Slashdot Mirror


Rapid Authentication Systems?

Barrington Johnson asks: "I am an emergency physician, and am looking for a solution for authentication which is compatible with rapid logons and logoffs. We have several web-based terminals into which we put information. The web application gives a real-time representation of the emergency department, so it is important that it is kept up to date. We have an opportunity to re-design our system, and I know that if I make the authentication process too difficult e.g. username+password, doctors will store up their data entry, and do it all in one go, removing the real-time usefulness of the display. At what level (application/browser/system) should authentication occur, and what method would be best?" Might a smartcard-based authentication system work well in this situation?

11 of 48 comments

  1. 2 tiers of authentication by arrow · · Score: 2, Insightful

    Maybe consider 2 tiers of authentication.

    First level being a 4 digit pin that can be easily entered at a login screen that will allow view access to all the important data.

    Second level, require a username and password if anyone actually wants to modify something.

    --
    symetrix. We are building a religion, a limited edition.

    1. Re:2 tiers of authentication by V.+Mole · · Score: 2, Insightful

      Uh, the whole point is to encourage easy modification, so that the records are up to date.

  2. Simple answer... by SoCalChris · · Score: 4, Insightful

    I am an emergency physician

    Hire a professional web designer that specializes in security. I wouldn't want people to expect me to be a doctor, and I wouldn't want a doctor designing a secure web site for me.

    No offense, but for something like medical records, stick to what you went to school for.

    1. Re:Simple answer... by sixseve · · Score: 4, Insightful

      I don't think he's planning to implement this himself. When you hire a web designer or system implementor you need to know what to ask for, and I think that's what he's trying to figure out here.

    2. Re:Simple answer... by thesp · · Score: 2, Insightful

      I think that this is not a good way forward. What makes you think that a professional generic information-content-presenter will have any real understanding of the needs of a professional information-user when it comes to a system that is not directed at a mass audience, and must be exactly tailored to achieve maximum efficiency and usability?

      Too often have I seen professional designers choose technology over stability and form over function when it comes to implementing everyday tools. When it comes to mass market solutions, certainly, a professional designer would be the person to choose, rather than asking someone who doesn't really understand how he wants to interact with the system to make the interface choices. However, when it comes to information professionals, and doctors rank among those, they will have a far better idea of how their thoughts are arranged when recording a case, and how much flexibility/rigidity is required. In the design stage, a doctor will have far more immediate insight when an interface isn't right for his needs than a designer writing to specification.

      And the other benefit, tying this nicely in with arguments for open source as this is Slashdot, is that in the event the user interface isn't optimal, it can be easily modified if one of the users is the designer. He will be far better placed to respond to problems or niggles or inefficiencies or illogicisms in the system, and will intuitively find the solution.

      In short, never assume you know how someone else conceptualises their information unless you are really sure you know what you're doing.

      Shorter, people who understand what they need will know what they want, and will be best placed to implement it. People who don't know what they want can be given what you want to give them.

  3. Re:Host-Based Auth by Atzanteol · · Score: 2, Insightful

    Client certs would be better for this, but I think then you have the problem that these terminals are shared. How do you know who's using it?

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin

  4. It depends. by Nos. · · Score: 3, Insightful

    Like everything... it depends.

    How secure are the workstations? If the public can get at them then security is still a big concern. If not, a simple 4 digit PIN as others suggested might be enough. However, if it's feasible that an unknown person could have a few minutes unobserved at the machine, then I would look for something a little more secure.

    How quick is quick? Smart cards, or USB keys could be quick, but if in a hurry, doctors may not want to fumble around with something else they have to carry around... and what if they forgot it at home? Typing username - TAB - password - ENTER is usually very quick for anyone that has typed their username and password a few times. However, it could be inconvenient if the doctors are not usually standing/sitting with both hands free. What is the environment like? Do they sit at a desk, or quickly pass one of these terminals, click a few buttons, and continue on? If their time spent at the terminal is measured in minutes, 5 seconds to log on wouldn't be inappropriate. If it's measured in seconds, something quicker should be investigated.

    What's the budget like? Biometric sensors are always an option, like a thumb print scanner. However, these would be slightly more costly than a small USB key, but eliminate remembering passwords/PINs and carrying around an ID card/USB key.

    1. Re:It depends. by Anonymous Coward · · Score: 1, Insightful

      How about the problem with examination gloves and thumb scanners? Some form of RFID on a card they already carry might be handiest.

  5. Depends on your security needs by hackstraw · · Score: 4, Insightful

    I'm not sure how sensitive the data is, but I'm assuming it's relatively low. (Please don't go on a tangent here, there is little to no security involved with paper files...)

    The quickest/easiest/cheapest way would be to use a standard mag strip reader or an RFID tag with no PIN/password etc., just a swipe, and some way to "logout".

    If more security is needed or possibly variable security needed (maybe 1st screen is kinda public domain, but to get more details you need more authentication), then a smartcard that uses its serial number as a token like in the RFID or mag strip example I just gave, and then the user would have to put in a PIN to get the more sensitive data.

    The fortunate thing is that all 3 technologies are pretty inexpensive and easy to work with.
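The two-tier schemes proposed in this thread (arrow's PIN-for-viewing, credentials-for-editing split, and hackstraw's card-serial swipe with a PIN step-up for sensitive data) share one shape: a session carries an assurance level, each action demands a minimum level, and a short idle timeout turns walking away into a logoff. The following Python is an added example written for this page, not code from any poster or from any real product; the card serials, user names, PINs and salts are constructed sample data, and the timeouts are assumptions chosen to illustrate the idea.

```python
"""Tiered, step-up authentication for a shared department terminal.

Level 1: identified by a card swipe (serial / RFID UID) -> may view the live
         board and make routine status updates.
Level 2: card plus PIN -> may view or edit sensitive fields.
Sessions lock after a short idle period, and a PIN step-up is only good
for a short window, so the terminal falls back to the lower level by itself.
"""
import hashlib
import hmac
from dataclasses import dataclass


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # PINs are short, so never store them in the clear; a slow hash limits
    # offline guessing if the directory leaks.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed sample directory: card serial -> (user, salt, PIN hash).
_SALT_A = b"constructed-salt-A"
_SALT_B = b"constructed-salt-B"
DIRECTORY = {
    "CARD-0001": ("dr_adams", _SALT_A, _pin_hash("2468", _SALT_A)),
    "CARD-0002": ("nurse_baker", _SALT_B, _pin_hash("1357", _SALT_B)),
}

# Minimum assurance level per action; unknown actions are denied by default.
REQUIRED_LEVEL = {
    "view_board": 1,
    "update_status": 1,
    "view_sensitive": 2,
    "edit_sensitive": 2,
}

IDLE_TIMEOUT = 120.0      # assumed: seconds of inactivity before the session locks
STEP_UP_WINDOW = 60.0     # assumed: seconds a PIN step-up remains valid
MAX_PIN_FAILURES = 3      # assumed: wrong PINs before the session is dropped


@dataclass
class Session:
    user: str
    card: str
    last_activity: float
    level: int = 1
    step_up_at: float = 0.0
    pin_failures: int = 0


class Terminal:
    """One shared terminal; `clock` is injectable so behaviour can be tested."""

    def __init__(self, clock):
        self.clock = clock
        self.session = None

    def swipe(self, card_serial: str) -> bool:
        """Level 1: identify the holder from the card serial. Any swipe replaces
        the previous session, so handing the terminal over is one swipe."""
        entry = DIRECTORY.get(card_serial)
        if entry is None:
            self.session = None
            return False
        self.session = Session(user=entry[0], card=card_serial, last_activity=self.clock())
        return True

    def enter_pin(self, pin: str) -> bool:
        """Level 2: step up the current session with the card holder's PIN."""
        s = self._current()
        if s is None:
            return False
        _, salt, expected = DIRECTORY[s.card]
        if hmac.compare_digest(_pin_hash(pin, salt), expected):
            s.level, s.step_up_at, s.pin_failures = 2, self.clock(), 0
            s.last_activity = s.step_up_at
            return True
        s.pin_failures += 1
        if s.pin_failures >= MAX_PIN_FAILURES:
            self.logout()          # too many guesses: drop the whole session
        return False

    def authorize(self, action: str) -> bool:
        """Allow `action` only if the session's current level is high enough."""
        s = self._current()
        if s is None:
            return False
        needed = REQUIRED_LEVEL.get(action)
        if needed is None:
            return False
        if needed == 2 and (s.level < 2 or self.clock() - s.step_up_at > STEP_UP_WINDOW):
            s.level = 1            # step-up missing or expired: back to swipe level
            return False
        s.last_activity = self.clock()
        return True

    def logout(self) -> None:
        self.session = None

    def current_user(self):
        s = self._current()
        return s.user if s else None

    def _current(self):
        s = self.session
        if s is not None and self.clock() - s.last_activity > IDLE_TIMEOUT:
            self.session = None    # walked away: treat as logged off
        return self.session
```

The design point is that the expensive credential (the PIN) is only demanded for the few actions that need it and expires on its own, while the swipe that records who made an entry costs a second and is the normal path, which is what keeps the board updated in real time.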

  6. Hire me by Tye_Informer · · Score: 3, Insightful

    One suggestion here is to hire a security professional. That is not a bad idea.

    However, I have a better one. Hire me! (Better for me, at least). But seriously, if you can't figure out the best solution, you certainly are not going to get it solved here. Bring in a consultant who specializes in this aspect of your business (ER management) and have them explain the options.

    It is not clear what your requirements are, but I am not sure this is a good candidate for a "technology" solution. Charts are still the standard method for tracking in ER environments and a good old-fashioned white board is a pretty good way to track assignments. No matter what the solution, if the doctor has to go away from the patient to check status or update status the system is going to be always out of date (hence charts hanging on for so long).

    I know this isn't the sexiest solution but you need to prepare yourself for the boring solutions when you present this problem.

  7. Why authenticate? by Andy_R · · Score: 2, Insightful

    Why is authentication needed?

    In an ER situation, there must be hundreds of things lying around that unauthorised people MUST NOT mess with, or people die and other people get fired. Just define the terminal as one of those things.

    Stick a dummy video camera pointing at the keyboard, and tell all the unauthorised staff they'll get fired if they are seen touching it.

    If you need to identify who is making entries, give every doctor a dedicated function key, and refuse any entries that are not preceded by an F-key press.

    --
    A pizza of radius z and thickness a has a volume of pi z z a