A passwordless login has replaced long passwords and SMS codes for access to devices at a regional non-profit that supports unpaid carers in the Australian Capital Territory.
This comes on top of ongoing privacy and security enhancements at Carers ACT, part of the broader non-profit Carer Gateway in Australia.
The organisation provides a range of support services to carers in four locations across ACT, including care planning advice and support, counselling, peer support, breaks from caring, educational workshops, social activities, advocacy, mobility and technology aids.
THE PROBLEM
Carers ACT noted a recent uptick in sophisticated cyber threats, including spear-phishing attempts against its employees, as well as risks from unsecured devices and from users connecting to the guest Wi-Fi networks in its facilities.
“Account compromise is hugely worrying for us. We hold some of the most sensitive personal information, [so we] take the responsibility to protect that information very seriously.”
Thomas Pike, ICT Innovation Lead, Carers ACT
Recognising these concerns, the organisation has strengthened its privacy and security controls, including a full migration to Microsoft Entra ID. It has also put multifactor authentication in place, such as authenticator apps, a control the Australian Cyber Security Centre recommends for mitigating cybersecurity incidents.
“Having robust technical controls in place is essential when taking a custodian approach to client data. Organisations, no matter the industry, should take the security of their client data very seriously and the use of multi-factor authentication is an essential tool,” Pike said.
Recently, when the organisation moved to electronic progress notes at its respite facilities, many support staff had trouble signing in to devices protected by multiple layers of security, leaving the IT helpdesk swamped with requests for assistance.
“We ended up spending a lot of time on password resets or with users simply not able to log in due to platform issues.”
PROPOSAL
To improve the user experience, the organisation went passwordless for sign-in to its Microsoft Surface Go tablets by adopting YubiKeys. Created by California-based Yubico, the FIDO2 security key holds a public-key credential that is bound to the Entra ID sign-in origin, so a phished password or intercepted SMS code cannot be replayed against it. The key complements the FIDO2 authentication method and Conditional Access features of Microsoft Entra ID, which can require this phishing-resistant method rather than merely offer it alongside a password.
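To make the Entra ID side concrete, the following is an added example (not code from Carers ACT, Yubico or Microsoft) using the Microsoft Graph PowerShell SDK to enable FIDO2 security keys as a sign-in method and to require phishing-resistant MFA for a pilot group through a Conditional Access policy. The group name "Support Staff", the report-only rollout and the decision to leave AAGUID allow-listing unenforced are assumptions for illustration; the authentication-strength ID is Microsoft's built-in value for phishing-resistant MFA.

```powershell
# Added example, not the organisation's or Microsoft's own script.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# admin can consent to the scopes below.
$scopes = @(
    "Policy.ReadWrite.AuthenticationMethod",
    "Policy.ReadWrite.ConditionalAccess",
    "Policy.Read.All",
    "Group.Read.All"
)
Connect-MgGraph -Scopes $scopes

# 1. Enable the FIDO2 authentication method for all users.
#    Attestation enforcement rejects keys that cannot prove their make and
#    model. AAGUID restrictions could further allow-list specific key models;
#    that is left unenforced here (assumption) because the AAGUIDs depend on
#    the exact YubiKey models purchased.
$fido2 = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true
    keyRestrictions                  = @{
        isEnforced      = $false
        enforcementType = "allow"
        aaGuids         = @()
    }
    includeTargets = @(
        @{
            targetType             = "group"
            id                     = "all_users"
            isRegistrationRequired = $false
        }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter $fido2

# 2. Require phishing-resistant MFA for the pilot group. Without a policy like
#    this the key is only one option among several and a password still works.
#    Report-only mode records what the policy would have done without locking
#    anyone out; change state to "enabled" once the sign-in logs show every
#    pilot user has registered a key.
$group = Get-MgGroup -Filter "displayName eq 'Support Staff'" -ErrorAction Stop
if (-not $group) { throw "Pilot group 'Support Staff' not found (name is an assumption)" }

$policy = @{
    displayName = "Pilot: require phishing-resistant MFA (support staff)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        # Built-in authentication strength: phishing-resistant MFA
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The two steps are deliberately separate: the authentication method policy decides whether a key can be registered and used (including for Windows sign-in on Entra-joined devices), while the Conditional Access policy decides whether it is mandatory. Keep a break-glass account excluded from the policy before moving it out of report-only mode.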
MEETING THE CHALLENGE
For Pike, strengthening an organisation’s security does not have to be complicated for its employees.
Staff, he said, would rather have anything simpler than remembering usernames and long passwords to access their devices.
“Our support staff eagerly embraced change when we were able to demonstrate a simplified and reliable login experience, reducing frustration and allowing them to focus on providing care to our clients.”
“We were able to implement the YubiKeys within just a couple of days.”
Pike emphasised that in any change management process, “it is important to demonstrate value to individuals.”
RESULTS
The passwordless security key, complementing Microsoft Entra ID, has simplified the login process for Carers ACT staff. “It allowed us to increase our existing security posture while dramatically improving the user login experience,” Pike said.
Ultimately, prioritising the user experience is key to pursuing continuous security improvements in healthcare.
“What this project has demonstrated is that increasing security does not mean increasing complexity or overhead for staff. All organisations should consider their user experience,” he concluded.
Thomas Pike’s responses have been edited for brevity’s sake.