• Rekorse@sh.itjust.works
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    1 month ago

    Can be funny for trivial stuff, but in the medical field this type of stuff is pretty messed up in my opinion. Some medical places implement stuff like that just because they refuse to pay people to staff the phones in scheduling.

    Also, if the old lady doesnt want MFA thats her choice.

    • yetAnotherUser
      link
      fedilink
      arrow-up
      2
      ·
      1 month ago

      Mandatory MFA isn’t a bad thing though.

      If an old lady doesn’t want to remember a password, should she be able to enter just her email/identifier without any verification?

      • dan@upvote.au
        link
        fedilink
        arrow-up
        1
        ·
        1 month ago

        MFA doesn’t really help much in the case of a tech illiterate person though, since TOTP codes can be phished just like username and password can. A scammer that calls them will just ask for the code in addition to the username and password.

        My employer uses Yubikeys with FIDO2/WebAuthn for two factor auth, but that’s probably too complex for a non technical person to figure out (even if it’s basically just “press the button when it tells you to”).

        • yetAnotherUser
          link
          fedilink
          arrow-up
          2
          ·
          1 month ago

          Well, TOTP prevents at least these attack vectors, even for tech-illiterate people:

          • Unnoticed data base leaks being used to gain full access to people’s accounts
          • Credential stuffing (using another service’s leaked credentials to gain access)

          With TOTP there must be at least some contact between the “hacker” and the victim.

      • Rekorse@sh.itjust.works
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 month ago

        I just think they should be able to opt out. Its up to the patient what their security posture is. If they don’t want it, they shouldnt be forced to have it. Just have them sign away their rights to sue the hospital or something along those lines.

        I’m open to hearing an argument why it should be forced to use MFA even if the patient doesnt want it. I know at least one hospital my company works with that has it optional for patients who want it.

        • yetAnotherUser
          link
          fedilink
          arrow-up
          2
          ·
          1 month ago

          I think most people are just unaware of the risk that is involved. Healthcare information is some of the most sensitive data on a person and should be protected at all cost.

          Some older people in particular have as much of a self-preservation instinct on the internet as toddlers in real life. If protecting them takes away a tiny bit of agency from them then so be it because they cannot be trusted with such decisions. I believe any reasonable person would use MFA because trading off a tiny bit of convenience for a significant amount of security is always worth it.

          • Rekorse@sh.itjust.works
            link
            fedilink
            arrow-up
            2
            ·
            1 month ago

            Most of these patients have already received emails from multiple healthcare organizations that their data was breached though.

            The way medical data is stolen isnt through individual accounts usually unless you are famous or a politician.