A passwordless login experience has replaced long passwords and SMS codes for accessing digital devices at a regional non-profit supporting unpaid carers in the Australian Capital Territory.
This follows ongoing privacy and security improvements at Carers ACT, part of the wider not-for-profit Carer Gateway in Australia.
The organisation provides a range of support services for carers at four locations across the ACT, including care planning advice and support, counselling, peer support, respite care, educational workshops, social activities, advocacy, mobility support and technology.
THE PROBLEM
Carers ACT has seen a recent increase in sophisticated cyber threats, including email phishing attempts targeting their staff. There are also threats from unsecured devices and users accessing guest Wi-Fi systems in their premises.
“The breach of our account is extremely troubling to us. We hold some of the most sensitive personal information, [so we] take the responsibility to protect that information seriously.”
Thomas Pike, ICT Innovation Lead, Carers ACT
Recognizing these concerns, the organization has enhanced privacy and security, including a full migration to Microsoft Entra ID. The organization has also introduced multi-factor authentication programs, such as the use of authenticator apps, which are recommended by the Australian Cyber Security Centre to mitigate cybersecurity incidents.
“It is essential to implement strong technical controls when implementing a customer data monitoring approach,” said Pike. “Organizations, regardless of industry, should take customer data security seriously, and the use of multi-factor authentication is an essential tool.”
Recently, when the organization moved to electronic progress notes at support facilities, it was found that many support staff had trouble accessing devices with multiple layers of security, causing the IT help desk to be overwhelmed with support requests.
“We ended up spending a lot of time resetting passwords or users not being able to log in due to platform issues.”
PROPOSE
To improve the user experience, the organization went passwordless when accessing the Microsoft Surface Go tablet by implementing YubiKeys. Created by California-based Yubico, this FIDO-based security key provides an additional layer of protection, complementing the FIDO2 and Conditional Access features of Microsoft Entra ID.
Facing the Challenge
For Pike, enhancing security for an organization doesn’t have to be complicated for its employees.
He said employees would prefer to use any simple solution rather than having to remember long usernames and passwords to access their devices.
“Our support staff eagerly embraced the change as we were able to demonstrate a simple and reliable login experience that reduced frustration and allowed them to focus on customer care.”
“We were able to deploy YubiKeys in just a few days.”
Pike emphasizes that in any change management process, “it is important to demonstrate value to individuals.”
RESULT
The password-free security key, which complements Microsoft Entra ID, has simplified the sign-in process for Carers ACT staff. “It allows us to enhance our existing security posture while also significantly improving the user sign-in experience,” Pike exclaims.
At the end of the day, prioritizing user experience is key to pursuing continuous security improvements in healthcare.
“This project has demonstrated that increased security does not have to mean increased complexity or cost for employees. Every organization should consider their user experience,” he concluded.
_
Thomas Pike’s answers have been edited for brevity..
