I'm reviewing some updates related to potential changes in HIPAA regulations, which include allowing user behavioral characteristics for multi-factor authentication (MFA). This could mean things like how you walk or type could be part of the authentication process. Has anyone actually implemented behavioral MFA in their organizations? How did it go in terms of user acceptance, admin views, and overall organizational feedback?
3 Answers
For anyone interested in the official details, the proposal outlines that multi-factor authentication should include at least two out of three categories: what you know (like passwords), what you have (like tokens), and personal characteristics (including behavioral traits). They're really pushing for a broader definition that includes things like gait and typing patterns, which could make MFA much stronger against cyber attacks.
I'm super stoked about the potential of this! Can't wait to see how it plays out in real-world applications.
I haven't come across many vendors offering behavioral MFA yet. It sounds like it could add more complications than it's worth. I mean, how practical is it really?
There’s actually a company called Verosint that has this kind of technology. They were bought by Imprivata and offer what's called adaptive MFA. I'm not too keen on the privacy implications of behavioral tracking, but I guess if it helps keep compliance, it’s what you have to do.