We received a consultation from a medical/pharmaceutical-related company regarding the enhancement of authentication for a pharmacy's interpersonal business support system. YubiOn solved this problem by proposing the introduction of an authentication service using the YubiOn FIDO2 Server and the use of the FIDO2-compatible authentication device YubiKey. This time, we will introduce the specific contents.
Introduced Organization
Medical/pharmaceutical company Deployment scale:
Introducing of authentication service by YubiOn FIDO2 Server By introducing our authentication service to the interpersonal business support system at the pharmacy, two-factor authentication by FIDO2 authentication is realized. More than 1,000 pharmacies use the interpersonal business support system.
Adoption of authentication device YubiKey Arrange YubiKeys for each pharmacy worker (non-biometric physical key)
Issues
Strengthening the security of interpersonal business support system in pharmacy The interpersonal business support system provided by medical and pharmaceutical company supports interpersonal work by streamlining pharmacy-to-patient medication follow-up, patient-to-patient consultation, and office visit appointments. In terms of system security, it is required to introduce two-factor authentication (*1) as described in the Ministry of Health, Labor and Welfare's "Guideline for Security Management of Medical Information Systems, 5th Edition". Also, regarding the introduction of two-factor authentication, it was necessary to consider the convenience of end-users involved in support work while maintaining security strength. This time, the challenge is to strengthen security and improve convenience for end users by adopting two-factor authentication for the interpersonal business support system. (*1) Two-factor authentication is an authentication that combines two different factors out of the three factors of authentication: "knowledge information (password or PIN)", "possession information (authentication device, etc.)" and "biometric information (fingerprint, etc.)".
Solution
Introduction of authentication service by YubiOn FIDO2 Server By using our authentication service, they were able to introduce two-factor authentication using FIDO2 to the interpersonal business support system (RP) without building a separate authentication server. Regarding the incorporation of FIDO2, we have received feedback that it was a smooth implementation thanks to the provision of a development support tool (SDK). For end-user authentication, after entering the user ID, two-factor authentication based on possession and knowledge is completed by inserting the authentication device YubiKey into the USB port, entering the PIN code, and touching the YubiKey. There is no longer a need to remember long and complicated passwords, and authentication can be performed with a simple operation of "YubiKey + PIN code input", enabling stronger authentication without compromising user convenience.
About FIDO2 (*2) authentication In conventional ID+password authentication, a user is identified by performing authentication processing on the server side based on the ID+password entered by the user. However, there are risks such as attacks where passwords are tried many times (brute force) and passwords are stolen (phishing). In addition, there is also the problem that the damage is expanded by using the same password for multiple services. Authentication by FIDO (Fast Identity Online) has emerged to solve such password problems. FIDO performs authentication with high-security strength using public key cryptography (*3). In conventional authentication, authentication processing was performed on the server side, but with FIDO, user verification is performed by the authentication device at hand, and the server side verifies the authentication result. Confidential information is not leaked to the outside, and it is an authentication method that is strong against phishing attacks. In the user verification method introduced this time, two-factor authentication is performed by combining possession information by the authentication device YubiKey and knowledge information by PIN code. The below diagram is a simplified representation of the FIDO2 authentication sequence. (*2) FIDO2 Consists of a web authentication technology called WebAuthn standardized by W3C, which applies digital signatures using public key encryption, and a communication technology between devices called CTAP, established by the FIDO Alliance. (*3) Public key cryptography A method of encryption and decryption using different keys, a public key, and a private key. Data encrypted with a public key can only be decrypted with the paired private key.
Adoption of authentication device YubiKey Biometric authentication is also possible in FIDO2 authentication, but biometric authentication devices are expensive and are judged unsuitable for on-site convenience, so the non-biometric authentication device YubiKey was adopted. In addition, the Security Key by Yubico, which focused on FIDO functions, is relatively inexpensive among YubiKeys, so it is possible to reduce the cost of introducing an authentication device.
Finally
The products and authentication device information introduced this time are summarized below. Please feel free to contact us if you have a request.
Introduction of authentication service by YubiOn FIDO2 Server Please refer to the product introduction page for the use of the authentication server service by FIDO2. ※ Our YubiOn FIDO2® Server was certified as a FIDO2 server on March 11th, 2019.
Authentication device YubiKey We sell authentication devices that support FIDO2 (PIN/biometric) and multiple protocols. You can buy from our YubiKey shop or Amazon.
※ For bulk purchases and quotation requests please contact us from the inquiry page.