What is two-factor authentication (2FA), and why do you need it?
We’ve laid out the details on one of the best tools you have to protect patient privacy by preventing unauthorised access to your online accounts. Learn the essentials of how 2FA works, why you should enable it, and what you can do to use it smartly.
Before we dive into the world of two-factor authentication, here are some helpful links for anyone who might be looking for specific information related to using 2FA for your Cliniko account:
2FA is a multi-factor authentication technique, sometimes known as two-step authentication (2SA). It requires users to enter a 6-digit code as an added layer of protection—along with their password—when logging in to their online accounts.
Unlike passwords that you can use over and over again, 2FA codes can only be used once. Each time an account asks you to authenticate, you’ll need to enter a unique 6-digit code.
There’s a good chance you’ve already used 2FA in the past. Some websites might send the code in a text message to your phone. You then need to submit that code to the website before accessing your account. That’s one form of 2FA.
Another version of 2FA that’s growing in popularity is the use of a downloaded authenticator app (usually on your smartphone or tablet). These apps automatically generate time-sensitive verification codes that are linked to your various online accounts.
So, instead of getting a code in a text message, one will be created within the app. Then the rest of the process works the same.
How does 2FA work?
The effectiveness of 2FA is based on the idea that online access should be based on two things: something you know and something you have.
That’s why it also helps to use ‘something you have’, like your smartphone or tablet. Even if someone has your password, they won’t be able to access your account unless they also have your device.
Please note that 2FA is linked to your device, not your mobile number. If you get a new phone or tablet, you’ll need to transfer the authentication data from your old device or repeat the setup process for the new one.
And be sure to keep your old device handy in case you need the data from it to help with the new setup. Don’t wipe it clean until you’re sure everything is working well with the new device.
Cliniko does keep your mobile number on file. But it’s not used in the authentication process. If ever your device is misplaced or damaged, we’ll help you get back into your account by first using your number to make sure we’re helping the right person.
When prompted, grab the 6-digit verification code found in your authentication app.
Enter that code into Cliniko, and you’re in!
That’s it. And it works the same way across any of your online accounts that use 2FA.
Why do 2FA codes expire?
Your authenticator app will automatically generate your codes. Each time a new one gets created, it will expire after 30 seconds. Once that happens, another new code is created and then expires 30 seconds later. And on and on it goes.
If you’re entering a code into your account and it expires before you’re able to complete the submission, that code is no longer valid. You’ll need to enter the newer code from your authenticator app (within its 30-second window).
By having such a short lifespan, it’s nearly impossible for anyone else to have the correct sequence of digits, not to mention using them within the precise time frame while they are valid. This is a big reason why 2FA is so effective.
It’s important to make sure the time settings are properly synced between the app and the servers that host your online accounts.
But if you have valid codes that aren't working, you may need to double-check your device’s time settings and make sure it’s set to ‘automatic’ or ‘network’. When a change is needed, it’s usually pretty marginal, and you may not even notice a difference.
Why should you use 2FA?
Using 2FA for your online accounts is one of the most important things you can do to keep them secure. No precaution is flawless. But by using 2FA in conjunction with a strong, unique password, it’s much more difficult for information to get into the wrong hands.
You’re the guardians of your patients’ data, and you’re legally obligated to protect it. That’s reason enough to take proactive measures. But the Australian government has also recently raised the penalties for misusing the personal information of both your patients and your team. If a data breach occurs, practices could face hefty fines.
Put simply, using 2FA is in the best interest of your patients—and your practice. And with so much at stake, it’s worth a little extra effort.
‘Multi-factor authentication (MFA) is mandatory for end users that can access taxation or superannuation related information of other entities or individuals (e.g. tax agents, employers).’ (Please note that 2FA is a form of multi-factor authentication.)
In other words, because Xero has access to your financial data, the ATO mandates that Xero must require it’s users to use 2FA.
‘In 2018, the Australian Tax Office updated the online security requirements for customers of software providers that connect with the ATO. It is now compulsory for anyone with access to an Australian organisation on Xero to have 2SA [aka 2FA] enabled on their login. The same is true for customers using other cloud-based platforms.’
While these suggestions are specifically intended for Cliniko, they may also work well for some of your other 2FA-enabled accounts.
Require 2FA for all users. We highly recommend you do this for the protection of your business and patient data. This includes practitioners, team members, and virtual assistants. And if you’re using the Xero integration in Australia, this is now required. Take a look at this help article to get set up with 2FA.
Create and safeguard your backup codes. This point cannot be stressed enough. If your secondary device is unusable for any reason, you’ll need to use backup codes to get access to your account quickly. We recommend printing these codes or storing them on an external drive. Then put them someplace safe with limited concern of being lost, stolen, or destroyed.
Use a quality authenticator app. We recommend Authy, which offers a browser extension and the ability to sync between multiple devices. That’s helpful for when you have two or more users who need separate access to your account.
Prepare for the worst-case scenario. Have a plan of action for what to do if you don’t have access to your device or if your codes aren’t working. Ensure that you’ll be able to use your backup device instead, or be able to get a hold of your backup codes quickly.
We answered your questions about online security during COVID-19 on YouTube live. Check out the recording of the session with plenty of helpful information, plus links to the top tools we mentioned during the broadcast.