PACScenter now supports Passkey authentication
The new PACScenter passkey login makes authentication easier than ever. With passwordless access, users can enjoy faster, safer, and more convenient entry to the system. It is well known that people have a tough relationship with their passwords. They come with the burden of requiring users to memorize them or safekeep them the best they can. While we know that a more complex and less predictable phrase constitutes a stronger password, in practice it is easy to cut corners: often the passwords created by users are weak and repetitive in order to reduce cognitive load, which in turn makes online accounts more insecure.
A significant number of system breaches are caused by leaked or phished passwords. A report from Verizon suggests that as much as 81% of all hacking-related breaches took advantage of compromised passwords. For a picture archiving and communication system (PACS), which handles information as sensitive as medical imaging and patient data, upholding security is crucial to the reliability and credibility of information systems in healthcare.
Enter passkeys

Passkeys are an alternative to traditional passwords for authenticating to various platforms. Rather than making the user memorize a password, passkeys use public key cryptography to prove that the user is allowed to access a service. Passkeys are stored in a way that prevents anyone else from using them, and they cannot be forged or guessed by bad actors.
The authentication cycle may involve a user’s personal device, such as their mobile phone or a personal hardware security key. As part of this cycle, the user’s device may also show a biometric prompt (for example, a fingerprint check) to ensure that nobody else is using the device. This sequence of operations is already common when performing sensitive tasks such as payments through the phone.
Here is a quick run-down of the differences between passwords and passkeys:
Bootstrapping: When setting up a new account, a system may either ask the user to provide a password, or generate one for them. With passkeys, this process is as simple as asking the user for consent to store a new passkey on their device, with no memorization required.
Saving: When using passwords, the relying party (that is, the platform that you want to log in to) keeps something relatively sensitive, usually a password hash, which allows it to validate that the password for that account is correct. A security breach on the relying party can compromise the hash and facilitate brute-force attacks to recover the original password, especially if a weak password or hash algorithm was used.
A passkey, on the other hand, is saved on the user’s own device, or on a separate device such as a smartphone or a dedicated hardware security key, and the relying party only saves the user’s public key credentials, which do not expose the passkey. It is created and validated through public key cryptography, and stored in a way that prevents other people from using it.
Scope: Users may end up reusing the same password in multiple different services, at the risk of compromising multiple accounts at once. In contrast, passkeys are unique to a specific domain by design, and cannot be transferred across disparate services.
Passkeys in practice
Fortunately, most Web platforms can make this authentication workflow a reality today. Passwordless authentication on the Web is possible through WebAuthn, an open specification that allows users to register and log in to systems using passkeys.
It is worth pointing out that this is not bleeding-edge technology. In fact, user authentication via WebAuthn is already available in all modern internet browsers. Moreover, passkeys can be saved securely on any device that supports them, which includes all computers with Windows 11, security keys, and most mobile devices.
Passkeys in PACScenter
As of version 4.44.0, PACScenter supports passwordless user authentication. While user account creation is restricted to platform administrators, existing users will be able to register their passkeys in order to use them instead of a password for future logins.

This feature may eventually extend to other BMD Software products. At the time of writing, passkey adoption is still slow but steady. We anticipate that many more platforms will have first-class support for passkeys in the future. By acknowledging the importance of reliable authentication mechanisms, we are taking steps towards the safety of patients and healthcare professionals in a digitally connected world.