Why not just supply hardware tokens? They are not that expensive.
for multiple sites? Just what everyone wants, a pocket full of tokens.
it's PHI so I could easily see insurance companies at some point also requiring it, so that could be another 20.
This is a joke right? You can use a token across multiple sites. Especially Yubikeys.
yeah I know you can with something like a Yubikey - but that assumes that the site supports Yubikeys -and our EHR only supports Symantec VIP tokens - super lame!
I'd argue it might work anyway. Yubikeys support up to 31 or so OATH-TOTP codes (like an RSA token or Google auth app type token). It also supports any number of u2f applications and two slots for TOTP/HOTP, hmac-SHA1, and GPG keys.
As long as the VIP tokens use some standard for the way it generates the TOTP token you can scan it/enter it with the Yubikey Authenticator app and have it manage that.
It is the same for using Authy instead of Google Authenticator. A lot of sites only say Google Authenticator, but they all use standards, thus Authy works just fine.
Exactly. Anything that says it uses Google Authenticator, can also use MS Authenticator. Same standards as JB said.
That part I know, but Symantec VIP uses their own what they call credential IDs, it's not a generic number like GA or MS auth uses... but I'll have to dig into it to see if it's cross compatible.