Multi-Factor Authentication (MFA)

Written By Audrey Shearer

Why We’ve Added Multi-Factor Authentication (MFA) to Clinical Projects

We build digital tools to help manage clinical trials. These systems often deal with sensitive patient data, and it’s our job to keep that information secure.

One of the ways we do that is by adding multi-factor authentication (MFA). This means users will need more than just a password to log in — for example, they might also need a code sent to their phone or a physical key.

We get that this can feel like a hassle. No one loves having to do extra steps. But the truth is, MFA massively improves security, and it’s one of the simplest ways to protect data from cyberattacks. This paper explains why recommend this move, what the challenges are — especially in hospital settings — and how we make MFA flexible and fair.

The Case for MFA

Protecting Sensitive Clinical Data

Clinical trials collect and store private health data, including patient names, conditions, and results. That kind of information is valuable — both to the people involved and to hackers. MFA helps make sure that only the right people can access it.

Reducing the Risk of Cyber Attacks

Weak passwords, reused credentials, and phishing attacks are some of the most common ways hackers break into systems. MFA adds a second layer of protection, so even if a password is stolen, the account stays locked unless the attacker also has the second factor — like a code or physical device.

Meeting Global Compliance Expectations

Security rules, in healthcare, vary around the world — GDPR in Europe, HIPAA in the US, and ethics boards in Australia. MFA isn’t always strictly required, but using it in your trial shows you are serious about protecting data and meeting global expectations.

Reinforcing Trust with Stakeholders

Sponsors, ethics committees, and institutional partners expect robust digital safeguards. Including our platform MFA in your trial signals that you are committed to best practices in information security.

It's part of our broader goal of making Spiral’s systems trusted and future-proof — ready for more advanced integrations, decentralised trials, and remote monitoring capabilities.

MFA is offered to all our stakeholders.

Challenges in ICU and High-Pressure Settings

We’re acutely aware that some environments introduce real limitations around MFA — especially intensive care units (ICUs), where mobile phones are often prohibited due to hygiene protocols, electromagnetic interference concerns, or institutional policies.

In such settings, clinicians may not have access to personal devices, and requiring mobile-based authentication can delay critical actions. These aren’t trivial concerns — any barrier to fast access could have a direct impact on patient care.

Designing MFA to Fit the Environment

Recognising the complexity of these settings, we do not approach MFA as a “one size fits all” solution. Instead, we've developed an adaptive, context-sensitive approach.

Where mobile use is not feasible, we can explore options such as:

  • Hardware security keys (e.g. YubiKeys)

  • Desktop-based push authentication

  • Smart card access tied to institutional credentials

These methods can offer strong security without relying on mobile apps or SMS.

Role-Based Access and Risk-Based Triggers

Not every user interaction requires MFA. By implementing conditional access policies, we can:

  • Require MFA only for sensitive actions or role types

  • Skip MFA for trusted devices and locations

  • Offer session-based authentication to avoid repeated prompts

This ensures we retain security without adding unnecessary friction for frontline teams.

Supporting Users Through the Change

We also focus on support — offering clear guidance and responsive help to ensure that MFA doesn’t feel like a roadblock. We know that the success of each rollout depends not just on the technology, but on how it’s introduced and supported.

Conclusion

The push to introduce MFA across our projects is a proactive step to ensure the data entrusted to us is handled with the highest standard of care. While there are real challenges — especially in high-acuity clinical environments — our commitment is to implement MFA in a way that respects both the need for security and the realities of clinical workflows.

We’re confident that with thoughtful design, collaboration, and support, MFA can enhance trust, strengthen compliance, and protect the integrity of the important work we do.

Audrey Shearer
Next

Openness