Multi-Factor Authentication (MFA)
Why We’ve Added Multi-Factor Authentication (MFA) to Clinical Projects
We build digital tools to help manage clinical trials. These systems often deal with sensitive patient data, and it’s our job to keep that information secure.
One of the ways we do that is by adding multi-factor authentication (MFA). This means users will need more than just a password to log in — for example, they might also need a code sent to their phone or a physical key.
We get that this can feel like a hassle. No one loves having to do extra steps. But the truth is, MFA massively improves security, and it’s one of the simplest ways to protect data from cyberattacks. This paper explains why we recommend this move, what the challenges are — especially in hospital settings — and how we make MFA flexible and fair.
The Case for MFA
Protecting Sensitive Clinical Data
Clinical trials collect and store private health data, including patient names, conditions, and results. That kind of information is valuable — both to the people involved and to hackers. MFA helps make sure that only the right people can access it.
Reducing the Risk of Cyber Attacks
Weak passwords, reused credentials, and phishing attacks are some of the most common ways hackers break into systems. MFA adds a second layer of protection, so even if a password is stolen, the account stays locked unless the attacker also has the second factor, such as a code or a physical device. Not all second factors are equal, though: a one-time code typed into a web page can still be relayed by a phishing site in real time, whereas hardware security keys bind the login to the genuine site and resist that attack. Any MFA is a large improvement over a password alone; phishing-resistant factors are the stronger choice where they are practical.
Meeting Global Compliance Expectations
Security rules in healthcare vary around the world: GDPR in Europe, HIPAA in the US, and ethics board requirements in Australia. MFA isn’t always strictly required, but using it in your trial shows you are serious about protecting data and meeting global expectations.
Reinforcing Trust with Stakeholders
Sponsors, ethics committees, and institutional partners expect robust digital safeguards. Enabling MFA on our platform for your trial signals that you are committed to best practices in information security.
It's part of our broader goal of making Spiral’s systems trusted and future-proof — ready for more advanced integrations, decentralised trials, and remote monitoring capabilities.
MFA is offered to all our stakeholders.
Challenges in ICU and High-Pressure Settings
We’re acutely aware that some environments introduce real limitations around MFA — especially intensive care units (ICUs), where mobile phones are often prohibited due to hygiene protocols, electromagnetic interference concerns, or institutional policies.
In such settings, clinicians may not have access to personal devices, and requiring mobile-based authentication can delay critical actions. These aren’t trivial concerns — any barrier to fast access could have a direct impact on patient care.
Designing MFA to Fit the Environment
Recognising the complexity of these settings, we do not approach MFA as a “one size fits all” solution. Instead, we've developed an adaptive, context-sensitive approach.
Where mobile use is not feasible, we can explore options such as:
Hardware security keys (e.g. YubiKeys)
Desktop-based push authentication
Smart card access tied to institutional credentials
These methods can offer strong security without relying on mobile apps or SMS.
Role-Based Access and Risk-Based Triggers
Not every user interaction requires MFA. By implementing conditional access policies, we can:
Require MFA only for sensitive actions (for example exporting patient data or unblinding) or for elevated role types
Skip MFA for enrolled, trusted devices on known institutional networks (a network location on its own should not bypass MFA, since addresses can be shared or spoofed)
Remember a completed MFA for the session, so users are not re-prompted for every action
This ensures we retain security without adding unnecessary friction for frontline teams.
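The three policies above can be expressed as a small decision function. The following is an added example written for this page, not code from Spiral's platform: the action names, role names, time windows, and the Session and Request fields are assumptions for illustration, and the walk-through at the end uses a constructed scenario of a clinician on a shared, enrolled ICU workstation.

```python
"""Added example (not Spiral's own code): a minimal conditional-access
evaluator that decides when a request needs a second factor.  Action names,
roles, time windows and the Session/Request fields are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy inputs: actions and roles that always need a recent second factor.
SENSITIVE_ACTIONS = {"export_patient_data", "unblind_participant", "change_user_role"}
ELEVATED_ROLES = {"study_admin", "data_manager"}

STEP_UP_WINDOW = timedelta(minutes=15)   # a completed MFA covers sensitive actions this long
SESSION_WINDOW = timedelta(hours=12)     # a completed MFA covers ordinary actions this long


@dataclass
class Session:
    user_id: str
    role: str
    mfa_verified_at: Optional[datetime] = None      # None: no second factor yet this session
    device_token_expires: Optional[datetime] = None  # server-issued device-binding token; None: untrusted device


@dataclass
class Request:
    action: str
    now: datetime
    on_hospital_network: bool   # source address is within the institution's registered ranges


def _mfa_fresh(session: Session, now: datetime, window: timedelta) -> bool:
    return session.mfa_verified_at is not None and now - session.mfa_verified_at <= window


def _device_trusted(session: Session, now: datetime) -> bool:
    return session.device_token_expires is not None and now < session.device_token_expires


def mfa_decision(req: Request, session: Session) -> str:
    """Return 'allow' or 'step_up' (prompt for the second factor before proceeding)."""
    sensitive = req.action in SENSITIVE_ACTIONS or session.role in ELEVATED_ROLES
    if sensitive:
        # Sensitive work is never covered by device or network trust alone:
        # a hijacked workstation session or a spoofed address must not reach it.
        return "allow" if _mfa_fresh(session, req.now, STEP_UP_WINDOW) else "step_up"
    if _mfa_fresh(session, req.now, SESSION_WINDOW):
        return "allow"
    # Ordinary action with no fresh MFA: skip the prompt only when the device holds
    # an unexpired binding token AND the request comes from the hospital network.
    # Location on its own is not enough; addresses are shared and can be spoofed.
    if _device_trusted(session, req.now) and req.on_hospital_network:
        return "allow"
    return "step_up"


def record_mfa(session: Session, now: datetime) -> None:
    """Call after the second factor has been verified successfully."""
    session.mfa_verified_at = now


def demo() -> list:
    """Constructed walk-through: a nurse on a shared, enrolled ICU workstation."""
    t0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    sess = Session("nurse42", "bedside_clinician",
                   device_token_expires=t0 + timedelta(days=30))
    outcomes = []
    # Routine charting on the trusted device inside the hospital: no prompt.
    outcomes.append(mfa_decision(Request("record_observation", t0, True), sess))
    # The same device reached from outside the hospital network: prompt.
    outcomes.append(mfa_decision(Request("record_observation", t0, False), sess))
    # Exporting patient data is sensitive: prompt even on the trusted device.
    outcomes.append(mfa_decision(Request("export_patient_data", t0, True), sess))
    record_mfa(sess, t0)   # the nurse completes the second factor
    # A second export 10 minutes later is covered by the step-up window.
    outcomes.append(mfa_decision(Request("export_patient_data", t0 + timedelta(minutes=10), True), sess))
    # 30 minutes later the window has lapsed: prompt again.
    outcomes.append(mfa_decision(Request("export_patient_data", t0 + timedelta(minutes=30), True), sess))
    return outcomes


if __name__ == "__main__":
    print(demo())   # ['allow', 'step_up', 'step_up', 'allow', 'step_up']
```

The device trust here is a server-issued, expiring token held by the workstation (the kind a hardware key or smart card enrolment can back), not the IP address alone; that is what lets the routine charting go through without a prompt while an export from the same seat still asks for the second factor.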
Supporting Users Through the Change
We also focus on support — offering clear guidance and responsive help to ensure that MFA doesn’t feel like a roadblock. We know that the success of each rollout depends not just on the technology, but on how it’s introduced and supported.
Conclusion
The push to introduce MFA across our projects is a proactive step to ensure the data entrusted to us is handled with the highest standard of care. While there are real challenges — especially in high-acuity clinical environments — our commitment is to implement MFA in a way that respects both the need for security and the realities of clinical workflows.
We’re confident that with thoughtful design, collaboration, and support, MFA can enhance trust, strengthen compliance, and protect the integrity of the important work we do.