I visited the doctor yesterday, and was told that they have a new online portal to use to interact with them, including retrieving test results and the like. I was encouraged by the enrollment process: they gave me a form with a 15-character activation code to establish my account. This was significantly better than similar systems I have been asked to enroll in in the past.
After entering my enrollment code, birth date, and postal code, I was able to create an account. But imagine my disappointment when I reached the requirement to provide the answer to a “security” question. Here were the choices:
The answers to many of these questions are readily available (high school graduation date and mascot and undergraduate college, for example). For many people, whose wedding pictures are on Facebook, the location of their wedding reception is not a very well-kept secret. And how much entropy would many of these questions (such as musical genre) have?
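To put rough numbers on that last question, here is an added example (not part of the original post) that compares a "musical genre" answer with a 15-character activation code. The genre shares are constructed for illustration, not survey data, and the 36-symbol code alphabet (letters and digits) is an assumption, since the character set of the enrollment code is not stated.

```python
import math

# Constructed answer distribution for a "favorite musical genre" question.
# Illustrative shares only (not survey data); skewed, as such answers tend to be.
GENRE_SHARES = {
    "rock": 0.25, "pop": 0.20, "country": 0.15, "hip hop": 0.12,
    "classical": 0.08, "jazz": 0.07, "r&b": 0.05, "metal": 0.04,
    "folk": 0.02, "blues": 0.02,
}

def shannon_bits(dist):
    """Average-case (Shannon) entropy of the answer, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def min_entropy_bits(dist):
    """Worst-case entropy: determined by the single most common answer."""
    return -math.log2(max(dist.values()))

def guess_success(dist, attempts):
    """Fraction of accounts whose answer is among the `attempts` most common
    ones, i.e. what an attempt limit of that size still leaves exposed."""
    ranked = sorted(dist.values(), reverse=True)
    return sum(ranked[:attempts])

def random_code_bits(length, alphabet_size):
    """Entropy of a code drawn uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print(f"genre, Shannon entropy : {shannon_bits(GENRE_SHARES):.2f} bits")
    print(f"genre, min-entropy     : {min_entropy_bits(GENRE_SHARES):.2f} bits")
    for k in (1, 3, 5):
        share = guess_success(GENRE_SHARES, k)
        print(f"covered by top {k} answers: {share:.0%}")
    # Assumed alphabet: 26 letters + 10 digits.
    print(f"15-char activation code: {random_code_bits(15, 36):.1f} bits")
```

With these constructed shares, the three most common answers cover 60% of accounts, so even a strict attempt limit leaves the question far weaker than the activation code that preceded it.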
As is often the case, I don’t have a clue about how these questions/answers will be used: to reset a password, or will additional evidence be required for that? So, as usual, I gave a non-answer to one of the questions and continued.
The final disappointment was that there seems to be no option for two-factor authentication. Health data is often among the most sensitive data about a person, and there’s no excuse for a standard health portal not to have two-factor authentication at least as an option.
By the way, since I will never be using this as a security answer, my high school “mascot” is the Mountaineer.