

Trusted by healthcare organisations including Consumer Direct Care. SOC2 Type II · ISO 27001 · FIDO Certified.
Fastest way to integrate MFA and Passkeys
Rapid deployment with pre-built UI, components, SDKs, and rules engine.
Unified authentication user experience
Combine passkeys, biometrics, and MFA into a seamless user experience.
Integrates with your Identity-Provider (IDP)
Integrate MFA and passkeys into any identity stack.
Implement best practices with expert support
Receive expert guidance and support to achieve top-tier passkey adoption rates.
Why healthcare authentication is different
Shared workstations, constant rotation
Clinical staff move between nursing stations, labs, and exam rooms dozens of times a shift. Blanket MFA prompts slow down care and create workarounds, including shared sessions, written-down credentials, propped-open access. The answer is not more prompts. It is smarter prompts: adaptive step-up authentication that applies the strong check where the risk is and leaves routine access fast.
Legacy systems that were never built for modern auth
EHR modules, medical devices, and older clinical applications often cannot speak SAML or OIDC. Some have no integration path to a modern identity provider at all. Healthcare teams need an authentication layer that works with the identity stack already in place, not one that requires re-architecting it.
Patient portals where friction kills adoption
Telehealth platforms and patient portals need MFA that works for every patient, including those who struggle with SMS codes or authenticator apps. Passkeys let patients authenticate with a fingerprint or face scan on their own device. No codes, no friction, phishing-resistant by default.
Business associates multiply the surface area
Every vendor, MSP, and third party with ePHI access needs to enforce MFA and produce audit evidence. The authentication challenge in healthcare is not one system, but hundreds of systems, spread across cloud, on-prem, and hybrid environments, each with its own login story. A unified orchestration layer brings them under one set of policies.
HIPAA is making MFA mandatory. Here is what is changing.
The proposed HIPAA Security Rule update removes the distinction between "required" and "addressable" implementation specifications. For authentication, that means multi-factor authentication would become an explicit requirement for every system that creates, receives, maintains, or transmits ePHI. The final rule has not been published yet, but the direction is clear enough to plan around.
MFA becomes mandatory across all ePHI access
Not just remote access and admin accounts. Clinicians, billing staff, contractors, and vendors all fall inside the requirement.
Business associates are covered
Every third party with ePHI access must enforce MFA and demonstrate it in updated business associate agreements.
Phishing-resistant methods are favoured
The proposed rule leans on NIST SP 800-63B, which means passkeys (FIDO2/WebAuthn) and hardware security keys are the preferred options. SMS OTP is the weakest acceptable method.
Audit evidence is expected from day one
The rule does not ask for a policy document that says MFA exists. It expects evidence that controls are deployed and operating — who authenticated, with which method, against which policy, and what happened on high-risk events.
The compliance window is roughly 240 days
Once the final rule publishes: 60-day effective date, then 180 days to comply. That is about eight months, and most of it goes to procurement and rollout.
How Authsignal helps healthcare teams
Frequently asked questions
Does Authsignal replace our existing identity provider?
No. Authsignal is a drop-in authentication layer that sits on top of your existing identity stack. Whether that is Azure AD B2C, AWS Cognito, Auth0, Keycloak, or another provider, or your own database. You keep your current identity stack and add passkeys, adaptive MFA, and step-up authentication on top.
Does the proposed HIPAA rule require phishing-resistant MFA?
The proposed rule leans on NIST SP 800-63B, which favours phishing-resistant methods like passkeys and hardware security keys for privileged and remote access. SMS OTP is classified as a restricted authenticator — not banned, but treated as the weakest acceptable option. The practical direction is toward passkeys as the primary method.
How does Authsignal work with legacy healthcare systems that cannot support modern authentication?
For systems that can integrate via SAML, OIDC, or API, Authsignal adds the MFA layer directly. For legacy systems that cannot support modern auth protocols, Authsignal's rules engine can enforce compensating controls such as network-based policies, restricted access windows, and enhanced logging. The proposed HIPAA rule includes provisions for documented compensating controls on genuinely constrained systems.
What compliance certifications does Authsignal hold?
Authsignal is SOC2 Type II certified, ISO 27001 certified, and FIDO Certified. These certifications directly address the security and audit requirements that healthcare organisations evaluate when selecting authentication vendors.
How long does it take to deploy Authsignal in a healthcare environment?
Most teams are live in weeks, not months. Authsignal's pre-built UI, SDKs, and no-code rules engine are designed for rapid deployment on top of existing identity infrastructure with no migration required.

