Helmut Dansachmueller [00:00:00]:
Using MFA, multifactor authentication, in combination with FIDO, for example, really reduces the complexity for the user because it’s so easy when you are having a stick or a USB token or a smart card connected to your computer, and that’s all you need. It’s seamless. And when it’s seamless, it becomes used and it becomes accepted.
Podcast Voice-over [00:00:29]:
This is GeekCast.
KB [00:00:40]:
Joining me today is Helmut Dansachmueller, VP, RFID Products, Identification Technologies at HID. And today, we’re discussing passwordless authentication to help Australia’s health care industry protect patient data. So, Helmut, thanks for joining and welcome.
Helmut Dansachmueller [00:01:01]:
Thank you for having me here.
KB [00:01:03]:
Okay. So I’m really curious about your view, your experience, your background, but perhaps give us a bit of a lay of the land in the health care security sort of space and how you see it here in Australia.
Helmut Dansachmueller [00:01:13]:
That’s a great question, but I would like to clarify something very important at the very beginning. The entire topic about passwordless authentication, security, and whatever you would like to call it, is not an Australian phenomenon. This is a global one. And also the threats are global. Yes. Legislation is always a local legislation. You might have specific rules in Australia, which are not valid in Europe or North America. You have the Australian Center of Cybersecurity, which is great.
Helmut Dansachmueller [00:01:51]:
But they are not doing anything different than NIST is doing in America or BSI is doing in Germany. So threats are global, regardless of where you are. And as we see it in this interview, I’m sitting and I’m located in Germany. You are in Australia, and you are just one mouse click away from my side. So the threat is everywhere, and the threat can come from everywhere. And when I look at the current situation, we clearly see an increase of, let’s say it in this way, attacks against the infrastructure, against GDPR, against data privacy, against encryption of data, all these kinds of things, denial of service attacks, ransomware, and whatever you have in Australia. As I said before, it’s global, and we need to fight against that. And only if we have, let’s call them, seamless security measures, which are easy to survive and easy to apply for employees, is the security good enough.
Helmut Dansachmueller [00:03:05]:
Because security is as good as the employees are using it, and they’re not trying to circumvent it. And they will not try to circumvent it when it’s absolutely seamless. And they don’t really recognize that they are doing highly complicated things when, for example, looking at FIDO, looking at all the passwordless authentications with MFA. Clearly, as soon as it is seamless for the users, it can work, and it will help all the health care industry in Australia. I think what is the most important thing is, as I said, having it seamless and making sure that everybody is applying it. Nobody shares any credentials across the organization with other colleagues and all that kind of stuff. That’s the most important thing. I hope I did not speak too much around it, and I hope it was clear what my points are.
Helmut Dansachmueller [00:04:15]:
Let’s repeat. The threat is global. The threats are massively increasing in regards to data privacy, in regards to ransom attacks, in regards to denial of service attacks.
KB [00:04:29]:
Lots of interesting points that you shared. One of which would be on the employee front: passwords. You mentioned before, you gotta make things seamless, easy, or else people try to circumvent it, which I agree with. What do you think the sentiment is at the moment with the average employee around passwords?
Helmut Dansachmueller [00:04:47]:
Yeah. It’s crazy. A password, if it is long enough and if it is really secure, there is still an attack vector because passwords need to be verified and need to be stored somewhere. Yes. Of course. Passwords are stored in a one-way encryption, and you’re only comparing the one-way encryption values. But they need to be stored somewhere, and that’s the biggest threat you have. When you’re using passwordless authentication, for example, FIDO, you’re playing and you’re introducing private key encryption.
Helmut Dansachmueller [00:05:24]:
So the value which is used to encrypt your data or to verify your identity is never ever stored on the host side, on the other side of the equation. It only remains on your PC, and therefore, it can’t be stolen. When combining this with additional hardware, as, for example, MFA, multifactor authentication says, then it’s really secure, and customers and users do not care about passwords. They are acting as always, but they can’t share their credential with others because it’s the private key, and the private key is stored maybe on the computer, maybe on an additional device, a USB token, a smart card, something like that. And that’s the biggest difference.
KB [00:06:18]:
Getting into it as well, just putting my employee/consumer hat on: back in the day when sort of the Internet started, we had a lot fewer systems that we would log into. You may at best have had one password. Now you have fifty, sixty, a hundred, depending on what tools, subscriptions. Anything that you log into now requires a password, but all with different requirements. So what do you think the main frustration is for an employee at the moment? Is it just, can’t remember it? I’m just gonna reuse the same password because I can’t remember it. I’m not gonna get a password manager because I gotta pay for it, or my company doesn’t allow a password manager. Even if they do, there’s another bunch of requirements I’ve gotta adhere to. I’m just trying to really get in the minds of that frustration behind employees who then try to circumvent what they’re doing because this introduces a lot of friction.
Helmut Dansachmueller [00:07:14]:
Absolutely. And, yes, formerly, we said resetting passwords is the most pain in the back. To be honest, it’s not, because passwords can easily be reset with automated processes. But there is the pain of: no, you should not share passwords across different systems, because then the weakest system becomes the entry point into security, and breaks the security of a user and breaks the security of an organization. So passwords need to be different, and then there’s the next pain point. Passwords need to be changed on a regular basis. Some companies are requesting that every month, every two weeks. And how should you remember, as a user, different password generations for different usages? And password managers do not really solve the problem.
Helmut Dansachmueller [00:08:14]:
It’s still the problem that the password needs to be stored on the other side of the equation, as I said, on the host side again. So whenever a password is introduced and is used directly, the password is stored on the other side, and it can be hacked from the other side. There are many occasions public now where systems are broken because all these passwords are opened and are becoming public because of a weak system on the other side. With passwordless authentication, using FIDO, for example, passwords can’t be broken. The only thing that could happen is that you lose your token. So even with passwordless authentication, you need to have backup mechanisms, like storing the security key somewhere on your local system but not on the host system. And this provides much better security than password-based systems.
KB [00:09:19]:
So from your experience, what would you say induces the most amount of pain from a user perspective? If you have to sort of attribute it to one sort of key element.
Helmut Dansachmueller [00:09:31]:
Memorizing different passwords for different systems and then not having the guarantee that nothing happened on the host side. Using MFA, multifactor authentication, in combination with FIDO, for example, really reduces the complexity for the user because it’s so easy when you are having a stick or a USB token or a smart card connected to your computer, and that’s all you need. It’s seamless. And when it’s seamless, it becomes used and it becomes accepted. And I think one of the most important pillars for security is not the encryption algorithms. It is the acceptance of the users, because every system depends on the acceptance of the users. And only when the users accept the security mechanisms are they good enough to survive over a longer period of time.
KB [00:10:33]:
So would you say this will become sort of the new normal now for people, companies? I mean, I’ve spoken a lot about passwordless on this show in the past. Yeah. There’s some emergence of it, but people are still stuck in the old ways. How would you say we can get people to move beyond, removing passwords, not having the headache, removing the pain, making it easier, making it more secure by all the things you just mentioned? How do we get people in that mindset?
Helmut Dansachmueller [00:11:00]:
The most important topic is education and knowledge. By demonstrating how easy it is, could be a video, could be YouTube videos, for example, could be just leading by example if administrators educate their users how to use an MFA token, how to use FIDO, for example, and demonstrate how easy it is for them and how much time they could save when logging in because they don’t need to memorize passwords. I think you have everything you need to convince users to use a passwordless system for their own benefits.
KB [00:11:41]:
So going back on, you said education and knowledge. So there obviously is education. There’s knowledge out there. Do you think it’s just time in terms of adoption, or what do you think that looks like? Because, like, there is this sort of information that exists out there, and yet not a lot of people have adopted this yet.
Helmut Dansachmueller [00:12:00]:
You are absolutely right, Carissa. Besides communicating with the users and getting the acceptance of the users really using it, there is a gap, and this gap needs to be bridged. And this bridge can only happen if, as I said already at the beginning, it’s seamless. When customers see how easy it is, that they do not need to remember complicated passphrases, which might need to be changed every month or every second week, then you’re in the right system, and then users will accept it. By trying it and giving it the chance, users will love it because it’s easier, and it provides them with a perceived higher security.
KB [00:12:46]:
Would you say people are skeptical perhaps? Like, oh, this is so seamless. It’s so easy. It may not be secure.
Helmut Dansachmueller [00:12:53]:
Yes. You’re absolutely right. It is like always. Especially in IT, you can’t see what happened on the host. So, therefore, simple education and easy-to-follow and comprehend information, how and why security based on MFA is more secure and is more convenient, helps to get the acceptance of the users. Users need to feel it. Users need to see it. Otherwise, it won’t work.
Helmut Dansachmueller [00:13:25]:
But the organizations, from my point of view, they are all having it in their hands. They can provide simple systems, then again in the introduction phase, educating the users, showing good examples, and then it works. And we see it with many customers. And, yeah, we are a security company. We are providing the readers for the MFA systems. And, of course, we have a vital interest that MFA will spread more around and will be used by everybody. And what we see and what we experience from our users, the introduction phase always is a nice short phase of demonstrating an MFA solution. And by demonstrating it and by telling the customers, guys, you no longer need to change your passwords again.
Helmut Dansachmueller [00:14:25]:
Don’t worry about different passwords for different systems. Your MFA system will solve it for you, and it will solve it in the background. Don’t worry about private key, public key, random number generators, or whatever challenge response mechanisms. Don’t worry about that. Use your token. Connect it with your PC. Maybe touch it when necessary to log in, and then everything works by magic. And this is what customers love.
Helmut Dansachmueller [00:14:57]:
It works by magic, and it works more securely than anything else.
KB [00:15:01]:
So I wanna slightly shift gears for a moment, and I’m keen to hear thoughts around the need for passwordless authentication to support Australia’s health care system and identity management. So everything that we’ve mentioned and spoken about, people are busy. They don’t have time. People working in health care, they don’t wanna sit there and think, oh, I can’t remember my password. I gotta reset it because there’s a crisis happening beside me. So I’m really curious now to get into this, because this is a very different situation to someone sitting in a head office in an air-conditioned building, for example. It’s a very different scenario.
Helmut Dansachmueller [00:15:40]:
You really hit the nail on the head. Just think about the nurse having a lot of stress, then changing the computer system, they need to log in to a special PC to enter the treatment or to verify the treatment which is documented. Then logging out, changing rooms, needing to log in again, and all that kind of stuff. When it is seamless and you can log in very easily without having thoughts about your password, it just works because you have maybe your smart card around your neck or you have the token on your key ring, then it’s so easy, and it’s a natural behavior. It is like opening a door. You use the key. You hold the key to your lock. The door opens.
Helmut Dansachmueller [00:16:31]:
You hold the MFA to your notebook or to your computer, to your terminal, or maybe even in the surgery room, having it on your wristwatch systems, like Nimi, for example. And this is the kind of security customers need. And the good thing is, with these wristbands in combination with certain readers, which are also IP67. That’s a standard for resistance against water, against chemicals. We can also implement a clean room environment where you have multifactor considering clean room requirements, and also the disinfection and the cleaning of the equipment if it is needed. So that’s very important. Getting a cheap reader from the street, that’s nothing which can be accepted by professionals in the health care system. It needs to be a clean room reader. It needs to be, again, sorry for repeating that, but I think this is key to success, a seamless system which works in a natural way.
Helmut Dansachmueller [00:17:44]:
Our customers are managing their access to private issues, to private topics automatically just by using a credential, holding it to a reader, and then you are logged in. There’s nothing more to do.
KB [00:18:00]:
So what happens when the nurse forgets the key?
Helmut Dansachmueller [00:18:04]:
That’s a great question, and that’s the same question as when a user forgets his password. You can always have replacement devices in the system, and you can easily reactivate and activate the other tokens as a replacement of the former one if you have the right measurements in place. But that’s an organizational issue. This has nothing to do with security. The organization needs to ensure the replacement activities and the second replacement parts are available, and that there are processes within the organization to take care of this.
KB [00:18:47]:
So okay. That’s interesting because when you said before the right measurements in place, what do you mean by that?
Helmut Dansachmueller [00:18:54]:
So when having a real emergency and you don’t have the key, then you’re really having a big problem. You’re also having a big problem with no passwords, or when you forget the password or the password is hacked. So you always need to have an emergency procedure, how to make sure you can log in when it’s important. And this is, for example, a vanilla token, or a token which is not used by anybody, and then you can activate this emergency token as a temporary token to access the system, or you start replacing the older one with the new one. But this is quite complicated. I would rather vote for a system where you have a temporary token until you get the original token. That’s from my point of view, and that’s what our customers usually implement as an emergency procedure.
KB [00:19:54]:
So let’s go back to the temporary token for a moment. Is that based on it expiring after x amount of time, or it only works once and then it doesn’t work? Or there’s a different sort of controls around that again?
Helmut Dansachmueller [00:20:08]:
That’s the good thing with all those systems. All those systems can remotely be activated and deactivated. You can deprovision keys. You can provision keys over the air automatically, quite simply. And that allows you to implement a solution where users can maybe use it for a limited amount of logins, five, ten, 15, 20, whatever, or they can use it for a limited amount of time, maybe within the next twenty-four hours, maybe within the next twelve hours. But regardless of what it is, the most important thing is that it is documented, because documentation, especially with sensitive data in the health care systems, documentation is very important. You need to know who has changed the recording, who had access to controlled substances, and all this kind of stuff. But you never start sharing the MFA token with your colleague.
Helmut Dansachmueller [00:21:16]:
A nurse cannot share it with another nurse because then she’s not logging in as the person she is. She’s then logging in as the person the colleague is. And this generates many problems in the documentation, especially in the health care systems. Because in health care, you really need to know who has changed the record, who has used the controlled substance, and all this kind of stuff. That’s why it is important to use MFA, not sharing the login process with others, because the others need the token by themselves. They need the token for every login, and therefore, they can’t share it with a colleague.
KB [00:22:01]:
Okay. So let’s roll through a scenario. I’m just really curious to understand. So I’m Carissa. I’m a nurse. I’m stressed out. I was running late for work, forgot my security key because I’m forgetful, which I am in real life, actually. Go to work, panicked, got a bunch of meetings, gotta get stuff done, can’t log into my system because I don’t have the key.
KB [00:22:21]:
So then I call up the help desk and say, hey. I’ve got my key. It’s at home. Like, it’s not lost. I know where it is. Sure. We’re gonna give you a temporary token, which is gonna last to the end of the day, for example. Again, depending on the measurements that companies have implemented, to your earlier point, they can go about their day.
KB [00:22:39]:
And then after that time period expires, for example, that temporary token would elapse, and then they can go back to using their physical security key.
Helmut Dansachmueller [00:22:51]:
Yes. That’s the usual procedure.
KB [00:22:54]:
So then following this on a little bit more, in terms of, you said before, obviously, we gotta know who’s logging into what, who’s got the temporary key, etcetera, with documentation. How do people monitor that to make sure, like, hey, this is Carissa calling up? And I know that’s sort of more of a business operational sort of process. But what are some of the risks that you see then in that? Because there is a potential window that opens up more risk.
Helmut Dansachmueller [00:23:20]:
Yes. It opens the door a little bit. I’m very sorry. I don’t know the English term for this topic. It’s called, more or less, in German, the four-eyes principle. Because you, as a user, you can’t claim, hey. I’m Carissa. I have lost my token.
Helmut Dansachmueller [00:23:39]:
Please provide me a temporary token, and I log in as Carissa. But I’m not Carissa. I’m Helmut. No. Then you go to a second colleague, ask to verify your identity with a set. Please forgive me that I don’t know the English term for a four-eyes principle. And this second person verifies and confirms: I am Carissa. I need to have a temporary token for the day, and then this person verifies that and can prove that you are Carissa, and then the system works.
Helmut Dansachmueller [00:24:15]:
Four-eyes principle is, I think, the most convenient way of doing that. Instead of hurrying up to the IT department, which isn’t there; they’re on a different floor in a totally different office. No. Just asking your colleague, verifying your identity, but not sharing your password. Yeah. The person doesn’t share your password with you. Because usually, in password-based systems, you tell your colleague, hey. I have forgotten my password.
Helmut Dansachmueller [00:24:43]:
Please give me yours, and I promise I will not use it again. Forget about that stuff. This is all, yeah. DS is, I think, the politically correct term for that. You need to be sure that the other person just verifies your identity but isn’t sharing any secret. And so you have a good system where the identity can be proven by a trusted colleague without sharing passwords, without sharing tokens.
KB [00:25:14]:
Mhmm. Okay. This is interesting. So then in terms of someone, like, loses it completely, maybe they’re traveling on a train, they left, they had their keys in their hands. It had everything on it, their house keys included. They leave it. Then what happens? What does that scenario then look like?
Helmut Dansachmueller [00:25:31]:
Then the system is locked. I have no idea how you could solve this issue, if you have no access to a replacement token and if you have no access to a colleague who can prove your identity. You can then maybe use different systems, where the system will ask you for the name of the first dog you had, asking for the first car brand you used when getting your driving license, and all this kind of stuff. Those mechanisms are still valid, but to be honest, they’re, again, still based on shared secrets on the host system. And with social engineering, maybe they can get the name of your dog. Maybe they can get the name of your car because you have posted it on Instagram, for example. So all those systems are not really secure, and you as an organization need to decide, okay, when you’re on the road, you have forgotten your token.
Helmut Dansachmueller [00:26:35]:
Should I provide you access to the system? Should I provide you limited access to the system so that you can maybe just read limited data? But from my point of view, this is the point where security is more important than convenience. And when you’re on the road and you have your notebook with you, but having forgotten the token, I’m very sorry. Because of the higher security requirements, you can’t have access to the system at this moment. This is the only disadvantage.
KB [00:27:13]:
So then just say I’m on the train. I left it there. Someone else finds it. I mean, they’d have to really know who I was, where I worked, what it was for. Or would you then still call up your, I don’t know, IT department and say, hey. I’ve completely lost it. I have no idea where it is. What’s the process then?
Helmut Dansachmueller [00:27:32]:
If you really know that you have forgotten it, it’s quite easy. You can immediately deactivate the token in your systems remotely, or IT can deactivate the system and can deprovision the keys automatically. And then you start from the very beginning with a replacement token the next day, or the day when you have access to your new token, and then you can replace it. But then it always requires the support of the IT system, and then it’s no longer convenient, then it’s no longer seamless. But, yeah, as I said, you need to die one test, and you can’t have high security with convenience. That’s still possible. But when the token is no longer available, when the token becomes defective, then you need to have an emergency procedure. And this procedure maybe doesn’t work when you’re on the road.
Helmut Dansachmueller [00:28:30]:
I’m very sorry for that, but that’s the price you need to pay for security. But we are rather talking about health care systems. In health care systems, I’m assuming you are working in an organization where you have the IT centrally in your hospital, in your building, and not when being on the road. The being-on-the-road syndrome is rather for street warriors, for salespeople, for technicians, but not so much in the health care systems.
KB [00:29:03]:
So you talk about as well that this process will improve clinical workflows. What do you mean by clinical workflows?
Helmut Dansachmueller [00:29:13]:
Clinical workflows, they start and end with the recording of data and storing the data and making sure that you know who has entered the data, who has changed the data. And hospitals, at the very beginning, they do not ask, okay, how secure do I need to be? They are asking, what would it cost when it’s not secure? So having seamless processes which make sure that you can have access to data saves a lot of money because you are having faster access to systems. You comply with local legislation and regulations in making sure that you protect the data with appropriate mechanisms. I think this is the most important benefit from it. And by having that, I think it softens the risk of being on the road, having no credential. It softens the disadvantage of the systems by having much more processes and being very easy. So I can tell you, we are offering, for example, and I do not want to make too much promotion, but we are having credentials which are placed in the surgery room.
Helmut Dansachmueller [00:30:34]:
You can report every tool which you are using for the surgery with an RFID reader. And at the end of the surgery, you press one button, and you get the entire report of which tools are used, which systems have been used, and then you’re getting immediately the receipt for the surgery. And this can then be used in the back end systems for asking the health insurance companies to pay for that and to document the entire surgery, for example. So documenting the systems, having controlled access to substances, and always having a record of who did what on the systems. This is the value, and this saves the money, which in every health care system and in every region, customers and administrators in the health care systems are asking for. Especially the health insurance companies, they also would like to know, okay, what really happened on the system and who has done what with it. That’s why it is so important to have reliable data and reliable process documentation.
KB [00:31:51]:
So let’s zoom out for a moment. How do you see passwordless moving forward? What do you see on the horizon? What are your thoughts?
Helmut Dansachmueller [00:32:02]:
A further development of passwordless systems could be the use of biometric data. You can either use biometric data directly, or you can use biometric data locally to activate your token, and then the token will do the rest with the back end systems. So a further development could be biometric authentication. However, in certain countries, customers are very reluctant to use their fingerprint and to use face recognition because then they might say, no. Somebody can take a fingerprint of mine and can use the fingerprint on the systems. Sometimes they are saying, yeah. Somebody can take a photograph, and the photograph could be manipulated to do biometric authentication. However, as we all know in the IT security environments, face recognition can be easily proven by having lidar systems, by making sure that it is a three-dimensional model in front of the camera.
Helmut Dansachmueller [00:33:10]:
All those things, I think, are the further development. But please don’t do step three before step two or step one. Let’s start with passwordless systems, and then maybe over time, biometric authentication becomes the most relevant new innovative system. And, yes, of course, we are also offering biometric systems like fingerprint and face recognition.
KB [00:33:38]:
So, Helmut, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?
Helmut Dansachmueller [00:33:44]:
Educate your users to gain acceptance by the users, because the security of the system always depends on the acceptance of the users, and make it easy for them to use it. And don’t blame them if something goes wrong. Help them to understand what went wrong and make sure they are doing it better the next time. This will guarantee consistent and, yeah, consistent and secure systems. And consistent and secure systems is not a stupid story about data consistency. No. This is vital to survive. Remember all the systems which went down because ransomware conquered the systems.
Helmut Dansachmueller [00:34:31]:
Make sure users are understanding what you are doing and what they are doing, and that they are the entry to your IT systems. They need to feel the responsibility, but make it easy for them to increase the security these organizations need nowadays because of all the threats which are happening.