The passwordless approach: Securing access to genetic data

If you had an online account to access your DNA-based report, how would you protect it? With a password?

One of the first things that comes to mind when you talk to people about genetics is security: how can we protect something as private, as personal as your own DNA code? Take for example the BRCA1 and BRCA2 genes (linked to breast and ovarian cancer risks). Mutations in those genes can change the life expectancy of carriers, enough so that some may choose to go through surgical procedures to reduce their risk, as was the case for Angelina Jolie. If you were a 20-something-year-old carrier of one of those mutations, wouldn’t you want this information to be as secure as possible? If you had an online account to access the report containing the results, how would you protect it? With a password?

Passwords are inherently unsafe. They are either too hard to remember, too short, too easy to guess or, worse, re-used between services. Get one account compromised or hacked (like the recent LinkedIn password leak), and all of your accounts are compromised. Oops!

Interestingly, most sites that you visit, like Facebook, LinkedIn and such, have the infamous “Forgot My Password” option. On all those sites, the basics are the same: enter your email and a secure link (let’s call it a Magic Link) is sent to your inbox. Click on the Magic Link and voila! You are now logged in. This approach has been around for years and is, by design, inherently safer. How does it work?

The Magic Link sent to your email account contains a unique key (think of a very, very long password). The key is only meant to be used once (it gets destroyed once it is consumed). Furthermore, the key is valid only for a limited time (from 15 minutes to 24 hours). Basically, it is like creating an insanely long, time-limited password each time you log in! And the good news? You don’t even have to invent the password, much less memorize it. Why aren’t we using that approach everywhere, then?
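A minimal implementation of the single-use, time-limited key described above, added here as an illustration (it is not BiogeniQ's code). The in-memory store, the placeholder domain and the 15-minute lifetime are assumptions; only a hash of the key is kept server-side so a leaked store cannot be turned into working links.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the post cites 15 minutes to 24 hours

# Stands in for a database table: sha256(token) -> (email, expires_at)
_pending = {}


def _hash(token):
    # Store only a digest: a database dump must not be replayable as links
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email, now=None, ttl=TOKEN_TTL_SECONDS):
    """Create a single-use, time-limited key and return the URL to email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: the "very long password"
    _pending[_hash(token)] = (email, now + ttl)
    return f"https://example.invalid/login?token={token}"  # placeholder domain


def token_from_link(url):
    """Extract the key from a link as the login endpoint would."""
    return parse_qs(urlparse(url).query)["token"][0]


def consume_magic_link(token, now=None):
    """Return the email if the key is known, unexpired and unused, else None.

    The record is removed on every lookup, whether or not it is valid, so a key
    can never be consumed twice and an expired key is destroyed on first sight.
    """
    now = time.time() if now is None else now
    record = _pending.pop(_hash(token), None)  # pop = destroy on consumption
    if record is None:
        return None
    email, expires_at = record
    if now > expires_at:
        return None
    return email
```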

Why not! If you secure your email account properly (i.e. with two-factor authentication, a strong password and an SSL connection), then your email account becomes the single password you need to remember.

BiogeniQ secures its clients’ reports that way: when you want to log in, you enter your email address and a clickable Magic Link is sent to your inbox within 10 seconds. And that’s just one of the features we put in place to protect our clients’ data. Next time you need to do a genetic test, take the security of your personal information into account. It’s not Magic, it’s Science.

Olivier Caron-Lizotte
CTO — BiogeniQ

Initially posted here: https://biogeniq.ca/en/articles/securing-access-to-genetic-and-personal-information-without-a-password/