Multi-Factor Authentication MFA

Overview

WebChart EHR Multi-Factor Authentication (MFA) is available in all systems (RC202009+) but is disabled by default. Once MFA is enabled for a system, each user requiring MFA needs to be set up individually.

Security Level

WebChart EHR supports three levels of MFA. The level of security can be selected on a per-user basis to meet your organization’s needs.

  • Only for Super-User functions (Least Security)
  • When the system deems appropriate (More Security)
  • At every login (Maximum Security)

Password Type

WebChart EHR supports two options for the second factor password:

  • Time-based
  • Counter-based

MIE strongly recommends a time-based password; however, a counter-based password is available for users who may have difficulty quickly typing a 6-digit number or whose device does not reliably keep the current time.

General Set Up

Once MFA is enabled for a system, each user can be configured from their Edit User page. Setup is completed most easily on a device that has 2D barcode scanning capability by following the prompts in WebChart and on your device; however, setup can also be completed with a device that does not support barcode scanning.

WebChart/Enterprise Health 2FA

WebChart 2FA Provisioning

Setup

Screen change in User Edit:

Setup Help Bubble:

Click the Setup link, JS Window (TOTP and HOTP available):

Device setup, options selected (HOTP and TOTP available) or initial view (only HOTP or TOTP):

Device setup, post-“Click Here”:

Enter the OTP from your device to enable the ‘Complete Setup’ button

Tabbing through the OTP input without entering a value actively prompts the user for an OTP

Click ‘Complete Setup’

User Edit screen, with 2 Step enabled:

Click ‘Change’ link, JS Window:

Click ‘Setup New Device’ loads the original Setup link JS Window.

Click ‘Disable’:

Change to My Settings page:

Change to My Settings page, 2 Step enabled:

Change to View User, 2 Step disabled:

Change to View User, 2 Step enabled:

Verify help bubble:

View User screen, after clicking ‘Verify’:

Use

Login validation using OTP

This workflow applies when the user’s challenge level is set higher than ‘Only for Super-User functions’.

To receive the prompt on every login, select the ‘Every Login’ option at signup.

The login page functions as normal

The user will then be prompted for their OTP

Verify

Corresponds to the Check Key Value option in Google Authenticator:

Which displays the OTP for counter=0:
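The time-based and counter-based password types and the counter=0 check value described on this page, as an added example that is not WebChart's own code. It assumes the standard RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms with HMAC-SHA1, a 30-second step and 6 digits; the drift window, look-ahead size and function names are illustrative assumptions, and the secret is the RFC 4226 test secret.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # the page's 6-digit code
STEP = 30    # assumed TOTP period in seconds (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // STEP, digits)

def check_key_value(secret: bytes) -> str:
    """OTP for counter=0: confirms server and device hold the same secret."""
    return hotp(secret, 0)

def verify_totp(secret, code, unix_time, drift_steps=1):
    """Accept codes within +/- drift_steps periods to tolerate small skew."""
    now = unix_time // STEP
    window = range(max(0, now - drift_steps), now + drift_steps + 1)
    return any(hmac.compare_digest(hotp(secret, c), code) for c in window)

def verify_hotp(secret, code, server_counter, look_ahead=3):
    """Return the next server counter on success, None on failure."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1   # counters at or below c are never accepted again
    return None

if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test secret, not a real key
    code = totp(secret, 59)            # device clock reads t=59
    print("check value (counter=0):", check_key_value(secret))
    print("accepted, server 26 s ahead:", verify_totp(secret, code, 85))
    print("accepted, server 111 s ahead:", verify_totp(secret, code, 170))
    print("HOTP next counter:", verify_hotp(secret, hotp(secret, 2), 0))
    print("HOTP replay:", verify_hotp(secret, hotp(secret, 2), 3))
```

The TOTP check fails once the device clock falls outside the drift window, which is the case the counter-based option exists for; the HOTP check instead depends on the server advancing its stored counter after every accepted code.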

Super User Approval

Setup

Update to View of 2FA’d Users when Super User is active.

Authorize Help Bubble

Authorize 2FA for Super User access

Successful Authorization

Update to View User when Super User is active and user has been Authorized.

Remove Super User access

Super User authorization successfully revoked

Super User Portlet without Super User access

Super User Portlet with Super User access

Use

Enter the OTP from the Super User authorized 2FA device

If OTP is accepted:

NMC 2FA Provisioning

Setup

Addition of Account Security on Member Summary page:

New Account Security Page (More verbiage to follow):

After clicking Setup (TOTP and HOTP available):

After clicking ‘Create’ with barcode ‘Yes’ selected (HOTP and TOTP available) or after clicking ‘Setup’ (HOTP or TOTP only):

After clicking ‘Create’ with barcode ‘No’ selected:

After clicking ‘Complete Setup’:

Account Security screen, with 2FA configured (more verbiage to follow):

After clicking ‘Change’:

After clicking ‘Disable’:

After clicking ‘Setup New Device’ (HOTP and TOTP available); otherwise, the barcode screen shows:

Use

Login Screen:

After Log On:

After failed Verification (increments failed login count):

Correct Verification code allows login.

Google Authenticator Images


Enterprise Health Documentation

Last Build: Wed, 09 Oct 2024 23:08:26 UTC