Multi-Factor Authentication (MFA)
Overview
WebChart EHR Multi-Factor Authentication (MFA) is available in all systems (RC202009+) but is disabled by default. Once MFA is enabled for a system, each user requiring MFA needs to be set up individually.
Security Level
WebChart EHR supports three levels of MFA. The level of security can be selected on a per-user basis to meet your organization’s needs.
- Only for Super-User functions (Least Security)
- When the system deems appropriate (More Security)
- At every login (Maximum Security)
Password Type
WebChart EHR supports two options for the second factor password:
- Time-based
- Counter-based
MIE strongly recommends a time-based password; however, a counter-based password is available for users who may have difficulty quickly typing a 6-digit number or whose device does not reliably keep the current time.
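The trade-off between the two password types, as an added example that is not MIE's or WebChart's code: it assumes the standard RFC 4226 (counter-based) and RFC 6238 (time-based) algorithms with HMAC-SHA1 and a 30-second step, the defaults Google Authenticator uses. The function names and the drift and look-ahead window sizes are illustrative assumptions, and the secret is the RFC test key.

```python
import hashlib
import hmac
import struct

DIGITS = 6                        # the 6-digit code mentioned above
STEP = 30                         # assumed time step in seconds (RFC 6238 default)
SECRET = b"12345678901234567890"  # RFC 4226 test secret, not a real key

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Counter-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F       # dynamic truncation picks 4 bytes of the MAC
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // STEP)

def verify_totp(secret: bytes, code: str, server_time: int, drift_steps: int = 1) -> bool:
    """Accept codes from adjacent time steps to tolerate small clock skew."""
    now = server_time // STEP
    return any(hmac.compare_digest(hotp(secret, now + d), code)
               for d in range(-drift_steps, drift_steps + 1))

def verify_hotp(secret: bytes, code: str, stored_counter: int, look_ahead: int = 3):
    """Return the next counter to store on success, or None on failure.
    The look-ahead window absorbs codes generated on the device but never submitted."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1          # counters at or below c are never accepted again
    return None

if __name__ == "__main__":
    print("check value for counter=0:", hotp(SECRET, 0))
    device_code = totp(SECRET, 59)              # device clock reads t=59
    print("server 30 s ahead:", verify_totp(SECRET, device_code, 89))
    print("server 91 s ahead:", verify_totp(SECRET, device_code, 150))
    nxt = verify_hotp(SECRET, hotp(SECRET, 2), stored_counter=0)
    print("HOTP accepted, next counter:", nxt)
    print("same code replayed:", verify_hotp(SECRET, hotp(SECRET, 2), nxt))
```

A device whose clock drifts beyond the accepted window fails every time-based check, while the counter-based check has no clock dependency; its codes stay valid until used, which is why a verifier advances the stored counter on each success.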
General Set Up
Once MFA is enabled for a system, each user can be configured from their Edit User page. Setup is completed most easily on a device that has 2D barcode scanning capability by following the prompts in WebChart and on your device; however, setup can also be completed with a device that does not support barcode scanning.
WebChart/Enterprise Health 2FA
WebChart 2FA Provisioning
Setup
Screen change in User Edit:
Setup Help Bubble:
Click the Setup link, JS Window (TOTP and HOTP available):
Device setup, options selected (HOTP and TOTP available) or initial view (only HOTP or TOTP):
Device setup, post-“Click Here”:
Enter the OTP from your device to enable the ‘Complete Setup’ button
Tabbing through the OTP input without entering a value actively prompts the user for an OTP
Click ‘Complete Setup’
User Edit screen, with 2 Step enabled:
Click ‘Change’ link, JS Window:
Click ‘Setup New Device’ loads the original Setup link JS Window.
Click ‘Disable’:
Change to My Settings page:
Change to My Settings page, 2 Step enabled:
Change to View User, 2 Step disabled:
Change to View User, 2 Step enabled:
Verify help bubble:
View User screen, after clicking ‘Verify’:
Use
Login validation using OTP
This workflow applies when the user’s challenge level is set higher than ‘Only for Super-User functions’.
To receive the prompt on every login, select the ‘Every Login’ option at signup.
The login page functions as normal
The user will then be prompted for their OTP
Verify
Corresponds to the Check Key Value option in Google Authenticator:
Which displays the OTP for counter=0:
Super User Approval
Setup
Update to View of 2FA’d Users when Super User is active.
Authorize Help Bubble
Authorize 2FA for Super User access
Successful Authorization
Update to View User when Super User is active and user has been Authorized.
Remove Super User access
Super User authorization successfully revoked
Super User Portlet without Super User access
Super User Portlet with Super User access
Use
Enter the OTP from the Super User authorized 2FA device
If OTP is accepted:
NMC 2FA Provisioning
Setup
Addition of Account Security on Member Summary page:
New Account Security Page (More verbiage to follow):
After clicking Setup (TOTP and HOTP available):
After clicking ‘Create’ with barcode ‘Yes’ selected (HOTP and TOTP available) or after clicking ‘Setup’ (HOTP or TOTP only):
After clicking ‘Create’ with barcode ‘No’ selected:
After clicking ‘Complete Setup’:
Account Security screen, with 2FA configured (more verbiage to follow):
After clicking ‘Change':
After clicking ‘Disable’:
After clicking ‘Setup New Device’ (HOTP and TOTP available) else, barcode screen shows:
Use
Login Screen:
After Log On:
After failed Verification (increments failed login count):
Correct Verification code allows login.
Google Authenticator Images
Last Build: Wed, 09 Oct 2024 23:08:26 UTC