Multi-Factor Authentication (MFA)
Overview
WebChart EHR Multi-Factor Authentication (MFA) is available in all systems (RC202009+) but is disabled by default. Once MFA is enabled for a system, each user requiring MFA needs to be set up individually.
Security Level
WebChart EHR supports three levels of MFA. The level of security can be selected on a per-user basis to meet your organization’s needs.
- Only for Super-User functions (Least Security)
- When the system deems appropriate (More Security)
- At every login (Maximum Security)
Password Type
WebChart EHR supports two options for the second factor password:
- Time-based
- Counter-based
MIE strongly recommends a time-based password; however, a counter-based password is available for users who may have difficulty typing a 6-digit number quickly, or whose device does not reliably keep the current time.
General Set Up
Once MFA is enabled for a system, each user can be configured from their Edit User page. Setup is completed most easily on a device that has 2D barcode scanning capability by following the prompts in WebChart and on your device; however, setup can also be completed with a device that does not support barcode scanning.
WebChart/Enterprise Health 2FA Provisioning
Setup
Setup walkthrough screenshots (images not reproduced here):
- Screen change in User Edit
- Setup help bubble
- Click the Setup link; a JS window opens (TOTP and HOTP available)
- Device setup with options selected (HOTP and TOTP available), or the initial view when only HOTP or TOTP is available
- Device setup after clicking 'Click Here'
- Enter the OTP from your device to enable the 'Complete Setup' button
- Tabbing through the OTP input without entering a value prompts the user for an OTP
- Click 'Complete Setup'
- User Edit screen with 2 Step enabled
- Click the 'Change' link; a JS window opens
- Click 'Setup New Device' to load the original Setup JS window
- Click 'Disable'
- My Settings page
- My Settings page with 2 Step enabled
- View User with 2 Step disabled
- View User with 2 Step enabled
- Verify help bubble
- View User screen after clicking 'Verify'
User Experience
Login validation using OTP
This workflow applies when the user’s challenge level is set higher than ‘Only for Super-User functions'.
To receive the prompt on every login, select the ‘Every Login’ option at signup.
The login page functions as normal
The user will then be prompted for their OTP
Verify
Verify corresponds to the Check Key Value option in Google Authenticator, which displays the OTP for counter=0.
Require 2FA Upon Log In
Setup
Set the WebChart/Login/Require2FA system setting to 'Encourage'. With this value, users are prompted to set up two-factor authentication (2FA) after completing their initial login. Users can opt to bypass the 2FA setup when logging in, but they will be prompted at each login until they complete it.
The user must also have a valid username and password set.
User Experience
Log in using your Enterprise Health or WebChart login
Enter your Enterprise Health or WebChart Password
Answer the prompts "Does your device support scanning a barcode?" (Yes/No) and "Which password type would you like to use?" (Time Based/Counter Based). Users can click the X in the upper right corner to bypass the 2FA setup; they will continue to be prompted at each login until setup is complete.
If using a phone or other device with a camera, scan the QR code with your authenticator application (for example, Google Authenticator or Microsoft Authenticator).
Obtain the OTP (One Time Password) from the authenticator application.
Enter the OTP in the "Enter the OTP from your device" field, then click the Complete Setup button.
A confirmation message will display once the set up is complete.
Super User Approval
Setup
Super User approval screenshots (images not reproduced here):
- Update to the view of 2FA'd users when Super User is active
- Authorize help bubble
- Authorize 2FA for Super User access
- Successful authorization
- Update to View User when Super User is active and the user has been authorized
- Remove Super User access
- Super User authorization successfully revoked
- Super User portlet without Super User access
- Super User portlet with Super User access
User Experience
- Enter the OTP from the Super User authorized 2FA device
- Screen shown if the OTP is accepted
NMC 2FA Provisioning
Setup
NMC provisioning screenshots (images not reproduced here):
- Addition of Account Security on the Member Summary page
- New Account Security page (more verbiage to follow)
- After clicking Setup (TOTP and HOTP available)
- After clicking 'Create' with barcode 'Yes' selected (HOTP and TOTP available), or after clicking 'Setup' (HOTP or TOTP only)
- After clicking 'Create' with barcode 'No' selected
- After clicking 'Complete Setup'
- Account Security screen with 2FA configured (more verbiage to follow)
- After clicking 'Change'
- After clicking 'Disable'
- After clicking 'Setup New Device' (HOTP and TOTP available); otherwise the barcode screen shows
User Experience
- Login screen
- After log on
- After failed verification (increments the failed login count)
- A correct verification code allows login
Google Authenticator Images
ByPass 2FA OTP
System Administrators may opt to bypass 2FA from certain IPs. It is recommended that customers review this feature with their network/IT security department and obtain authorization before configuring it. Before enabling the feature, define the IPs from which 2FA may be bypassed. This is done in IP Settings (Control Panel -> System -> IP Settings).
Select the Add Acceptable IP Rule link in the upper right corner of the screen. Enter the IP address, Netmask and Timeout, ensure the Bypass 2FA box is checked, then click Add.
Once the IP address(es) have been added in IP Settings, set the "Enable Bypass 2FA OTP" system setting to "Enabled".
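To make the bypass rule explicit, here is an added Python example (not WebChart code and not taken from this documentation) of how an IP-based 2FA bypass decision is typically evaluated: each acceptable IP rule is an address plus netmask, the bypass applies only to rules whose Bypass 2FA flag is checked, and the whole feature is gated by the system setting. The rule class, function names and sample addresses are constructed for the example; the Timeout column from the IP Settings screen is not modelled. The `client_address` helper shows the check a practitioner wants before relying on this feature: the address compared against the rules must be the connection's actual peer address, and a forwarded-for header is honoured only when that peer is a configured trusted proxy.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AcceptableIpRule:
    """One row of the IP Settings table as this example models it
    (assumed field names; the Timeout column is not modelled)."""
    address: str
    netmask: str
    bypass_2fa: bool

    def network(self) -> "ipaddress.IPv4Network | ipaddress.IPv6Network":
        # ipaddress accepts a dotted netmask after the slash, matching the
        # separate Address / Netmask fields on the IP Settings screen.
        return ipaddress.ip_network(f"{self.address}/{self.netmask}", strict=False)


# Constructed sample rules using documentation address ranges.
SAMPLE_RULES = [
    AcceptableIpRule("10.20.0.0", "255.255.0.0", bypass_2fa=True),        # office LAN
    AcceptableIpRule("203.0.113.7", "255.255.255.255", bypass_2fa=True),  # one egress address
    AcceptableIpRule("192.168.50.0", "255.255.255.0", bypass_2fa=False),  # acceptable, no bypass
]


def otp_required(client_ip: str, rules: Iterable[AcceptableIpRule],
                 bypass_enabled: bool) -> bool:
    """Return True when the user must still enter an OTP. The bypass only applies
    when the system setting is enabled AND a matching rule has Bypass 2FA checked."""
    if not bypass_enabled:
        return True
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        # `in` is False for a version mismatch (e.g. IPv6 client, IPv4 rule).
        if rule.bypass_2fa and ip in rule.network():
            return False
    return True


def client_address(peer_ip: str, forwarded_for: Optional[str],
                   trusted_proxies: Iterable[str]) -> str:
    """Pick the address to test against the rules. X-Forwarded-For is honoured
    only when the TCP peer is a configured trusted proxy, and then the last
    entry is used because that is the address the trusted proxy itself saw."""
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(p, strict=False) for p in trusted_proxies)
    if forwarded_for and trusted:
        candidate = forwarded_for.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            return peer_ip          # malformed header: fall back to the peer
    return peer_ip


if __name__ == "__main__":
    for ip in ("10.20.5.6", "10.21.0.1", "203.0.113.7", "192.168.50.9"):
        print(ip, "OTP required:", otp_required(ip, SAMPLE_RULES, bypass_enabled=True))
    print(client_address("10.0.0.1", "198.51.100.9, 10.20.5.6", ["10.0.0.1"]))
```

Rules are evaluated as exact network membership, so a netmask typo (for example 255.255.0.0 where 255.255.255.0 was intended) silently widens the bypass; reviewing the resulting network for each rule is worth doing before enabling the system setting.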
Enterprise Health Documentation
Last Build: Fri, 10 Jan 2025 20:20:58 UTC
WikiGDrive Version: 14369108b4618bce79d4c23f4d172a439fb63721