One-Time Password (OTP) Authentication without requiring an external device or application

A One-Time Password (OTP) is an easy way to add an additional level of security to a user’s sign-in to the system, using an OTP function to the user’s email, without requiring the user to utilize an external device or application. Requiring an OTP (via email instead of a device app) as part of the sign in experience can be enabled in a user’s security role using the permission.

One-Time Password (OTP) Emailed

The OTP Required security permission setting controls whether users are required to provide an OTP when logging in. Users who are configured (via a different security permission) to be encouraged or required to setup an MFA/2FA account on an Authenticator App on an external device will use that for their MFA/2FA instead. Only one OTP will be requested at sign in.

User Experience as OTP Required via Email

The user manually logs in with their username/email and then keys in their unique password.

Once their username and password have been authenticated, they will be prompted to select an OTP notification method.

Extra Authentication Needed

In order to utilize the OTP email method, the user must have their email address on their chart and/or user screen in the Enterprise Health system.

1. Their next screen will ask for Extra Authentication Needed.
2. The user will need to click on the bar/button to Email to their email address. Clicking on the email notification option will request an OTP (one-time password) be created and delivered by the Enterprise Health system.

The user will then be alerted that the OTP has been sent. For security reasons, replacement OTPs may only be requested after a certain amount of time has elapsed since the previous request. The time remaining will be shown, and decrement accordingly.

Once the request timer terminates, and if the user had not entered their unique generated OTP (that was emailed to them), the screen will allow the user to request a new OTP and can click on the bar/button to Email to their email address again.

However, if the user attempts to request a new OTP before the timer has expired, the user will receive a rejection notice if they click the bar/button to Email to their email address again.

Regardless of the number of OTPs requested, after 30 minutes have elapsed, a user will need to restart the login request before being permitted to request additional OTPs.

Email Notification of OTP

The default email notification of OTP is the following, however your Enterprise Health system may have a customized OTP Email Layout to provide other verbiage.

Incorrect Entered OTP

Entering an incorrect OTP will result in an error message, as well as counting as a failed log in attempt.

Email OTP Configuration Options

System Settings

The following system settings relate to the OTP Email functionality:

• Enable Bypass 2FA OTP: defaults as disabled, but when enabled allows users whose device is detected as having an IP Address within a configured “In Network” location are able to bypass the prompt for an OTP prior to sign in. See other help guide Multi-Factor Authentication MFA / Require 2FA System Configuration on how System Administrators can configure IP addresses to bypass MFA/2FA.
• OTP CSRF Valid Minutes: defaults to 30 minutes and specifies the maximum amount of time that a user may continue to request OTPs before they must re-enter their manual username and password. This setting allows tightening the window of time when replay attacks are available against the user’s account.
• OTP Length: defaults to 6 and sets the number of characters present in the generated OTP. This setting can allow for a longer OTP, up to 20 characters, to further increase the difficulty of attackers attempting to compromise a user account.
• OTP Request Delay Seconds: defaults to 30 seconds and specifies the minimum amount of time which must elapse before an additional OTP request may be made against the system. This setting allows rate-limitting a potential attacker in order to further protect a compromised account against unwanted OTP forcing.
• OTP Valid Seconds: defaults to 15 minutes (900 seconds) and specifies the maximum amount of time during which a generated OTP will be accepted by the system before it expires. User entry of expired OTPs count as a login failure and are counted as such, potentially resulting in locked user accounts. This setting allows shortening the window during which an OTP delivered to an account can be utilized for attacks against the account.
• Failure Delays: is shared with the standard sign-in system and introduces a set minimum processing duration for executing user credential validation in order to mitigate timing attacks against the system. This duration should be as close to the duration of a successful authentication as possible to minimize the delay experienced by the user while also hiding failure details from potential attackers.
• Autoreply: is shared with many other functions within the system and specifies the sending ‘from’ email address used for email-based OTP notification messages.

Translations

English strings presented to the end user are translatable using the context of “Login”. These include UI prompts shown on the OTP screens, error strings returned by an OTP generation request and dynamically generated elements related to the OTP generation and validation.

Compatibility with User 2FA

A user who has chosen to configure an Authentication Device or 2FA Mobile Application for themselves will be prompted for the OTP from their device or application instead of a system generated OTP delivered by the system via email.

While it is possible to “Encourage” or “Require” using the “Require 2FA” security permission, while at the same time setting a security role to “Yes” for the “OTP Required” security permission - only one OTP will be requested at sign in.

Instead, the user entering the generated OTP at their first sign in would then be prompted to also provision their 2FA application or device. Doing so would then allow them to skip the generated OTP request and only utilize the OTP from their 2FA device during future sign in attempts.

While the system setting “Enable Bypass 2FA OTP” allows specific configured IP addresses to bypass the OTP prompt, MFA/2FA device users who selected the “Every Login (Maximum Security)” option when they provisioned their device will ignore this ‘bypass 2FA’ configuration and still be prompted for their 2FA OTP every time they attempt a sign in, regardless of their IP Address at the time.

Additional Resources

• Multi-Factor Authentication MFA / Require 2FA System Configuration
• Encourage Multi-Factor Authentication MFA/2FA User Experience
• Force Multi-Factor Authentication MFA/2FA User Experience