Multi-Factor Authentication MFA

Multi-Factor Authentication

Overview

WebChart EHR Multi-Factor Authentication (MFA) is available in all systems (RC202009+) but is disabled by default. Once MFA is enabled for a system, each user requiring MFA needs to be set up individually.

Security Level

WebChart EHR supports three levels of MFA. The level of security can be selected on a per-user basis to meet your organization’s needs.

• Only for Super-User functions (Least Security)
• When the system deems appropriate (More Security)
• At every login (Maximum Security)

Password Type

WebChart EHR supports two options for the second factor password:

• Time-based
• Counter-based

MIE strongly recommends a time-based password; however, a counter-based password is an available option for those users that may have difficulty quickly typing a 6-digit number or have a device which does not reliably keep the current time.

General Set Up

Once MFA is enabled for a system, each user can be configured from their Edit User page. Setup is completed most easily on a device that has 2D barcode scanning capability by following the prompts in WebChart and on your device; however, setup can also be completed with a device that does not support barcode scanning.

WebChart/Enterprise Health 2FA Provisioning

Setup

Screen change in User Edit:

Setup Help Bubble:

Click the Setup link, JS Window (TOTP and HOTP available):

Device setup, options selected (HOTP and TOTP available) or initial view (only HOTP or TOTP):

Device setup, post-“Click Here”:

Enter the OTP from your device to enable the ‘Complete Setup’ button

Tabbing through the OTP input without entering a value actively prompts the user for an OTP

Click ‘Complete Setup'

User Edit screen, with 2 Step enabled:

Click ‘Change’ link, JS Window:

Click ‘Setup New Device’ loads the original Setup link JS Window.

Click ‘Disable':

Change to My Settings page:

Change to My Settings page, 2 Step enabled:

Change to View User, 2 Step disabled:

Change to View User, 2 Step enabled:

Verify help bubble:

View User screen, after clicking ‘Verify':

User Experience

Login validation using OTP

This workflow applies when the user’s challenge level is set higher than ‘Only for Super-User functions'.

To receive the prompt on every login, select the ‘Every Login’ option at signup.

The login page functions as normal

The user will then be prompted for their OTP

Verify

Corresponds to the Check Key Value option in Google Authenticator:

Which displays the OTP for counter=0:

Require 2FA Upon Log In

Setup

Set the WebChart/Login/Require2FA system setting value to ‘Encourage’. When this system setting is configured with the value of “Encourage”, users will be prompted to set up 2 factor authentication after completing their initial login. Users can opt to bypass the 2FA set up process upon logging in, but they will be prompted each time they log in to set up 2FA until they do so.

The user must also have a valid username and password set.

User Experience

Log in using your Enterprise Health or WebChart login

Enter your Enterprise Health or WebChart Password

Enter the appropriate response to the question, “Does your device support scanning a barcode?” Yes/No and “Which password type would you like to use” Time Based/Counter Based. Users can click the X in the upper right hand corner and bypass setting up the 2FA process. The user will continue to be prompted upon each login to set up 2FA until they do so.

If using a phone or other device with a camera, scan the QR code from your authentication application. (For example, Google authenticator, MS authentication, etc)

Obtain the OTP (One Time Password)/code from the authenticator application.

Enter the OTP (One Time Password) in the Enter the OTP from your device field and then click the Complete Setup button.

A confirmation message will display once the set up is complete.

Super User Approval

Setup

Update to View of 2FA’d Users when Super User is active.

Authorize Help Bubble

Authorize 2FA for Super User access

Successful Authorization

Update to View User when Super User is active and user has been Authorized.

Remove Super User access

Super User authorization successfully revoked

Super User Portlet without Super User access

Super User Portlet with Super User access

User Experience

Enter the OTP from the Super User authorized 2FA device

If OTP is accepted:

NMC 2FA Provisioning

Setup

Addition of Account Security on Member Summary page:

New Account Security Page (More verbiage to follow):

After clicking Setup (TOTP and HOTP available):

After clicking ‘Create’ with barcode ‘Yes’ selected (HOTP and TOTP available) or after clicking ‘Setup’ (HOTP or TOTP only):

After clicking ‘Create’ with barcode ‘No’ selected:

After clicking ‘Complete Setup':

Account Security screen, with 2FA configured (more verbiage to follow):

After clicking ‘Change':

After clicking ‘Disable':

After clicking ‘Setup New Device’ (HOTP and TOTP available) else, barcode screen shows:

User Experience

Login Screen:

After Log On:

After failed Verification (increments failed login count):

Correct Verification code allows login.

Google Authenticator Images

ByPass 2FA OTP

System Administrators may opt to bypass 2FA from certain IP’s. It is recommended that customers have reviewed this feature with their Network IT security department and have authorization before proceeding with configuration. Before enabling, define the IP’s which 2FA is allowed to bypass. This can be done in the IP Settings (Control Panel->System->IP Settings)

Select the Add Acceptable IP Rule link in the upper right hand corner of the screen. Enter the appropriate IP address, Netmask, Timeout, and ensure the Bypass 2FA box is selected, then click Add.

Once the IP address(es) have been added to the IP Settings, enable the “Enable Bypass 2FA OTP” system setting value to “Enabled”.