Difference between revisions of "Multi-factor Authentication"
Bradymiller (talk | contribs) (Created page with ":OpenEMR supports multi-factor authentication. Both TOTP and U2F are supported. :User can set up multi-factor authentication at user menu->MFA Management. :Administrator can see ...") |
(→Canceling a user’s MFA: Remove chattyness and vagueness) |
||
(24 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
==Overview== | |||
:OpenEMR supports multi-factor authentication. Both TOTP and U2F are supported. | :OpenEMR supports multi-factor authentication. Both TOTP and U2F are supported. | ||
:User can set up multi-factor authentication at user menu->MFA Management. | |||
:Administrator can see which users are using multi-factor authentication at top menu->Administration->Users (The MFA column in the table shown states ' | :Use case: | ||
::*User can set up multi-factor authentication at user menu->MFA Management (and then follow on screen instructions). When a user (that has configured multi-factor authentication) logins to OpenEMR, user will be required to pass multi-factor authentication. Administrator can see which users are using multi-factor authentication at top menu->Administration->Users (The MFA column in the table shown states 'yes' if the specified user is using multi-factor authentication). | |||
==Configure== | |||
:User can set up multi-factor authentication at user menu->MFA Management (and then follow on screen instructions): | |||
<br> | |||
[[File:mfa-1.png|1000px|border|link=]] | |||
[[File:mfa-2.png|1000px|border|link=]] | |||
[[File:Totp_mfa_502.png|1000px|border|link=]] | |||
[[File:u2f_mfa_502.png|1000px|border|link=]] | |||
<br> | |||
<br> | |||
<br> | |||
==Use== | |||
: When a user (that has configured multi-factor authentication) logins to OpenEMR, user will be required to pass multi-factor authentication: | |||
<br> | |||
[[File:mfa-5.png|1000px|border|link=]] | |||
[[File:mfa-6.png|1000px|border|link=]] | |||
[[File:mfa-7.png|1000px|border|link=]] | |||
<br> | |||
<br> | |||
<br> | |||
==Audit== | |||
:Administrator can see which users are using multi-factor authentication at top menu->Administration->Users (The MFA column in the table shown states 'yes' if the specified user is using multi-factor authentication). | |||
<br> | |||
[[File:mfa-3.png|1000px|border|link=]] | |||
[[File:mfa-4.png|1000px|border|link=]] | |||
<br> | |||
<br> | |||
<br> | |||
== Canceling a user’s MFA == | |||
[https://community.open-emr.org/t/how-to-turn-off-2fa/21774/3 As per Stephen Waite on the OpenEMR Forum:] | |||
"the OpenEMR GUI offers no way for a system admin to un-do another user's MFA. For example, I am OpenEMR admin on a system, and if a user has activated MFA for themself, I would not be able to de-activate it through the OpenEMR GUI. However, I can do it if I have access to the OpenEMR instance's database." | |||
For example, using a graphical database management utility: | |||
0. As shown in the ‘Audit’ section in the documentation above, if the user’s entry has ‘yes’ in the MFA column they have it activated. | |||
1. Open the OpenEMR database's 'user' table. | |||
2. Note the value in the ID column (2<sup>nd</sup> column) of the row for the desired username (rectangle) in the 4<sup>th</sup> column. | |||
Our desired user's ID is 24. | |||
[[Image:unmfa02.png]] | |||
3. Open the table 'login_mfa_registration' (below) | |||
If the user has MFA set they will have an entry in this table. | |||
And there is user 24 in the oval. | |||
[[Image:unmfa03.png]] | |||
4. Click 'edit', which is a link (oval above) | |||
5. ...then click 'Delete' (oval below). | |||
Click ‘OK’ to confirm you're sure (not pictured) and the table returns without the offending line. | |||
[[Image:unmfa04.png]] | |||
7. Go back to the user’s MFA screen in the EMR and see that show no method is now enabled. | |||
[[Image:unmfa06.png]] |
Latest revision as of 06:11, 3 May 2024
Overview
- OpenEMR supports multi-factor authentication. Both TOTP and U2F are supported.
- Use case:
- User can set up multi-factor authentication at user menu->MFA Management (and then follow on screen instructions). When a user (that has configured multi-factor authentication) logins to OpenEMR, user will be required to pass multi-factor authentication. Administrator can see which users are using multi-factor authentication at top menu->Administration->Users (The MFA column in the table shown states 'yes' if the specified user is using multi-factor authentication).
Configure
- User can set up multi-factor authentication at user menu->MFA Management (and then follow on screen instructions):
Use
- When a user (that has configured multi-factor authentication) logins to OpenEMR, user will be required to pass multi-factor authentication:
Audit
- Administrator can see which users are using multi-factor authentication at top menu->Administration->Users (The MFA column in the table shown states 'yes' if the specified user is using multi-factor authentication).
Canceling a user’s MFA
As per Stephen Waite on the OpenEMR Forum:
"the OpenEMR GUI offers no way for a system admin to un-do another user's MFA. For example, I am OpenEMR admin on a system, and if a user has activated MFA for themself, I would not be able to de-activate it through the OpenEMR GUI. However, I can do it if I have access to the OpenEMR instance's database."
For example, using a graphical database management utility:
0. As shown in the ‘Audit’ section in the documentation above, if the user’s entry has ‘yes’ in the MFA column they have it activated.
1. Open the OpenEMR database's 'user' table.
2. Note the value in the ID column (2nd column) of the row for the desired username (rectangle) in the 4th column.
Our desired user's ID is 24.
3. Open the table 'login_mfa_registration' (below)
If the user has MFA set they will have an entry in this table.
And there is user 24 in the oval.
4. Click 'edit', which is a link (oval above)
5. ...then click 'Delete' (oval below).
Click ‘OK’ to confirm you're sure (not pictured) and the table returns without the offending line.
7. Go back to the user’s MFA screen in the EMR and see that show no method is now enabled.