Difference between revisions of "Multi-factor Authentication"
Harley Tuck (talk | contribs) (added section) |
(→Canceling a user’s MFA: Remove chattyness and vagueness) |
||
Line 36: | Line 36: | ||
== Canceling a user’s MFA == | == Canceling a user’s MFA == | ||
Stephen Waite | [https://community.open-emr.org/t/how-to-turn-off-2fa/21774/3 As per Stephen Waite on the OpenEMR Forum:] | ||
"the OpenEMR GUI offers no way for a system admin to un-do another user's MFA. For example, I am OpenEMR admin on a system, and if a user has activated MFA for themself, I would not be able to de-activate it through the OpenEMR GUI. However, I can do it if I have access to the OpenEMR instance's database." | |||
For example, using a graphical database management utility: | |||
Latest revision as of 06:11, 3 May 2024
Overview
- OpenEMR supports multi-factor authentication. Both TOTP and U2F are supported.
- Use case:
- User can set up multi-factor authentication at user menu->MFA Management (and then follow on screen instructions). When a user (that has configured multi-factor authentication) logins to OpenEMR, user will be required to pass multi-factor authentication. Administrator can see which users are using multi-factor authentication at top menu->Administration->Users (The MFA column in the table shown states 'yes' if the specified user is using multi-factor authentication).
Configure
- User can set up multi-factor authentication at user menu->MFA Management (and then follow on screen instructions):
Use
- When a user (that has configured multi-factor authentication) logins to OpenEMR, user will be required to pass multi-factor authentication:
Audit
- Administrator can see which users are using multi-factor authentication at top menu->Administration->Users (The MFA column in the table shown states 'yes' if the specified user is using multi-factor authentication).
Canceling a user’s MFA
As per Stephen Waite on the OpenEMR Forum:
"the OpenEMR GUI offers no way for a system admin to un-do another user's MFA. For example, I am OpenEMR admin on a system, and if a user has activated MFA for themself, I would not be able to de-activate it through the OpenEMR GUI. However, I can do it if I have access to the OpenEMR instance's database."
For example, using a graphical database management utility:
0. As shown in the ‘Audit’ section in the documentation above, if the user’s entry has ‘yes’ in the MFA column they have it activated.
1. Open the OpenEMR database's 'user' table.
2. Note the value in the ID column (2nd column) of the row for the desired username (rectangle) in the 4th column.
Our desired user's ID is 24.
3. Open the table 'login_mfa_registration' (below)
If the user has MFA set they will have an entry in this table.
And there is user 24 in the oval.
4. Click 'edit', which is a link (oval above)
5. ...then click 'Delete' (oval below).
Click ‘OK’ to confirm you're sure (not pictured) and the table returns without the offending line.
7. Go back to the user’s MFA screen in the EMR and see that show no method is now enabled.