Multi-factor Authentication

From OpenEMR Project Wiki
Revision as of 21:47, 4 January 2024 by Harley Tuck (talk | contribs) (adding section)

Overview

OpenEMR supports multi-factor authentication. Both TOTP and U2F are supported.
Use case:
  • User can set up multi-factor authentication at user menu->MFA Management (and then follow on screen instructions). When a user (that has configured multi-factor authentication) logins to OpenEMR, user will be required to pass multi-factor authentication. Administrator can see which users are using multi-factor authentication at top menu->Administration->Users (The MFA column in the table shown states 'yes' if the specified user is using multi-factor authentication).

Configure

User can set up multi-factor authentication at user menu->MFA Management (and then follow on screen instructions):


Mfa-1.png Mfa-2.png Totp mfa 502.png U2f mfa 502.png


Use

When a user (that has configured multi-factor authentication) logins to OpenEMR, user will be required to pass multi-factor authentication:


Mfa-5.png Mfa-6.png Mfa-7.png


Audit

Administrator can see which users are using multi-factor authentication at top menu->Administration->Users (The MFA column in the table shown states 'yes' if the specified user is using multi-factor authentication).


Mfa-3.png Mfa-4.png


Canceling a user’s MFA

Stephen Waite informed the forum the other day...

(https://community.open-emr.org/t/how-to-turn-off-2fa/21774/3)

...that the OpenEMR GUI offers no way for a system admin to un-do another user's MFA. For example, I am OpenEMR admin on a system, and if a user has activated MFA for themself, I would not be able to de-activate it through the OpenEMR GUI. However, I can do it if I have access to the OpenEMR instance's database.

My MySQL is not up to the task so I won't offer a query to do the job. But the query would say something to the effect of,

"delete the row in table 'login_mfa_registration' that has user_id = [desired user id]"


But here’s a somewhat easier method, using a graphical database management utility (phpMyAdmin, adminer, etc). I used adminer.


0. As shown in the ‘Audit’ section in the documentation above, if the user’s entry has ‘yes’ in the MFA column they have it activated.


1. Open the OpenEMR database's 'user' table.


2. Note the value in the ID column (2nd column) of the row for the desired username (rectangle) in the 4th column.

Our desired user's ID is 24.

Unmfa02.png


3. Open the table 'login_mfa_registration' (below)

If the user has MFA set they will have an entry in this table.

And there is user 24 in the oval.

Unmfa03.png


4. Click 'edit', which is a link (oval above)


5. ...then click 'Delete' (oval below).

Click ‘OK’ to confirm you're sure (not pictured) and the table returns without the offending line.

Unmfa04.png


7. Go back to the user’s MFA screen in the EMR and see that show no method is now enabled.


Unmfa06.png