Two Factor Authentication
Smile CDR supports Two Factor Authentication using the Time-based One-time Password algorithm defined in RFC 6238.
This algorithm is generally known as TOTP. TOTP uses a mobile device as a soft token: the user registers the service with an authenticator app on their device, and the app then generates short-lived codes that serve as a second factor at login.
Many free implementations of TOTP exist for mobile devices, making TOTP an excellent low-cost mechanism for enhancing security. Popular implementations include:
Any user account in Smile CDR can be configured with a TOTP key. An overview of the enable flow is shown below:
There are different ways that users can go through this flow:

- The JSON Admin API User Management Endpoint provides APIs that can be used to generate keys, confirm keys, and validate codes at runtime.
- In the Web Admin Console, a logged-in user can click on the Profile link from the menu in the top-right corner of the console. In the profile section there is an option to enable TOTP-based Two Factor Authentication.
It is important to note that not all authenticated endpoints presently enforce Two Factor Authentication.
| Module | 2FA enforcement |
|---|---|
| Web Admin Console | If a user has 2FA enabled for their account, they will be required to enter a code upon each login. |
| SMART Outbound Security | If a user has 2FA enabled for their account, they will be required to enter a code upon each login for a code exchange. |
| FHIRWeb Console | The FHIRWeb Console does not currently enforce 2FA, so the FHIRWeb Console should not be enabled on platforms that require 2FA. |
| FHIR Endpoint | FHIR Endpoint modules do not enforce 2FA directly. This means that if the endpoint supports HTTP Basic Auth, correct user credentials will be accepted without requiring a 2FA code, even if the user has 2FA enabled. To enforce 2FA on FHIR endpoints, OpenID Connect should be used so that the 2FA code is verified at the time the token is issued. |