15.18.1 Two Factor Authentication

Smile CDR supports Two Factor Authentication using the Time-based One-time Password algorithm defined in RFC 6238.

This algorithm is generally known as TOTP. TOTP works by using a mobile device as a soft token, where the user is required to register a service with an app on their device, and the app then generates codes that can be used as a second factor for login.

Many free implementations of TOTP exist for mobile devices, making TOTP an excellent low-cost mechanism for enhancing security. Popular implementations include:

15.18.2 User Activating TOTP

Any user account in Smile CDR can be configured with a TOTP key. An overview of the enable flow is shown below:

(Figure: TOTP Flow)

There are different ways that users can go through this flow:

15.18.2.1 User Activating TOTP via APIs

The JSON Admin API User Management Endpoint provides APIs that can be used to generate keys, confirm keys, and validate codes at runtime.
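
The enable flow described above (generate a key, confirm the first code, then validate codes at runtime) is illustrated below with a self-contained implementation of RFC 6238 TOTP. This is an added example, not Smile CDR's code and not the JSON Admin API; the function names (generate_key, provisioning_uri, verify_code) and the Base32 key format, 30-second step, 6-digit codes and a one-step skew window are assumptions that match what common authenticator apps expect. The 8-digit test vector used in the demo is the one published in RFC 6238 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step (assumed here)
DIGITS = 6          # code length used by most authenticator apps (assumed here)


def hotp(key: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = DIGITS,
         step: int = STEP_SECONDS, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits, algo)


def encode_key(raw: bytes) -> str:
    """Base32 without padding, the form authenticator apps accept in otpauth URIs."""
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def decode_key(b32_key: str) -> bytes:
    padded = b32_key + "=" * (-len(b32_key) % 8)
    return base64.b32decode(padded, casefold=True)


def generate_key(num_bytes: int = 20) -> str:
    """Step 1 of the enable flow: a fresh random key (160 bits, per RFC 4226 advice)."""
    return encode_key(secrets.token_bytes(num_bytes))


def provisioning_uri(b32_key: str, account: str, issuer: str) -> str:
    """Step 2: the otpauth:// URI that is normally rendered as the QR code the user scans."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32_key}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def verify_code(b32_key: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Step 3: confirm the first code during enrolment and validate codes at login.

    Accepts the current step plus `window` steps either side to tolerate clock skew,
    compares in constant time, and rejects anything that is not exactly DIGITS digits.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    key = decode_key(b32_key)
    counter = unix_time // STEP_SECONDS
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Run every comparison so timing does not reveal which step matched.
        if hmac.compare_digest(hotp(key, c), submitted):
            ok = True
    return ok


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: ASCII key "12345678901234567890", T=59, SHA1, 8 digits.
    rfc_key = b"12345678901234567890"
    print(totp(rfc_key, 59, digits=8))  # 94287082

    # Constructed enrolment walk-through with a fresh key.
    b32 = generate_key()
    print(provisioning_uri(b32, "alice@example.org", "ExampleCDR"))
    now = 1_700_000_000  # constructed timestamp
    first_code = totp(decode_key(b32), now)
    print("confirm:", verify_code(b32, first_code, now))
```

Note that a production validator should also remember the last counter accepted for each user and refuse a code at or below it, so that a code observed in transit cannot be replayed within the skew window.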

15.18.2.2 User Activating TOTP via Web Admin Console

In the Web Admin Console, a logged-in user can click on the Profile link from the menu in the top-right corner of the console. In the profile section there is an option to enable TOTP-based Two Factor Authentication.

15.18.3 Enforcing Two Factor Authentication

It is important to note that not all authenticated endpoints presently enforce Two Factor Authentication.

For users who have not yet configured Two-Factor Authentication, it is enforced via the config key 2fa.required. When this key is set, any user who provides correct credentials is redirected to the 2FA prompt on login, whether or not 2FA has already been set up for that user.

If the user is not yet set up for Two-Factor Authentication, they are redirected on login to an Enable Two-Factor Authentication page, where they are prompted to enable Two-Factor Authentication, scan a QR code, and enter the resulting code for the first time, matching the functionality of the User Profile page.

Once Two-Factor Authentication has been enabled, the user will be able to click on a "Start" button to begin using the WAC.

Enforcement by module:

Module: Web Admin Console
Enforced: If a user has 2FA enabled for their account, they will be required to enter a code upon each login.

Module: SMART Outbound Security
Enforced: If a user has 2FA enabled for their account, they will be required to enter a code upon each login for a code exchange.

Module: FHIRWeb Console
Enforced: FHIRWeb Console does not currently enforce 2FA, so it should not be enabled for platforms that require 2FA.

Module: FHIR Endpoint
Enforced: FHIR Endpoint modules do not enforce 2FA directly. This means that if the endpoint supports HTTP Basic Auth, correct user credentials will be accepted without requiring a 2FA code even if the user has 2FA enabled. For enforcement of 2FA on FHIR endpoints, OpenID Connect should be used so that the 2FA code can be verified at the time that the token is issued.