7.21 Two Factor Authentication

Smile CDR supports Two Factor Authentication using the Time-based One-time Password algorithm defined in RFC 6238.

This algorithm is generally known as TOTP. TOTP uses a mobile device as a soft token: the user registers the service with an authenticator app on their device, and the app then generates short-lived codes that serve as a second factor at login.
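As an added illustration of the RFC 6238 algorithm described above (this is example code, not part of Smile CDR or its documentation), the following Python implements HOTP/TOTP with HMAC-SHA1, a 30-second step and 6 digits, plus the server-side checks a verifier needs: a small clock-skew window, constant-time comparison, and rejection of a code whose time step has already been accepted (replay). The secret bytes used in the comments are the RFC 4226/6238 test-vector key; the `provisioning_uri` helper and its parameters are assumptions for illustration, not a Smile CDR API.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 4226/6238 test-vector secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(key, int(for_time) // step, digits)


def verify_totp(key: bytes, code: str, for_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Return the time-step counter the code matched, or None if it is invalid.

    window: how many steps of clock skew to tolerate on either side.
    last_counter: the most recent counter already accepted for this user; any
    counter at or before it is refused so a captured code cannot be replayed.
    The loop always evaluates every candidate so timing does not leak which
    step (if any) matched.
    """
    if for_time is None:
        for_time = time.time()
    current = int(for_time) // step
    matched: Optional[int] = None
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            matched = candidate
    return matched


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(secret_b32: str) -> bytes:
    """Accept unpadded/lower-case base32 as users often paste it."""
    padded = secret_b32.strip().upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI (assumed layout) that an app enrolls from via QR code."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30"


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA1, 8 digits): T=59 -> 94287082
    print(totp(TEST_SECRET, 59, digits=8))
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.org", "ExampleCDR"))
    print(totp(decode_secret(secret), time.time()))
```

The enrollment flow maps onto these pieces directly: the server stores the secret from `generate_secret`, shows the `provisioning_uri` as a QR code, and only marks TOTP active once `verify_totp` accepts a code from the app; at every later login it must also persist the returned counter as `last_counter`.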

Many free implementations of TOTP exist for mobile devices, making TOTP an excellent low-cost mechanism for enhancing security. Popular implementations include:

7.21.1 User Activating TOTP

Any user account in Smile CDR can be configured with a TOTP key. An overview of the enable flow is shown below:

(Figure: TOTP Flow)

There are different ways that users can go through this flow:

User Activating TOTP via APIs

The JSON Admin API User Management Endpoint provides APIs that can be used to generate keys, confirm keys, and validate codes at runtime.

User Activating TOTP via Web Admin Console

In the Web Admin Console, a logged-in user can click on the Profile link from the menu in the top-right corner of the console. In the profile section there is an option to enable TOTP based Two Factor Authentication.

7.21.2 Enforcing Two Factor Authentication

It is important to note that not all authenticated endpoints presently enforce Two Factor Authentication. The table below lists, per module, whether 2FA is enforced.

Module: Web Admin Console
Enforced: If a user has 2FA enabled for their account, they will be required to enter a code upon each login.

Module: SMART Outbound Security
Enforced: If a user has 2FA enabled for their account, they will be required to enter a code upon each login for a code exchange.

Module: FHIRWeb Console
Enforced: FHIRWeb Console does not currently enforce 2FA, so it should not be enabled for platforms that require 2FA.

Module: FHIR Endpoint
Enforced: FHIR Endpoint modules do not enforce 2FA directly. This means that if the endpoint supports HTTP Basic Auth, correct user credentials will be accepted without requiring a 2FA code, even if the user has 2FA enabled. To enforce 2FA on FHIR endpoints, use OpenID Connect so that the 2FA code is verified at the time the token is issued.