Failed MFA authentication attempts not logged in audit trail (ASVS 16.3.1 / CWE-223)

:sparkles:

While reviewing OpenEMR’s authentication logging behavior, I noticed that failed MFA attempts (TOTP, U2F, and OAuth2) are not recorded in the audit log. Only successful logins and password failures are currently logged.

This appears to be a gap against ASVS 16.3.1, which requires all authentication operations - including unsuccessful attempts - to be logged along with metadata such as the authentication type used. This maps to CWE-223: Omission of Security-relevant Information.

I’ve submitted a PR that adds audit log entries for each of these failure cases, including the username, auth group, client IP, and MFA type: feat(auth): add audit logging for failed TOTP, U2F, and OAuth2 MFA attempts by aanand-1706 · Pull Request #11912 · openemr/openemr · GitHub

Would appreciate any feedback from the community, especially on whether the logging approach aligns with how similar events are handled elsewhere in the codebase.

This is my first contribution to OpenEMR, so any guidance on the approach is very welcome. :smiley: