Multi-factor Authentication

Login security has to be improved for cloud based systems.

I’ve seen a few posts mention 2FA but they all seem to have a commercial bent.
Seems today we should be able to implement a free open-source option.
Has anyone implemented any sort of Multi-factor authentication for openEMR?
Maybe someone knows of an opensource project that has already done this?

I imagine strengthening the login security in several ways, each portion optional/configurable at the admin level:

  1. Fixed ip whitelist on 2 levels: for the practice and for the user.
    Login from an IP on whitelist and the login is the same as it is right now

  2. Temporary whitelist
    Once logged in and a session is created, that IP address is added to a temporary whitelist, for a period of time (eg. 24 hours or perhaps X hours).
    Kind of like fail2ban but backwards…
    Second login attempts from the same IP by the same user look just like it is right now - username/password.
    A second login from a new IP will require another MFA after username/password is entered.
    That IP address is stored for X hours, and on it goes

  3. MFA
    Knowledge-based - security questions type
    OR
    E-mail link to whitelist IP.
    OR
    Google authenticator type action, using free app to send security code to user
    OR
    SMS (although very common today, not really needed in my opinion and will fade for small business due to cost)
    OR
    Biometrics - ?fingerprint, retinal scan, DNA verification - idea is to be able to change with the times…
    OR
    Others that would work for openEMR’s userbase.

Please consider adding improved login security to the 5.0.2 Roadmap, even if it is just emailing a link for IP whitelisting.
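To make the three tiers above concrete, here is an added illustration in Python of the policy being proposed. It is not openEMR code and was not posted by anyone in this thread; it assumes an in-memory store, a 24-hour temporary whitelist, a 15-minute lifetime for e-mail whitelist links, and placeholder IP ranges from the documentation blocks (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24). The second factor is a standard RFC 6238 TOTP check, which is what "Google Authenticator type" apps generate, and the e-mail link path whitelists an IP without a code.

```python
"""Login policy sketch for the proposal above (added illustration, not openEMR code):
fixed IP whitelists (practice and per-user), a temporary per-user/IP whitelist that
expires after X hours, a TOTP second factor (RFC 6238) and an e-mail link that
whitelists an IP."""
import base64
import hashlib
import hmac
import ipaddress
import secrets
import struct


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the code an authenticator app shows."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, skew_steps: int = 1) -> bool:
    """Accept the current step and +/- skew_steps for clock drift; each
    comparison is constant-time so a wrong code leaks nothing about the right one."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * 30), code)
        for k in range(-skew_steps, skew_steps + 1)
    )


class LoginPolicy:
    LINK_TTL = 15 * 60  # assumed lifetime of an e-mail whitelist link (seconds)

    def __init__(self, practice_nets, user_nets, temp_hours=24):
        # Tier 1: fixed whitelists at practice level and per user.
        self.practice = [ipaddress.ip_network(n) for n in practice_nets]
        self.users = {u: [ipaddress.ip_network(n) for n in nets]
                      for u, nets in user_nets.items()}
        # Tier 2: temporary whitelist, keyed by (user, ip), expiring after X hours.
        self.temp_seconds = temp_hours * 3600
        self.temp = {}    # (user, ip) -> expiry (epoch seconds)
        self.links = {}   # e-mail link token -> (user, ip, expiry)

    def on_fixed_whitelist(self, user, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.practice + self.users.get(user, []))

    def needs_mfa(self, user, ip, now):
        if self.on_fixed_whitelist(user, ip):
            return False
        return now >= self.temp.get((user, ip), 0)

    def login(self, user, ip, password_ok, now, totp_code=None, totp_secret=None):
        """Returns 'ok', 'mfa_required' or 'denied'. A successful login
        (re)adds this user/IP pair to the temporary whitelist."""
        if not password_ok:
            return "denied"
        if self.needs_mfa(user, ip, now):
            if totp_code is None:
                return "mfa_required"
            if totp_secret is None or not verify_totp(totp_secret, totp_code, now):
                return "denied"
        self.temp[(user, ip)] = now + self.temp_seconds
        return "ok"

    def issue_email_link(self, user, ip, now):
        """Token to embed in the e-mailed link; bound to the user and IP it was issued for."""
        token = secrets.token_urlsafe(32)
        self.links[token] = (user, ip, now + self.LINK_TTL)
        return token

    def redeem_email_link(self, token, now):
        """Single-use: clicking the link whitelists the bound IP for X hours."""
        entry = self.links.pop(token, None)
        if entry is None or now >= entry[2]:
            return False
        user, ip, _ = entry
        self.temp[(user, ip)] = now + self.temp_seconds
        return True
```

A real deployment would keep `temp` and `links` in the database rather than memory, store each user's TOTP secret encrypted, and treat the practice network as a whitelist only when the office egress IP is genuinely static.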

MFA would definitely be a great feature. But the cloud can be secured if done properly, which includes mostly locking down your access to your static IP at work, or using a VPN to tunnel in.

Thanks @robert.down for the VPN advice for the openemr portion.
I have staff using their phones and laptops logging in from a variety of IPs, some fixed and some dynamic.
That was why I was thinking about temporary IP whitelists or similar MFA.
I imagine maintaining VPNs on all their devices would be an IT headache?
It was a hassle just adding our secure mail server to their phones…

Also how about the portal? I’m noticing my personal physicians who have Apps for their portal are all starting to require MFA, the most common on the iPhone being the fingerprint (like banks too).
I know there is no App (yet) but once e-mail confirmation is assured, isn’t it just a username/password? (I’m not using the new portal yet so I’m not sure)

This is not really in my wheelhouse and judging by the FHIR and docker solutions out there I’m sure there are gurus in our community who have thought about this, or perhaps implemented it elsewhere?
We need to be a step ahead of the hackers. I think we need it even though we don’t know it yet.
And in the end, I think it should all be optional. No sense in doing this if the server is in house with no internet connection…

Really am not too ready to talk about 2F but I have done some research for FHIR. It is my intention that when I do it for FHIR I will also do it for OpenEMR. The biggest hurdle will be the authentication server but there are several open source libraries available. I just need to get back on FHIR here soon. Although, I certainly would not complain if someone were to take it up:)

I’m not against MFA by any means, it’d be a great feature and would definitely beef up security. I tend to fall on the side of security, which means I’d want physicians that access PHI from their phones to be running under VPN. Perhaps @jesdynf has some insight into streamlined ways of doing this. It may not be as hard as you think.

From what I can tell, there are a few methods for handling MFA; we really just need a security guru to take charge, do an analysis and provide a plan.

Free (virtual) MFA is entirely feasible and well within the range of what we can do — it was /intended/ to be the first project I had planned to undertake, but I got distracted with some documentation and things sort of got out of hand.

What I envision is a whitelist of IPs that don’t require MFA (the office), and then MFA access for remote providers.


@R Magauran:
You have a very valid business request.
As everyone is concerned about security and privacy, this is definitely a MUST enhancement.

As a starter, if none is available with opensource, we can provide one. Just checking if some solution is already there or not!
-ViSolve Open Source Support Team
