Login security has to be improved for cloud based systems.
I’ve seen a few posts mention 2FA but they all seem to have a commercial bent.
Seems today we should be able to implement a free open-source option.
Has anyone implemented any sort of Multi-factor authentication for openEMR?
Maybe someone knows of an open-source project that has already done this?
I imagine strengthening the login security in several ways, each portion optional/configurable at the admin level:
- Fixed IP whitelist on 2 levels: for the practice and for the user. Login from an IP on the whitelist and the login is the same as it is right now.
- Temporary whitelist: once logged in and a session is created, that IP address is added to a temporary whitelist for a period of time (e.g. 24 hours or perhaps X hours). Kind of like fail2ban but backwards… Second login attempts from the same IP by the same user look just like they do right now - username/password. A second login from a new IP will require another MFA after username/password is entered. That IP address is stored for X hours, and on it goes.
- MFA, by any one of:
  - Knowledge-based - security questions type
  - E-mail link to whitelist the IP
  - Google Authenticator type action, using a free app to send a security code to the user
  - SMS (although very common today, not really needed in my opinion and will fade for small business due to cost)
  - Biometrics (fingerprint? retinal scan? DNA verification?) - the idea is to be able to change with the times…
  - Others that would work for openEMR's userbase.
Please consider adding improved login security to the 5.0.2 Roadmap, even if it is just emailing a link for IP whitelisting.
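As an added example (my code, not openEMR's and not the poster's), here is the decision logic the post sketches: a fixed practice-wide and per-user whitelist, a per-user temporary whitelist that remembers an IP for a configurable number of hours after a successful login, and the rule that a remembered IP gets plain username/password while a new IP needs MFA. The class and function names (LoginPolicy, TEMP_TTL, simulate) and the sample addresses are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Hypothetical illustration of the proposal, not openEMR code: fixed practice and
# per-user whitelists (CIDR strings) plus a temporary per-user whitelist (TEMP_TTL).
TEMP_TTL = timedelta(hours=24)
class LoginPolicy:
    def __init__(self, practice_whitelist, user_whitelists, ttl=TEMP_TTL):
        self.practice = [ip_network(n) for n in practice_whitelist]
        self.users = {u: [ip_network(n) for n in nets]
                      for u, nets in user_whitelists.items()}
        self.ttl = ttl
        self.temp = {}  # (user, ip) -> expiry; keyed per user, not per IP alone

    def _fixed_ok(self, user, ip):
        addr = ip_address(ip)
        return any(addr in n for n in self.practice + self.users.get(user, []))

    def _temp_ok(self, user, ip, now):
        expiry = self.temp.get((user, ip))
        if expiry is None:
            return False
        if now >= expiry:
            del self.temp[(user, ip)]  # expired: forget it, MFA needed again
            return False
        return True

    def mfa_required(self, user, ip, now):
        # True when username/password alone is not enough from this IP.
        return not (self._fixed_ok(user, ip) or self._temp_ok(user, ip, now))

    def record_login(self, user, ip, now):
        # Call once the password (and MFA, if it was required) succeeded.
        self.temp[(user, ip)] = now + self.ttl

def simulate():
    """Walk the post's scenario with constructed sample addresses (RFC 5737)."""
    policy = LoginPolicy(["203.0.113.0/24"], {"drsmith": ["198.51.100.7/32"]})
    t0 = datetime(2024, 1, 1, 9, 0)
    h = lambda n: t0 + timedelta(hours=n)  # n hours after the first login
    steps = {
        "practice_ip": policy.mfa_required("drsmith", "203.0.113.5", t0),
        "own_fixed_ip": policy.mfa_required("drsmith", "198.51.100.7", t0),
        "new_ip_first_time": policy.mfa_required("drsmith", "192.0.2.10", t0),
    }
    policy.record_login("drsmith", "192.0.2.10", t0)  # MFA passed, IP remembered
    steps["same_ip_within_ttl"] = policy.mfa_required("drsmith", "192.0.2.10", h(23))
    steps["other_user_same_ip"] = policy.mfa_required("nurse", "192.0.2.10", h(1))
    steps["same_ip_after_ttl"] = policy.mfa_required("drsmith", "192.0.2.10", h(25))
    return steps
```

The temporary entry is keyed on (user, ip), so a different user from the same address still gets an MFA prompt, and an expired entry is dropped the first time it is checked.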