Portal self-registration verification timeout and EU domain

Hi Folks-
Working with an OpenEMR with a .de domain, trying to set up self-registration from the portal, and I’m having problems getting the email address verified.

The google reCaptcha simply times out without verification and this error:
image

In the process of checking this out I ran across some articles talking about how google’s reCaptcha security does not meet EU requirements, so I’m wondering a few things:

  1. Does it look like that timeout could be related to an EU domain/reCaptcha conflict?
  2. In the OpenEMR portal globals, when it says, ‘Google reCAPTCHA V2 site key’ does that imply that it won’t accept any of the EU-compatible captcha tools?
  3. If so, what are the options for making an OpenEMR.de portal do self-registration?

Thanks!

  • Harley

I don’t know concerning Google; you’ll need to research with them. Perhaps you need an account set up for EU.
Whatever the case, this is not an OpenEMR bug but perhaps a limitation we need to visit.
Let me know what you come up with and thanks for taking the time to bring this up.

Would love to be corrected on this, but according to my searches the results look pretty consistent: The use of Google reCAPTCHA can be made to be compatible with GDPR requirements, but it mostly is a case of getting consent from users to do the info processing that GDPR bans. But if they consent to it, it’s ok. Multiple EU-compatible bot-blockers exist (just search on ‘recaptcha alternative’) but I guess OpenEMR doesn’t work with them.

‘As we’ll consider below, it might be impossible to use reCAPTCHA legally under EU law, but no data protection authority has said this.’

lots of legal requirements to use recaptcha legally

details on how to use it legally

So, it seems like changing OpenEMR’s ‘recaptcha-only’ capability so it handles any arbitrary bot-blocker would do the trick. Or, if only one is to be used, find one of the alternatives that works in the US in addition to the rest of the world. But of course I haven’t the least clue what that would involve from a dev perspective.

  • HT

Hi,
Could make a global that turns off this requirement, if needed (would have this default to keep the captcha on, so admins would need to explicitly turn it off, since it is there for security purposes).

Thanks for the research, Harley. I’m rethinking portal log in by perhaps issuing a token or two factor or custom using our authentication server.
But for now I’ll set up a global as Brady suggests to turn on/off reCaptcha by admin’s choice. On by default. Next patch.

Yer welcome for the research 🙂
So the global recaptcha switch being off would not prevent self-registration through the portal, would it? Although that self-registration would be unsecured.
I’m interested in self-registration, not only logging into the portal.

  • HT

Correct, however just not as secure as with.
I’m going to revisit the whole process once I get to it.