Securing OpenEMR, 2FA?


(Cyril) #1

I’m looking into securing the existing OpenEMR installation, considering adding 2FA. What are the additional steps you take to secure the installation? (This is for the general users who’d be logging into the system)


(Dan Ehrlich) #2

Cyril:

2FA is one of the top priorities for OpenEMR and extremely important to me personally (am a cybersecurity engineer).

There is code we have already written that allows a user or admin to use U2F keys like YubiKey. They are highly secure, but the drawback is that they aren’t super common / cost $20+ each.

The next 2FA being added will use TOTP 2FA where you scan a QR code and then get a 6 digit rotating number on your phone. It will not be SMS text message based 2FA.

I am either going to write the code myself / find someone / pay someone to write it within 2 months and then deploy immediately on the next release.

QUICK QUESTION: where are you located out of and how many users do you have using the system now?


(Cyril) #3

Hello Dan,

Yeah that is quite understandable, I am at the moment looking into integrating 2FA to OpenEMR (literally at the moment looking at the code for it). The TOTP 2FA is the commonly looked after feature for it I guess.

That is quite exciting to hear, would you be able to help me out with it? (I’m trying to figure out where the authentication happens (the username and pw from the form are validated from the database).)

I’m at the moment in the US, but the system is being used in Sri Lanka (roughly 100+ users).


(Dan Ehrlich) #4

Cyril:

Can you message me on the chat server? I didn’t fully understand your question (couple of ways of interpreting it).

https://chat.open-emr.org


(Pete Boyd) #5

Hi Dan, I’m new to OpenEMR and intending to deploy it in a situation that would be best suited to 2FA. You said “I am either going to write the code myself / find someone / pay someone to write it within 2 months and then deploy immediately on the next release”. Do you have a status update on any progress with this please?

Thanks


(Dan Ehrlich) #6

Hey Pete:

Funny you should ask…

I did wind up paying someone, and they committed most of their code here 6 days ago: https://github.com/openemr/openemr/pull/2250

This should be rolled into the next release. I’m not sure when that will happen, but my guess is within the next month?

Brady Miller can comment for more context because ultimately he’ll pull the trigger.


(Pete Boyd) #7

That’s great news on both counts. It will really help the project I’m working on move forward. Thanks


(Brady Miller) #8

hi,
Hopefully this will be in the codebase within the next week.
-brady


(ViSolve) #9

Will this meet your requirement?
https://www.visolve.com/hc/openemr-pro/2fa.html