Securing OpenEMR, 2FA?


(Cyril) #1

I’m looking into securing the existing OpenEMR installation, considering adding 2FA. What are the additional steps you take to secure the installation? (This is for the general users who’d be logging into the system)


(Dan Ehrlich) #2

Cyril:

2FA is one of the top priorities for OpenEMR and extremely important to me personally (I am a cybersecurity engineer).

There is code we have already written that allows a user or admin to use U2F keys like a Yubikey. They are highly secure, but the drawback is that they aren’t super common and cost $20+ each.

The next 2FA being added will use TOTP 2FA where you scan a QR code and then get a 6 digit rotating number on your phone. It will not be SMS text message based 2FA.

I am either going to write the code myself, find someone, or pay someone to write it within 2 months and then deploy it immediately in the next release.

QUICK QUESTION: where are you located, and how many users do you have using the system now?


(Cyril) #3

Hello Dan,

Yeah, that is quite understandable. I am at the moment looking into integrating 2FA into OpenEMR (literally looking at the code for it right now). TOTP 2FA is the commonly sought-after feature for it, I guess.

That is quite exciting to hear; would you be able to help me out with it? (I’m trying to figure out where the authentication happens, i.e. where the username and password from the form are validated against the database.)

I’m in the US at the moment, but the system is being used in Sri Lanka (roughly 100+ users).


(Dan Ehrlich) #4

Cyril:

Can you message me on the chat server? I didn’t fully understand your question (there are a couple of ways of interpreting it).

https://chat.open-emr.org