Wanted to mention that I’m working on 2FA using FIDO U2F, that is, a USB device such as the Security Key by Yubico or the similar product from Key-ID. After a normal OpenEMR login you would be prompted to use the physical key to further verify your identity.
This particular type of device is attractive because it’s effective and cheap, around $10. The work should also be adaptable to other 2FA methods.
Rod, great job developing and implementing a Multi-Factor Authentication feature in 5.0.2. Thank you. Among the U2F device examples you provide on GitHub, one of them is ‘Security Key by Yubico’. I wonder if you have also worked with and tested Yubico’s YubiKey 5 NFC USB device?
Since this YubiKey 5 NFC U2F device also has full support, including FIDO2 and U2F, it should be fully transparent and compatible for use with OpenEMR's latest version, 5.0.2. Any affirmation, advice and comments are appreciated. Thanks.
I love this concept for login security. Still though, it takes me back to the days of RS232 dongles for software decrypt. Always fun to hack :)
What’d be even cooler is to add a thumbprint scanner to the USB stick, ensuring ownership of the key drive.
There are FIDO keys with built-in fingerprint readers, but to be totally honest I actually believe the PIN code option is more secure (the trouble with fingerprint readers is that they are likely to be covered in the very fingerprints that are meant to be preventing access by others). Whilst it is true there are still hurdles that would need to be overcome, it is clearly a security weakness (especially as the user cannot change his fingerprint).