Two-Factor Authentication?

jesdynf wrote on Friday, November 25, 2016:

Hello,

Is anyone interested in users being configured to use two-factor authentication to log in? I’m looking at using OpenEMR in the context of a non-profit providing telementalhealth services, with remote, offsite providers interacting with patients and headquarters, and 2FA seems the minimum I’d be comfortable with to allow remote access to OpenEMR.

I’d be happy to take a crack at patching it in myself, if anybody thinks it’s something they’d like to see. I know that OpenEMR would need a lot more customization than that to be what I’m envisioning, but this is as good a starting point as any.

Thanks!

bradymiller wrote on Saturday, November 26, 2016:

Hi Asher,

Definitely feel free to take a crack at it. Anything to improve security would be a useful addition to the codebase. And always feel free to ask questions regarding git, codebase, and anything else.

Also check out here for some guidance on OpenEMR security:
http://www.open-emr.org/wiki/index.php/Securing_OpenEMR

thanks,
-brady
OpenEMR

jesdynf wrote on Sunday, November 27, 2016:

Thanks, Brady! No promises – I don’t have a strong PHP background, to put it gently – but I don’t think it should be too hard to slip in, since it’s just a tweak to the login flow, the initial 2FA setup, and a couple user fields and the buttons to administer them.

bradymiller wrote on Sunday, November 27, 2016:

Sounds great and always feel free to ask any questions along the way.
-brady

sunsetsystems wrote on Tuesday, December 06, 2016:

Are you thinking SMS for the additional authentication method?

As an alternative consider configuring to use client SSL certificates. This authenticates the browser to the host and does not require any change to OpenEMR. It’s a 1-time certificate installation for each client PC, but is a lot less hassle than dealing with something like SMS for each login.

Rod
http://www.sunsetsystems.com/

jesdynf wrote on Sunday, December 11, 2016:

No, Rod, I was thinking token-based 2FA with Google Authenticator or a similar tool. I can pull in libraries to make a QR code a suitable app can scan in. No SMS costs and no having to try to walk remote users through certificate installations or renewals, you just touch the app and get the 2FA code.

I have messed with client certificates before, and I really loathe them, and that was when I had complete control over the webserver and the client devices in question.

I would add IP locks, to allow you to create two classes of users, administrative users in a central office who didn’t need 2FA because they’re coming from a whitelisted netmask, and then the remote users who can’t complete a login without configured 2FA.
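The login flow sketched in the post above (a Google Authenticator style TOTP second factor enrolled by QR code, plus a trusted-netmask bypass for office users), written out as an added example. This is not OpenEMR code and not the poster's patch; it is a stand-alone Python demonstration of RFC 6238 TOTP over RFC 4226 HOTP with a clock-skew window and replay protection. The secret is the RFC 6238 test key, the trusted network ranges and the issuer name are assumptions, and a real deployment would keep the last-used counter per user in the database rather than passing it around.

```python
"""Added example (not OpenEMR's code): TOTP second factor per RFC 6238 with a
trusted-network bypass, as proposed in the thread above."""
import base64
import hashlib
import hmac
import ipaddress
import secrets
import struct
import time
import urllib.parse

STEP = 30        # time step in seconds (Google Authenticator default)
DIGITS = 6
WINDOW = 1       # accept one step of clock skew either side

# Assumed headquarters ranges: logins from here skip the second factor.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]

# RFC 6238 test key, base32-encoded as authenticator apps expect (constructed for the demo).
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def new_secret(nbytes: int = 20) -> str:
    """Random per-user shared secret, base32 without padding for the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str = "OpenEMR") -> str:
    """otpauth:// URI that a QR-code library would render for enrolment."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode(
        {"secret": secret, "issuer": issuer, "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{params}"


def hotp(secret: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: str, at=None) -> str:
    """Code for the current (or given) Unix time."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // STEP)


def verify_totp(secret: str, code: str, at=None, last_used: int = -1):
    """Return the time-step counter the code matched, or None.

    Counters at or below last_used are refused, so a code that was already
    accepted cannot be replayed inside the skew window. The caller persists
    the returned counter as the user's new last_used value."""
    t = int(time.time()) if at is None else at
    counter = t // STEP
    for delta in range(-WINDOW, WINDOW + 1):
        candidate = counter + delta
        if candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


def needs_second_factor(client_ip: str) -> bool:
    """Office users on a trusted netmask skip 2FA; everyone else must present it."""
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in net for net in TRUSTED_NETS)


def login_decision(client_ip: str, totp_secret: str, code: str, at=None, last_used: int = -1):
    """Second-factor policy after the password check has already passed.

    Returns (allowed, new_last_used). A remote user with no enrolled secret
    cannot complete a login at all, as the post above requires."""
    if not needs_second_factor(client_ip):
        return True, last_used
    if not totp_secret:
        return False, last_used
    matched = verify_totp(totp_secret, code, at, last_used)
    if matched is None:
        return False, last_used
    return True, matched


if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "asher@example.org"))
    print("current code:", totp(RFC_SECRET))
```

The constant-time compare and the `last_used` counter are the two details most often left out of home-grown TOTP checks; without the latter, a code phished or shoulder-surfed in the last 30 seconds still works once more.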

mdsupport wrote on Monday, December 12, 2016:

It would also be good if we give patients an option to log in with their Google OAuth as long as their email address matches, and maybe have a flag that indicates consent by the user has been recorded.

sunsetsystems wrote on Monday, December 12, 2016:

Thanks Asher. So your problem with client certificates was that users had a hard time installing them? What I really like about them is they protect against security vulnerabilities in OpenEMR or any other web app on the server in question.

Rod
http://www.sunsetsystems.com/

jesdynf wrote on Wednesday, December 14, 2016:

You’re not wrong, Rod, but I think client certs are beside the point anyway, because I’m not sure how much support for client certs it’d be appropriate to bake /into OpenEMR/. If you really want signed client certs you can break out the CA tools and grind them out, then configure Apache SSL to require them – you don’t need a developer to add anything, and nothing I’m proposing would make it harder to implement them.
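For reference, the Apache side of the client-certificate approach Rod and Asher are discussing, as an added example rather than anything from the thread or the OpenEMR project. It assumes a private CA at /etc/ssl/openemr-ca/ that issues staff certificates, the hostname emr.example.org, and the organisation name "Example Clinic" in the certificates' subject; all of these are placeholders.

```apacheconf
# Added example, not OpenEMR configuration. Paths, hostname and org name are assumed.
<VirtualHost *:443>
    ServerName emr.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/private/emr.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/emr.example.org.key

    # Only certificates chaining to our own CA are trusted for client auth.
    # Public CAs are deliberately absent from this file.
    SSLCACertificateFile  /etc/ssl/openemr-ca/ca.crt
    SSLCARevocationFile   /etc/ssl/openemr-ca/ca.crl
    SSLCARevocationCheck  chain

    # 'require' fails the TLS handshake without a valid client certificate,
    # so an unauthenticated browser never reaches PHP at all. Set at vhost
    # level so no mid-connection renegotiation is needed.
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location "/openemr">
        # Belt and braces: also insist the certificate was issued to our organisation.
        Require expr "%{SSL_CLIENT_S_DN_O} == 'Example Clinic'"
    </Location>
</VirtualHost>
```

Two operational points worth deciding up front: issue one certificate per person rather than per shared PC, so a departure or lost laptop is handled by revoking a single certificate and regenerating the CRL, and keep the CA's signing key off the web server entirely, since anyone who can read it can mint themselves a way through the gate.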