Configuring Multi-Factor Authentication
Multi-Factor Authentication provides the Enterprise an additional layer of security for user log ins, as it requires the user who is logging in to provide an additional verification method. When enabled, users are required to enter a One Time Passcode, which they receive via Text or Email, into an Authorization Required form after entering their User ID and Password.
Please review the Before You Begin help file before doing any Multi-Factor Authentication configuration.
Permissions
The following permissions may be needed for various steps in the configuration and audit of this feature:
- Enterprise Configuration
- Center Configuration
- User Profile / Password Reset
- Employee Profile
- Physician Profile
- Reports – Center List Reports (CT6021)
- Utility – Data Import
- Utility – Data Export
Enterprise Configuration
HST Support personnel can work with clients to enable Multi-Factor Authentication and determine the best configuration for the center’s Enterprise. These options are only accessible by HST Support.
Below is an explanation of each of the options and how they affect Multi-Factor Authentication for the Enterprise.
Option | Description / Action / Rules |
Enable | This check box defaults to OFF. When it is OFF, Multi-Factor Authentication cannot be used for any Center in the Enterprise. When it is ON, all of the Multi-Factor Authentication options become enabled so that the rest of the settings can be configured. Please review the Before You Begin help file prior to having this feature enabled. |
Require for All Centers | This check box defaults to OFF and is optional. It defines whether all Centers are automatically opted in to MFA or whether they are opted in individually. When Require for All Centers is OFF and Enable is ON, each Center in the Enterprise can access Center Configuration and turn MFA ON or OFF for that Center without HST Support intervention. When Require for All Centers is ON and Enable is ON, all Centers are automatically opted in to MFA and it cannot be turned OFF at the Center Configuration level. See Center Configuration for more details. This option allows Enterprise Administrators with many Centers to turn on MFA at each Center incrementally, which helps avoid a large influx of calls to their help desk for user access issues. See the Before You Begin help file for information on rolling out MFA. |
User Default | This is required and can be either Email or Text. It defaults to Email when MFA is initially configured. This option acts only as a default setting for the user’s first log in after MFA has been enabled for the Enterprise to which the user is logging in. For example, if this setting is Email and the user does not have a viable email on their first log in attempt after MFA is enabled, the system automatically changes the user’s default to Text. If the user has no viable option for MFA authentication, they will not be able to log in. “…Using a phone number as the primary way to prove account ownership is faster than email and more accurate.” 1 |
Remember Me (In Days) | This is configurable and required, and the value must be greater than zero (0). The default is 30. This option defines how long, in days, the user is remembered before needing to re-authenticate upon log in. It is only enforced for users who have permissions to Centers in the Enterprise that have MFA set to ON at the Center level, either by manually enabling the Center MFA option or by automatically opting in all Centers using Require for All Centers above. |
Code Expiration (In Min) | This is configurable and required; it defaults to 10 and the value must be a number from 1 through 99. This option defines the number of minutes the One Time Passcode (OTP) can be used before it expires. If a code expires, the user needs to get a new One Time Passcode by clicking the Resend button on the Authentication dialog or by attempting to log in again, which generates a new OTP. See Authentication Dialog for more details on using the Resend button. |
Max Attempt Limit | This is configurable and required, and the value can be a number from 1 through 10. The default is 3. This option defines the number of passcodes the user can get before their account becomes locked. Once the Max Attempt Limit has been reached, the account is locked and can only be reset by another user who has access to User Profile > Password Reset. See the Unlocking Accounts help file for details. |
Security Code Length | This is configurable and required, and the value can be a number from 6 through 10. The default is 6. This option defines the length of the One Time Passcode. “…The most common method for confirming a working [mobile] number belongs to the account holder is by sending a one-time code—usually a 4-to-6 digit token—via SMS and asking the recipient to enter that code back into the application. Using a phone number, in conjunction with two-factor authentication (2FA) at log in, ranks high among the options to increase the protection of user accounts and reduce the cost of fraud to the business.” 2 |
Foot Notes:
1 Twilio. https://www.twilio.com/hub/strong-customer-authentication-best-practices-using-phone-numbers-protect-your-users
2 Twilio. https://www.twilio.com/hub/strong-customer-authentication-best-practices-using-phone-numbers-protect-your-users
Center Configuration
Center Tab
Option | Description / Action / Rules |
Enable Multi-Factor Authentication | Access to this check box is controlled by the Enterprise MFA options. This field defaults to OFF. When it is OFF, Multi-Factor Authentication is not enabled for the Center. When it is ON, either by manually turning it ON here or by it being forced ON by the Enterprise settings, MFA is enforced for users who have access to this Center. PLEASE NOTE: If a user has permissions to a Center that is using MFA, that user will be required to Multi-Factor Authenticate into ANY Center to which they have access when their password has been changed or their Remember Me (In Days) setting has expired. |
Address Tab
Option | Description / Action / Rules |
CTR Administration Number | This field is used to direct the user to the number to call if there are issues receiving their One Time Passcode. If it is not configured, the CTR General Number is used as a backup. See Authentication Required Dialog for more detail. |
CTR General Number | This field is used as a backup to the CTR Administration Number in directing the user to the number to call if there are issues receiving their OTP. If neither the CTR Administration Number nor the CTR General Number is configured, no phone number is displayed on the Authentication Required dialog or in other messages. See the Before You Begin section for planning a roll out of MFA. |
Enterprise/Center Configuration Settings Working Together
The Center/Enterprise Administrator can work with HST Support to determine the best configuration for the organization. MFA can be piloted at one Center and then gradually turned on for each remaining Center over time. Once MFA has been implemented at all Centers, Require for All Centers can be turned ON in the Enterprise. This configuration automatically opts in all Centers for MFA and does not allow the Center setting to be changed.
When Center MFA Enable is ON, the users with permissions to that Center adhere to all Enterprise configured Multi-Factor Authentication settings regardless of the center they log into.
Below are the combinations that can be configured.
Enterprise Settings | Center Setting | Result |
Enable MFA is ON and Require for All Centers is OFF | Enable MFA defaults to OFF | Centers can opt in manually in Center Configuration. |
Enable MFA is ON and Require for All Centers is ON | Enable MFA is ON | Centers are automatically opted in and the Center setting cannot be changed. |
Enable MFA is OFF | Enable MFA is OFF | The Center setting cannot be changed and MFA is not enabled for the Enterprise. |
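To make the rules in the Enterprise Configuration table and the Enterprise/Center combinations above concrete, here is an added Python model of them. It is example code written for this page, not HST Practice Management code; the class, function and field names are assumptions chosen to mirror the option names in the help file.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class EnterpriseMfa:
    # Enterprise Configuration options; field names are this example's own
    enable: bool = False                 # defaults OFF
    require_for_all_centers: bool = False
    user_default: str = "Email"          # "Email" or "Text"
    remember_me_days: int = 30
    code_expiration_min: int = 10
    max_attempt_limit: int = 3
    security_code_length: int = 6

    def validate(self) -> List[str]:
        """Return the documented value-range rules that this configuration violates."""
        errors = []
        if self.user_default not in ("Email", "Text"):
            errors.append("User Default must be Email or Text")
        if self.remember_me_days <= 0:
            errors.append("Remember Me (In Days) must be greater than 0")
        if not 1 <= self.code_expiration_min <= 99:
            errors.append("Code Expiration (In Min) must be 1 through 99")
        if not 1 <= self.max_attempt_limit <= 10:
            errors.append("Max Attempt Limit must be 1 through 10")
        if not 6 <= self.security_code_length <= 10:
            errors.append("Security Code Length must be 6 through 10")
        return errors

def center_mfa_enabled(ent: EnterpriseMfa, center_opt_in: bool) -> bool:
    """Effective Center MFA state for the three Enterprise/Center combinations."""
    if not ent.enable:
        return False            # Enterprise OFF: MFA off everywhere, Center setting locked
    if ent.require_for_all_centers:
        return True             # forced ON for every Center, Center setting locked
    return center_opt_in        # Centers opt in individually in Center Configuration

def user_must_mfa(ent: EnterpriseMfa, center_opt_ins: List[bool]) -> bool:
    """Permissions to any MFA Center mean MFA is enforced into ANY Center the user can access."""
    return any(center_mfa_enabled(ent, opt_in) for opt_in in center_opt_ins)

def first_login_method(ent: EnterpriseMfa, has_email: bool, has_mobile: bool) -> Optional[str]:
    """User Default for the first log in, falling back to the other channel; None = cannot log in."""
    viable = {"Email": has_email, "Text": has_mobile}
    for method in (ent.user_default, "Text" if ent.user_default == "Email" else "Email"):
        if viable[method]:
            return method
    return None
```

The `center_opt_ins` list stands for the Center-level Enable check box of each Center the user has permissions to.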
User Profile
Basic Information Tab
Users must have at least one (1) method of notification (Mobile Phone or Email) to receive a One Time Passcode (OTP) to log in to HST Practice Management after Multi-Factor Authentication has been enabled.
Option | Description / Action / Rules |
Email | This field should be populated with a valid email if Email will be used for MFA. |
Mobile Phone | This field should be populated with a valid Mobile Phone number if Text will be used for MFA. PLEASE NOTE: If an Enterprise determines that Text will be the User Default notification method, then each user will need a valid Mobile Phone configured in the User Profile. Mobile Phone has been added to this form for the purposes of Multi-Factor Authentication. However, if Text (Mobile Phone) is selected in Enterprise Configuration and a user does not have one populated in their Profile, for that user’s initial log in after MFA is turned on the system defaults over to Email if one is present. See the Before You Begin section for details on getting started with MFA. |
Physician and Employee Validations
Validating Employees is being introduced along with MFA. This validation permits only one Employee to be attached to one User Profile. Since this validation is new and there may already be more than one User Profile with the same Employee, editing one of those User Profiles generates a validation message and requires removing the Employee from the other affected User Profile(s) before the Employee ID can be added to this User Profile and saved.
Validation for Physicians linked to User Profile records is already in place. However, the message will now indicate to which User ID the Physician is linked.
A similar message will be presented when attempting to attach an Employee to a User Profile if that Employee ID is already attached to another User Profile.
When this occurs a red error ball will display next to the field that is preventing the record from being saved.
In order to save the current record, the following steps are required:
- Take note of the User IDs from which the Physician or Employee needs to be removed.
- Access those Profiles, remove the applicable ID(s), and save.
- Go back to the first Profile to be updated, add the applicable Physician or Employee ID, and Save.
PLEASE NOTE: This validation only occurs when either the Physician or the Employee field is changed. If an existing User Profile record has a duplicated Linked ID and some other field is changed, there will be no validation for either of these fields. Please use the User Profile Data Export to determine whether there are any duplicated linked records. See the Before You Begin help file for directions on finding duplicated linked records.
Reset Password Tab
Option | Description / Action / Rules |
Reset Password | The button label has been changed from Reset to Reset Password. When MFA is enabled and Reset Password is clicked, the user is required to change their password from the temporary password and to re-authenticate via MFA on their first log in after the password reset. The hover message for this button is “Reset Password and MFA”. This action resets the user’s MFA Max Attempt Limit and Remember Me (In Days) to 0 in the database. If MFA is not enabled, the user is only required to change their password upon log in. |
Reset MFA Lockout | This button is only enabled if MFA is enabled at a Center this user has access to and their account is locked. When the account is not locked, the following message displays next to the button: User is not locked out. When the account is locked, the message next to the button displays: Account is locked. When this button is clicked, the account is reset and the message displays: The Account has been reset. This option can be accessed by users who have permission to Reset Passwords. The hover message for this button reads Reset MFA Lockout Only. This option does not affect user passwords. Please see the Resetting Locked Accounts help file for details on unlocking accounts. |
Employee Profile
Contact Tab
Option | Description / Action / Rules |
Linked User ID | This section, to the right, displays when there are linked User Profiles associated with this Employee record. |
Mobile Phone | When a linked User Profile exists, this field is Read Only. This data can only be updated from the User Profile form and is synchronized up to the Employee record. |
Email | When a linked User Profile exists, this field is Read Only. This data can only be updated from the User Profile form and is synchronized up to the Employee record. |
Physician Profile
General Information Tab
Option | Description / Action / Rules |
Linked User ID | This section, to the right, displays when there are linked User Profiles associated with this Physician record. |
User, Physician and Employee Profile Synchronization
Every user who logs in needs a User Profile (and either an Email or a Mobile Phone for MFA), but not every user has an Employee record or a linked Physician record. This makes the User Profile the source of truth for authentication purposes. To help keep linked Employees and Physicians up to date, when Email or Mobile Phone is updated in the User Profile, that data is sent to the linked record(s) through synchronization.
Changes Related to Synchronization
The Email and Mobile Phone field labels are now named consistently throughout the application, and the Email fields in both the Employee and Physician Profile forms follow the same formatting requirements as other Email fields in the application (i.e., requiring an @ symbol, a domain, etc.).
Please see the Updating Linked Records help file for details.