MFA Rules
Several rules define who must Multi-Factor Authenticate, and when and where they must do so. This section explains those rules for a better understanding of the feature and to assist with user access issues.
Who Multi-Factor Authenticates
If MFA is turned on for a given Center, the following users must Authenticate in ALL Centers in the Enterprise, not only in the Center that has MFA enabled:
- ALL Active Corporate Administrators.
- ALL Active users identified as a Center Administrator in the Center that has MFA enabled.
- ALL Active users assigned a Role in the Center that has MFA enabled.
- ALL Active users with at least 1 Individual Permission in the Center that has MFA enabled.
If MFA is turned on for ALL Centers, either because the Enterprise Require All Centers option is set to ON or because MFA was manually turned ON for every Center, then ALL users in the Enterprise must MFA.
Who Does Not Multi-Factor Authenticate
Users whose access is limited to ONLY those Centers that do not have MFA enabled at the Center level.
When do Users Multi-Factor Authenticate
A user who is required to MFA will encounter the Authentication Required dialog under the following circumstances:
- Their Remember Me (In Days) has been exceeded.
- It is the user's first log in after MFA is turned on for any Center the user has access to, whether at the Center level or because the Require for All Centers MFA option in Enterprise Configuration was enabled.
- The user's password has been changed, either by an Admin or by the user changing an existing or expired password.
Where do Users Multi-Factor Authenticate
The grids below are samples that show where a user must MFA. The first sample has a variety of users and 2 Centers, one with MFA enabled at the Center level and one without; the two that follow show the Require All and Enterprise-OFF cases.
Enterprise MFA Enable: ON
Enterprise Require All: OFF

User | Center 1 (MFA ON) Access | Must MFA? | Center 2 (MFA OFF) Access | Must MFA?
User 1 | Corporate Admin | Y | Corporate Admin | Y
User 2 | Center Admin/Role | Y | Role | Y
User 3 | Role | Y | Individual Perms | Y
User 4 | Individual Perms | Y | Individual Perms | Y
User 5 | Individual Perms | Y | Center Admin | Y
User 6 | NONE | No Access | Center Admin | N
User 7 | NONE | No Access | Role | N
User 8 | NONE | No Access | Individual Perms | N

Enterprise MFA Enable: ON
Enterprise Require All: ON
Center MFA Enable | Center 1 - ON | All Users must MFA | Center 2 - ON | All Users must MFA

Enterprise MFA Enable: OFF
Enterprise Require All: OFF
Center MFA Enable | Center 1 - OFF | NO Users must MFA | Center 2 - OFF | NO Users must MFA
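The Who, When and Where rules above, written out as a policy function so the grid can be reproduced for any mix of users and Centers. This is an added example in Python, not code from the page or from HST Practice Management; the data shapes, function names, and the assumption that a Corporate Administrator has access to every Center are mine, since the page defines the rules but no API.

```python
"""Added example, not HST Practice Management code: the Who, When and Where
MFA rules as a policy function. Data shapes, names and the assumption that a
Corporate Administrator has access in every Center are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set


@dataclass
class Enterprise:
    mfa_enabled: bool              # Enterprise MFA Enable
    require_all_centers: bool      # Enterprise Require All
    center_mfa: Dict[str, bool]    # Center name -> Center-level MFA ON/OFF


@dataclass
class User:
    active: bool = True
    corporate_admin: bool = False
    # Center name -> access held there: "Center Admin", "Role", "Individual Perms"
    access: Dict[str, Set[str]] = field(default_factory=dict)


def enforced_centers(ent: Enterprise) -> Set[str]:
    """Centers in which MFA is in effect (assumed: nothing is enforced while the
    Enterprise-level switch is OFF, as in the third grid above)."""
    if not ent.mfa_enabled:
        return set()
    if ent.require_all_centers:
        return set(ent.center_mfa)
    return {c for c, on in ent.center_mfa.items() if on}


def must_mfa(ent: Enterprise, user: User) -> bool:
    """Who rule. A user who qualifies MFAs in ALL Centers, not just the MFA one."""
    if not user.active:
        return False
    enforced = enforced_centers(ent)
    if not enforced:
        return False
    if ent.require_all_centers or user.corporate_admin:
        return True
    # Center Admin, a Role, or at least one Individual Permission in an MFA Center
    return any(user.access.get(c) for c in enforced)


def where_mfa(ent: Enterprise, user: User) -> Dict[str, str]:
    """Where rule: one grid cell per Center, 'Y', 'N' or 'No Access'."""
    required = must_mfa(ent, user)
    cells = {}
    for center in ent.center_mfa:
        if user.corporate_admin or user.access.get(center):
            cells[center] = "Y" if required else "N"
        else:
            cells[center] = "No Access"
    return cells


@dataclass
class SessionState:
    remember_me_days: int
    last_mfa_at: Optional[datetime]          # None: never authenticated since MFA was turned on
    password_changed_at: Optional[datetime]  # by an Admin or by the user


def needs_prompt(ent: Enterprise, user: User, state: SessionState, now: datetime) -> bool:
    """When rule: does this log in hit the Authentication Required dialog?"""
    if not must_mfa(ent, user):
        return False
    if state.last_mfa_at is None:
        return True  # first log in after MFA was turned on for a Center the user can access
    if now - state.last_mfa_at > timedelta(days=state.remember_me_days):
        return True  # Remember Me (In Days) exceeded
    if state.password_changed_at and state.password_changed_at > state.last_mfa_at:
        return True  # password changed since the last authentication
    return False
```

When troubleshooting an access issue, call where_mfa with the user's actual Center access and the Enterprise settings; a "Y" in a Center whose own MFA switch is OFF is expected, because the Who rule is evaluated once per user and then applies in every Center.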
Log In Attempt Rules
There are also rules in place that will block a user from logging in, or from continuing to attempt to log in, if the user:
- enters an invalid code.
- does not have a valid email or mobile phone for getting a code.
- enters a One Time Passcode that has expired.
- has tried to get a new code too many times.
One Time Pass Code Delivery Rules
The delivery of One Time Passcodes depends on system set up. Understanding these rules can help to better assist users with access issues.
When the Authentication form loads, the user's notification methods are displayed if they are populated in the User Profile. The notification method to which the One Time Passcode was sent is listed at the top of the form and is selected in the radio selector at the bottom of the dialog.
The default notification method is taken from Enterprise Configuration. If the Enterprise Configuration default is Email and the user only has a Mobile Phone number, the system sends a Text for the initial log in, since email is not available. Once the user has successfully logged in, the method used is remembered for the next time MFA is required.
To change where a code is delivered, click the other option if it is available and click Resend. After a successful log in, this change is remembered for the next time Multi-Factor Authentication is required. This gives a user who has been using Text as their notification method another option in the event they forgot their phone.
Log In or Switch to Other Center Rules
If a user's Remember Me (In Days) has not expired, then when they log into or switch to another Center on the same Enterprise or Replicated Enterprise, the user is not required to go through the Authentication Required dialog.
However, if the user changes their Login URL (the URL entered in the Server Location field on the Log In form), then the MFA rules of the Enterprise being accessed are in effect.
If a user's Remember Me (In Days) expires while they are using the application, and the user then attempts to switch to another Center via the Center hyperlink on the tool bar at the bottom of the Home page, or uses the Log In form to access another HST instance, and fails to Multi-Factor Authenticate into the second Center, the user is brought back to the first Center and the new instance of HST Practice Management does not launch.
Code Generation Rules
• Clicking the Log In button on the Log In form generates a new code.
• Clicking Yes after changing a password to the question “Log in to the system?” generates a new code.
• Clicking Resend generates a new code.
• Codes are only generated once and not re-used or regenerated.
• Codes expire and cannot be used after their expiration time.
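The Log In Attempt, One Time Pass Code Delivery and Code Generation rules above, combined into one passcode lifecycle. This is an added example in Python, not code from the page or from HST Practice Management; the class and function names, the 5-minute expiry, the resend and bad-code limits, and the choice to retire the previous code on Resend are assumptions, because the page states the rules but not the values.

```python
"""Added example, not HST Practice Management code: a one-time-passcode
lifecycle that follows the Log In Attempt, Delivery and Code Generation rules.
Names, the expiry window, the attempt limits and the retire-on-resend choice
are assumptions; the page gives the rules but not the values."""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

CODE_TTL = timedelta(minutes=5)  # assumed expiry window
MAX_RESENDS = 3                  # assumed "too many times" threshold
MAX_BAD_CODES = 3                # assumed invalid-code threshold


class OtpError(Exception):
    """Raised when one of the rules blocks the log in attempt."""


@dataclass
class Profile:
    email: Optional[str] = None
    mobile: Optional[str] = None
    preferred_method: Optional[str] = None  # remembered after a successful log in


@dataclass
class Challenge:
    method: str          # "Email" or "Text"
    code: str
    expires_at: datetime
    used: bool = False   # codes are single-use


@dataclass
class Authenticator:
    enterprise_default: str = "Email"                             # Enterprise Configuration default
    outbox: List[Tuple[str, str]] = field(default_factory=list)   # constructed stand-in for email/SMS

    def select_method(self, profile: Profile, requested: Optional[str] = None) -> str:
        available = [m for m, v in (("Email", profile.email), ("Text", profile.mobile)) if v]
        if not available:
            raise OtpError("no valid email or mobile phone for getting a code")
        # Precedence: the option the user just clicked, the method remembered from
        # the last successful log in, then the Enterprise default.
        for method in (requested, profile.preferred_method, self.enterprise_default):
            if method in available:
                return method
        return available[0]  # e.g. default is Email but the user only has a mobile number

    def generate(self, profile: Profile, now: datetime, requested: Optional[str] = None) -> Challenge:
        method = self.select_method(profile, requested)
        code = f"{secrets.randbelow(10**6):06d}"  # fresh random code every time, never re-used
        self.outbox.append((method, code))
        return Challenge(method, code, now + CODE_TTL)


class LoginAttempt:
    """One pass through the Authentication Required dialog."""

    def __init__(self, auth: Authenticator, profile: Profile, now: datetime):
        self.auth, self.profile = auth, profile
        self.resends = 0
        self.bad_codes = 0
        self.locked = False
        # Log In (or Yes after a password change) generates the first code
        self.challenge = auth.generate(profile, now)

    def resend(self, now: datetime, method: Optional[str] = None) -> None:
        self._check_open()
        self.resends += 1
        if self.resends > MAX_RESENDS:
            self.locked = True
            raise OtpError("tried to get a new code too many times")
        self.challenge.used = True  # assumed: a Resend retires the previous code
        self.challenge = self.auth.generate(self.profile, now, requested=method)

    def verify(self, code: str, now: datetime) -> bool:
        self._check_open()
        ch = self.challenge
        if ch.used:
            raise OtpError("code already used")
        if now > ch.expires_at:
            raise OtpError("One Time Passcode expired")
        if not hmac.compare_digest(code, ch.code):  # constant-time comparison
            self.bad_codes += 1
            if self.bad_codes >= MAX_BAD_CODES:
                self.locked = True
            raise OtpError("invalid code")
        ch.used = True
        self.profile.preferred_method = ch.method  # remembered for the next MFA prompt
        return True

    def _check_open(self) -> None:
        if self.locked:
            raise OtpError("log in blocked after too many failed attempts")


def is_rejected(action) -> bool:
    """Helper for demonstrations: True when the rules block the action."""
    try:
        action()
    except OtpError:
        return True
    return False
```

The outbox stands in for the real email and SMS delivery so the flow can be exercised offline; the point to notice is that a code is valid for exactly one successful verify, that a resend or expiry makes the earlier code useless, and that the delivery method selected on a successful log in is what the next challenge defaults to.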