Purpose and Benefits

2FA is an additional security mechanism that protects the user from fraudulent acts. So far Bahmni has used basic authentication (username and password) from OpenMRS. We are introducing 2FA in Bahmni to enhance security. This feature only covers login through the Bahmni application; it does not apply to direct login through OpenMRS, OpenELIS or OpenERP. The feature is optional for an implementation. When it is enabled, the user is first authenticated with username and password, and on success receives an SMS with an OTP (One Time Password) on his/her registered mobile. The user has to authenticate with the OTP before proceeding to use the system.


The generated OTPs use Java's SecureRandom, so they are random enough that a user cannot guess them. If you are curious, you can see the implementation here. OTPs are stored in memory only: generation, validation and expiry are all handled in memory, and no database is involved.

Steps

1. How to enable/disable 2FA?

To enable or disable 2FA, add the following snippet to the /etc/bahmni-installer/setup.yml file before Bahmni installation, using either the value enabled or the value disabled.

Code Block
two_factor_auth: enabled/disabled


2. How to add SMS gateway service?

Bahmni gives the implementer the flexibility to add an SMS gateway service.

Info

Please refer to bahmni-sms-plugins for more information.


3. How to add user's mobile number?

There is currently no UI to enter a user's mobile number, so please use the SQL query below to add it to the system.

The contact table is present in the openmrs database. It has 3 columns:

  • user_name must be exactly the same as the username in OpenMRS.
  • country_code can be found here

    Warning

    country_code must not contain the preceding +.

  • mobile_number is the mobile number of that user.


Code Block
Sample SQL to add a user's mobile number
insert into contact(user_name, country_code, mobile_number) values('Leo','91','9955273623');

4. Audit Logs

Every event is captured in the audit log. A new log file is created every day, and only the files for the most recent 90 days are kept.

Info
Location of Audit Logs

Audit logs are located in the /var/log/bahmni-two-factor-auth/audit-logs directory.

Example log entries:
  • OTP 623704 generated for doctor1
  • Failed attempt #1 using OTP 123131 by doctor1
  • OTP 623704 validation successful for doctor1

There are many more events captured than those mentioned above.

5. OTP configurations

These settings can be overridden in the application.properties file.

Info
Location of application properties file

application.properties is located in the /home/bahmni/.bahmni-security directory.

Property | Description | Default Value
OTP_LENGTH | Number of digits in the generated OTP | 6
OTP_EXPIRES_AFTER | Number of minutes the OTP should be valid after it is generated | 15
OTP_MAX_ATTEMPTS | Number of times the user is allowed to enter a wrong OTP before the user is redirected to the login screen | 3
OTP_MAX_RESEND_ATTEMPTS | Number of times the user can request a new OTP by clicking the resend button before the user is redirected to the login screen | 3
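To make the in-memory OTP handling described under "Purpose and Benefits" and the OTP_LENGTH, OTP_EXPIRES_AFTER and OTP_MAX_ATTEMPTS settings above concrete, here is an added illustration in Java; it is not Bahmni's own implementation, and the class, method and result names are assumptions. It generates a fixed-length numeric OTP with SecureRandom, keeps it only in memory, treats it as single-use, expires it after the configured minutes, and locks the user out after the configured number of wrong attempts.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical in-memory OTP store; constants mirror the OTP_* property defaults. */
public class OtpStore {
    public enum Result { OK, WRONG, EXPIRED, LOCKED_OUT, NO_PENDING_OTP }

    private static final int OTP_LENGTH = 6;
    private static final Duration OTP_EXPIRES_AFTER = Duration.ofMinutes(15);
    private static final int OTP_MAX_ATTEMPTS = 3;

    private static final SecureRandom RNG = new SecureRandom();
    // Everything lives here; nothing is written to a database.
    private final Map<String, Entry> pending = new ConcurrentHashMap<>();

    private static final class Entry {
        final byte[] otp; final Instant expiresAt; int failedAttempts;
        Entry(byte[] otp, Instant expiresAt) { this.otp = otp; this.expiresAt = expiresAt; }
    }

    /** Draws each digit from SecureRandom so leading zeros are kept and every OTP has OTP_LENGTH digits. */
    public String generate(String userName) {
        StringBuilder sb = new StringBuilder(OTP_LENGTH);
        for (int i = 0; i < OTP_LENGTH; i++) sb.append(RNG.nextInt(10));
        String otp = sb.toString();
        pending.put(userName, new Entry(otp.getBytes(StandardCharsets.US_ASCII),
                                        Instant.now().plus(OTP_EXPIRES_AFTER)));
        return otp;  // handed to the SMS gateway in a real deployment
    }

    public Result validate(String userName, String candidate) {
        Entry e = pending.get(userName);
        if (e == null) return Result.NO_PENDING_OTP;
        if (Instant.now().isAfter(e.expiresAt)) { pending.remove(userName); return Result.EXPIRED; }
        // MessageDigest.isEqual avoids an early-exit comparison that leaks how many digits matched.
        if (MessageDigest.isEqual(e.otp, candidate.getBytes(StandardCharsets.US_ASCII))) {
            pending.remove(userName);  // single use: a replayed OTP is rejected
            return Result.OK;
        }
        if (++e.failedAttempts >= OTP_MAX_ATTEMPTS) { pending.remove(userName); return Result.LOCKED_OUT; }
        return Result.WRONG;
    }
}
```

A wrong candidate of a different length (for example five digits) can never match, which makes a quick manual check of the WRONG and LOCKED_OUT paths deterministic.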


Prerequisites:

  1. If the reports module is installed, the 'bypass2fa' role should be added to the reports-user in OpenMRS.
