Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
Purpose and Benefits
2FA is additional security mechanism to protect the user from fraudulent act. Bahmni using uses basic authentication (username, password) from OpenMRS so far. We . However, it is optimal to have additional security mechanisms to protect users from fraudulent acts. Thus we are introducing 2FA in Bahmni to enhance the security. This feature only covers login through the Bahmni application. It doesn't apply to direct login through OpenMRS or OpenELIS or OpenERP. This feature is optional for an implementation. When this feature is enabled then the user will be authenticated with username and password first and on success, the user will get an SMS with OTP (One Time Password) in with an OTP to his/her registered mobile. The user has to authenticate with the OTP before proceed proceeding to use the system.
The generated OTPs use Java's SecureRandom. They are random enough that the user can't guess. If you are curious, you can see (see details of the implementation here). OTPs are stored in memory. All The OTPs and all operations like generation, validation, expiry are handled in memory only. There is no database involved.
Steps
1.
How to enableEnable/disable 2FA
?To enable/disable 2FA, add the following snippet in the /etc/bahmni-installer/setup.yml file before Bahmni installation.
| Code Block |
|---|
two_factor_auth: enabled/disabled |
2.
How to addAdd SMS gateway service
?Bahmni gives flexibility add SMS gateway service to the implementer.
| Info |
|---|
Please refer bahmni-sms-plugins for more info. |
3.
How to addAdd user's mobile number
?We don't have UI to enterAdd the user's mobile number currently. So, please use the below SQL query to add into the systemOpenMRS database.
The contact table is present in the openmrs OpenMRS database. It has 3 columns.
- user_name must be exactly the same as the username in OpenMRS.
country_code can be found here.
Warning Country_code mustn't should not contain the preceeding preceding "+."
- mobile_number is the mobile number of that user.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
insert into contact(user_name, country_code, mobile_number) values('Leo','91','9955273623'); |
| Note |
|---|
If reports module is installed, then for reports-user 'bypass2fa' role should be added to OpenMRS. |
4. Check Audit Logs
Every event is captured in the audit log. The log file will be created for every day and only recent , but only recent files from the past 90 days files are are kept.
| Info | ||
|---|---|---|
| ||
Audit logs are located at /var/log/bahmni-two-factor-auth/audit-logs directory | ||
| Expand | title | Click here to expand the example
Sample log entries
...:
- OTP 623704 generated for doctor1
- Failed attempt #1 using OTP 123131 by doctor1
- OTP 623704 validation successful for doctor1
There are many more events captured than those mentioned above.
5. Override OTP configurations
These settings can be overridden by configuring in applicationadding configuration to the application.properties file.
| Info | ||
|---|---|---|
| ||
application.properties is located at /home/bahmni/.bahmni-security directory |
| Property | Description | Default Value |
|---|---|---|
| OTP_LENGTH | Number of digits in the generated OTP | 6 |
| OTP_EXPIRES_AFTER | Number of minutes the OTP should be valid after it is generated | 15 |
| OTP_MAX_ATTEMPTS | Number of times the user is allowed to enter a wrong OTP, |
before the user is redirected to the login screen | 3 |
| OTP_MAX_RESEND_ATTEMPTS | Number of times the user can request a new OTP by clicking on resend button, |
before the user is redirected to the login screen | 3 |
Prerequisites:
- If reports module is installed, then for reports-user 'bypass2fa' role should be added in openmrs.
| Tip | ||||
|---|---|---|---|---|
| ||||
|
| Panel | ||||||
|---|---|---|---|---|---|---|
| ||||||
| Panel | ||||||
|---|---|---|---|---|---|---|
| ||||||