2FA is an additional security mechanism that protects the user from fraudulent activity. So far Bahmni has used basic authentication (username, password) from OpenMRS. We are introducing 2FA in Bahmni to enhance security. This feature only covers login through the Bahmni application; it does not apply to direct login through OpenMRS, OpenELIS or OpenERP. The feature is optional for an implementation. When it is enabled, the user is first authenticated with username and password and, on success, receives an SMS with an OTP (One Time Password) on his/her registered mobile. The user has to authenticate with the OTP before proceeding to use the system.
The generated OTPs use Java's SecureRandom, so they are random enough that a user cannot guess them. If you are curious, you can see the implementation here. OTPs are stored in memory: generation, validation and expiry are all handled in memory only, and no database is involved.
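To illustrate the in-memory model described above (SecureRandom generation, validation and expiry with no database), here is an added example; it is not Bahmni's own code, and the 6-digit length, the attempt limit and the class and method names are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative in-memory OTP store (not Bahmni's implementation). Everything lives in
// this map; restarting the process discards all outstanding OTPs, as the page describes.
public class InMemoryOtpStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int OTP_DIGITS = 6;   // assumption: 6-digit numeric OTP
    private static final int MAX_ATTEMPTS = 5; // assumption: discard the OTP after 5 wrong tries

    private static final class Entry {
        final String otp;
        final long expiresAtMillis;
        int attempts;
        Entry(String otp, long expiresAtMillis) { this.otp = otp; this.expiresAtMillis = expiresAtMillis; }
    }

    private final Map<String, Entry> byUser = new ConcurrentHashMap<>();
    private final long ttlMillis;

    public InMemoryOtpStore(long ttlMillis) { this.ttlMillis = ttlMillis; }

    // Generate a fresh OTP for the user; any earlier OTP for the same user is replaced.
    // The returned value goes to the SMS gateway only and must never be written to logs.
    public String generate(String username, long nowMillis) {
        int bound = (int) Math.pow(10, OTP_DIGITS);
        String otp = String.format("%0" + OTP_DIGITS + "d", RNG.nextInt(bound)); // zero-padded
        byUser.put(username, new Entry(otp, nowMillis + ttlMillis));
        return otp;
    }

    // Accept only an unexpired OTP, compared in constant time, within the attempt limit.
    // An OTP is removed once it is used, expired or exhausted, so it cannot be replayed.
    public boolean validate(String username, String candidate, long nowMillis) {
        Entry e = byUser.get(username);
        if (e == null || candidate == null) return false;
        if (nowMillis > e.expiresAtMillis) { byUser.remove(username); return false; }
        if (++e.attempts > MAX_ATTEMPTS) { byUser.remove(username); return false; }
        boolean ok = MessageDigest.isEqual(e.otp.getBytes(StandardCharsets.UTF_8),
                                           candidate.getBytes(StandardCharsets.UTF_8));
        if (ok) byUser.remove(username);
        return ok;
    }
}
```

The time is passed in explicitly so that expiry can be exercised in a unit test without waiting for the TTL to elapse.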
Steps
1. How to enable/disable 2FA?
To enable/disable 2FA, add the following snippet to the /etc/bahmni-installer/setup.yml file before Bahmni installation (use either enabled or disabled as the value):
two_factor_auth: enabled/disabled
2. How to add SMS gateway service?
Bahmni gives the implementer the flexibility to add an SMS gateway service.