2FA is additional security mechanism to protect the user from fraudulent act. Bahmni using basic authentication (username, password) from OpenMRS so far. We are introducing 2FA in Bahmni to enhance the security. This feature only covers login through the Bahmni application. It doesn't apply to direct login through OpenMRS or OpenELIS or OpenERP. This feature is optional for an implementation. When this feature is enabled then user will be authenticated with username and password first and on success, the user will get SMS with OTP (One Time Password) in his/her registered mobile. The user has to authenticate with OTP before proceed to use the system.
The generated OTPs use Java's SecureRandom. They are random enough that the user can't guess. If you are curious, you can see the implementation here. OTPs are stored in memory. All operations like generation, validation, expiry are handled in memory only. There is no database involved.
To enable/disable 2FA, add the following snippet in the /etc/bahmni-installer/setup.yml file before Bahmni installation.
two_factor_auth: enabled/disabled |
Bahmni gives flexibility add SMS gateway service to the implementer.
Please refer bahmni-sms-plugins for more info. |
We don't have UI to enter user's mobile number currently. So, please use the below SQL query to add into the system.
The contact table is present in the openmrs database. It has 3 columns.
country_code can be found here.
Country_code mustn't contain the preceeding +. |
insert into contact(user_name, country_code, mobile_number) values('Leo','91','9955273623'); |
Every event is captured in audit log. The log file will be created for every day and only recent 90 days files are kept.
Audit logs are located at /var/log/bahmni-two-factor-auth/audit-logs directory |
|
There are many more events captured than those mentioned above.
These settings can be overridden by configuring in application.properties file.
application.properties is located at /home/bahmni/.bahmni-security directory |
Property | Description | Default Value |
---|---|---|
OTP_LENGTH | Number of digits in the generated OTP | 6 |
OTP_EXPIRES_AFTER | Number of minutes the OTP should be valid after it is generated | 15 |
OTP_MAX_ATTEMPTS | Number of times the user is allowed to enter a wrong OTP, before the user is redirected to the login screen | 3 |
OTP_MAX_RESEND_ATTEMPTS | Number of times the user can request a new OTP by clicking on resend button, before the user is redirected to the login screen | 3 |