Enabling Multifactor Authentication (MFA) for Your Practice
Multifactor authentication (MFA) helps secure your practice data and prevent unauthorized access to patients' health records. MFA requires users to provide more than one form of identification, which may be something they know (e.g., passwords), something they have (e.g., smartphone app, token), or something they are (e.g., Touch ID, Face ID).
When you enable MFA for your practice, staff are prompted to establish an MFA profile, using an authenticator app of their choice (e.g., Microsoft Authenticator, Google Authenticator, Duo Mobile), the next time they log in. From then on, practice users must enter the one-time code generated by their authenticator app each time they log in to Eyefinity EHR.
To learn more about the end-user MFA experience, go to Setting up Multifactor Authentication (MFA) for Your User Account.
MFA settings apply only to practice staff and administrator accounts. Patients won't be required to set up MFA to log into the patient portal.
MFA is not compatible with single sign-on (SSO) at this time.
When MFA is enabled, staff are prompted to establish an MFA profile with an authenticator app the next time they log in. After that, every login to Eyefinity EHR requires two forms of authentication: the user's password and a code from the authenticator app.
Users of the iPad app who log in with Touch ID/Face ID will not be prompted to establish an MFA profile or enter a code until they change their password. Until then, those iPad logins are not covered by MFA, so if you need those users enrolled sooner, have them change their password.
Here's how to set up MFA:
- Log in to the Eyefinity EHR web application as an administrator.
- Locate and expand the Security Policy section and click Edit Security Policy.
- Select the Enable Multifactor Authentication for Staff check box.
- Click Save.
By default, staff must complete MFA every time they log in. To reduce authentication fatigue, you can set a grace period that controls how often a user is prompted for MFA on each device. Keep in mind that a longer grace period also means a lost, stolen, or shared device stays trusted for longer, so choose a length that fits how your practice manages its devices.
Here's how to set the MFA grace period:
- Log in to the Eyefinity EHR web application as an administrator.
- Locate and expand the Security Policy section and click Edit Security Policy.
- Select the Enable Multifactor Grace Period for User/Login Device check box.
- Click the Multifactor Grace Period Time Unit drop-down menu and select one of the following options:
- Once per Device (Unlimited)
- Hours
- Days
- Click the Multifactor Grace Period Length text box and type the number of days/hours you want to give users between MFA prompts.
- Click Save.
You can make it easier for practice users to log in from specific locations by exempting specific IP addresses from the MFA requirement. For example, you can enter the public IP addresses your practice's network presents to the internet so that users are not prompted for MFA at a practice location but are still prompted when they log in from home. Keep the list narrow: anyone who reaches Eyefinity EHR from an exempted address, including a guest on the practice network, bypasses MFA, and an address that changes (for example, a business internet connection without a static IP) will simply stop matching. Here's how to exclude IP addresses from MFA:
- Log in to the Eyefinity EHR web application as an administrator.
- Locate and expand the Security Policy section and click Edit Security Policy.
- Paste or enter the IP addresses that shouldn't require MFA in the Disable Multifactor from the Following IP Addresses: text box.
- Click Save.
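The grace period and the IP exemption list interact at every login, and it helps to be able to reason about a planned configuration before turning it on. The following is an added example that models the decision the two Security Policy controls above describe; it is not Eyefinity EHR code. The option names (Once per Device (Unlimited), Hours, Days) are taken from this page; the functions, fields, sanity limits and sample addresses are assumptions. It also checks a candidate exemption list the way an administrator should before pasting it in: a private, loopback, or otherwise non-routable address can never match the public address the service sees, and a very wide block exempts far more than your own offices.

```python
# Illustrative model of the two Security Policy controls described above:
# the MFA grace period per user/login device and the IP-address exemption
# list. Added example for reasoning about a planned configuration, not
# Eyefinity EHR code; option names come from the page, everything else
# (functions, fields, limits, sample addresses) is assumed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import ipaddress

ONCE_PER_DEVICE = "Once per Device (Unlimited)"


@dataclass
class SecurityPolicy:
    mfa_enabled: bool = True
    grace_enabled: bool = False
    grace_unit: str = "Days"            # ONCE_PER_DEVICE, "Hours" or "Days"
    grace_length: int = 1               # ignored for ONCE_PER_DEVICE
    exempt_networks: list = field(default_factory=list)


def parse_exempt_addresses(raw: str):
    """Check text meant for 'Disable Multifactor from the Following IP Addresses'.

    Returns (accepted networks, problems). The service only sees the public
    address your network presents to the internet, so a private (RFC 1918),
    loopback, link-local or otherwise non-routable entry can never match and
    is rejected. A block wider than a /24 is rejected as an assumed sanity
    limit: the list should name your egress addresses, not a whole provider.
    Entries may be single addresses or CIDR blocks separated by commas,
    spaces or newlines.
    """
    accepted, problems = [], []
    for token in raw.replace(",", " ").split():
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            problems.append(f"{token}: not an IP address or CIDR block")
            continue
        if not net.network_address.is_global:
            problems.append(f"{token}: not a public address, would never match")
            continue
        if net.num_addresses > 256:
            problems.append(f"{token}: exempts {net.num_addresses} addresses, narrow it")
            continue
        if net not in accepted:
            accepted.append(net)
    return accepted, problems


def mfa_required(policy: SecurityPolicy, source_ip: str,
                 last_mfa_at: Optional[datetime], now: datetime):
    """Decide whether this login must present an authenticator code.

    last_mfa_at is when this user last completed MFA on this device
    (None for a device that never has). Returns (required, reason).
    """
    if not policy.mfa_enabled:
        return False, "MFA not enabled for staff"
    ip = ipaddress.ip_address(source_ip)
    if any(ip in net for net in policy.exempt_networks):
        return False, "source address is exempt from MFA"
    if policy.grace_enabled and last_mfa_at is not None:
        if policy.grace_unit == ONCE_PER_DEVICE:
            return False, "device already verified once"
        unit = timedelta(hours=1) if policy.grace_unit == "Hours" else timedelta(days=1)
        if now - last_mfa_at < unit * policy.grace_length:
            return False, "within grace period on this device"
    return True, "authenticator code required"


def demo():
    """Constructed sample: two office egress addresses plus three bad entries."""
    nets, problems = parse_exempt_addresses(
        "64.100.12.34, 64.100.20.0/28\n10.0.0.5 64.0.0.0/8 bogus")
    policy = SecurityPolicy(grace_enabled=True, grace_unit="Days",
                            grace_length=7, exempt_networks=nets)
    now = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    results = {
        "office": mfa_required(policy, "64.100.20.7", None, now),
        "home, verified 3 days ago": mfa_required(
            policy, "198.51.100.8", now - timedelta(days=3), now),
        "home, verified 8 days ago": mfa_required(
            policy, "198.51.100.8", now - timedelta(days=8), now),
        "home, new device": mfa_required(policy, "198.51.100.8", None, now),
    }
    return problems, results


if __name__ == "__main__":
    problems, results = demo()
    for p in problems:
        print("rejected:", p)
    for label, (required, reason) in results.items():
        print(f"{label}: {'MFA' if required else 'no MFA'} ({reason})")
```

Running the script shows the office login skipping MFA, the home login skipping it only while the device is inside the seven-day grace window, and the three bad list entries being rejected before they could ever reach the policy.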
If a user accidentally deletes the Eyefinity EHR profile from their authenticator app, or loses access to the app or device, they will need to re-establish MFA. To make sure the user is prompted to set up MFA again the next time they log in, you must reset the user's MFA profile. Because the reset removes the user's second factor, confirm the requester's identity through a channel you trust (for example, in person or by a known phone number) before performing it.
- Log in to the Eyefinity EHR web application as an administrator.
- Open the user's account.
- In the Practice Accounts section, enter search criteria, as needed, and click Apply Filter.
- Click a user’s Username.
- On the Demographics tab, locate the Reset Multifactor Authentication option and select Yes.
- Click Save.
The user's MFA profile is removed, and the user will be prompted to set up MFA again the next time they log in.
Before enabling MFA in your practice, you should thoughtfully consider how it will impact your practice staff. Here are a few questions to help you get started:
- Will you allow internal IP addresses to bypass MFA requirements?
- When will you toggle the MFA requirement on?
- How often should practice users have to authenticate each device? In other words, what's the right balance between security and usability for your practice?
- How will you communicate the MFA requirements to practice users?
- How will you handle situations where a user has lost their smartphone or left it at home?
- How will you accommodate users who don't have a smartphone or don't want to install an authenticator app?
- Who should practice users contact if they are having trouble setting up or logging in with MFA?