Gnosis version 1.2.933 adds the option to enable Two Factor Authentication on your Gnosis system in order to fully implement HIPAA (USA) and PHIPA (Canada) recommendations for your system if you store Electronic Protected Health Information (ePHI/PHI).
Two Factor Authentication (commonly abbreviated to 2FA or TFA) is an authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to the system that together prove they are entitled to log in. When signing into a Gnosis system with 2FA enabled, the user will need to supply a username, a password, and a 5- or 6-digit numeric 2FA code in order to gain access to the system.
The 2FA numeric code is sent to the user at the time of the login attempt by Email and/or Text Message (if Text Messaging is enabled) and is only valid for 30 minutes. Gnosis also supports authenticator apps such as Google's and Microsoft's, which the user can install on a mobile phone and then use to obtain a short-lived 2FA code.
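The two kinds of code described above behave differently: a delivered code is a random number with a fixed lifetime (30 minutes here) that should be accepted once, while an authenticator app computes a time-based one-time password (TOTP, RFC 6238) from a shared secret and the current time, so nothing needs to be sent. The following is an added illustration in Python of both checks as a verifying server would perform them; it is not Gnosis code, and the function names, the 6-digit default, the 30-second TOTP step and the one-step clock tolerance are assumptions. The sample secret is the RFC 6238 test secret, included so the output can be compared against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Delivered (email / text message) codes are valid for 30 minutes, per the article.
CODE_LIFETIME_SECONDS = 30 * 60

# RFC 6238 test secret ("12345678901234567890" in base32); constructed sample, not a real key.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def issue_delivered_code(now, digits=6):
    """Create a random numeric code to send to the user, with its expiry time.

    `now` is a Unix timestamp; `digits` is 5 or 6 to match the article.
    The record is what the server stores; only `code` is sent to the user.
    """
    code = "".join(secrets.choice("0123456789") for _ in range(digits))
    return {"code": code, "expires_at": now + CODE_LIFETIME_SECONDS, "used": False}


def verify_delivered_code(record, submitted, now):
    """Accept a delivered code only if it is unexpired, unused and matches.

    The record is marked used on success so the same code cannot be replayed.
    """
    if record["used"] or now > record["expires_at"]:
        return False
    # Constant-time comparison avoids leaking how many digits matched.
    if not hmac.compare_digest(record["code"], submitted):
        return False
    record["used"] = True
    return True


def totp(secret_b32, for_time, step=30, digits=6):
    """Compute the RFC 6238 TOTP (HMAC-SHA1) that an authenticator app would show."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(for_time // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): take 4 bytes at the offset given by the low nibble.
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, submitted, now, step=30, window=1):
    """Check a submitted app code, tolerating `window` steps of clock drift either way."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step=step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    print("TOTP at t=59:", totp(SAMPLE_SECRET_B32, 59))
    rec = issue_delivered_code(now=0)
    print("delivered code accepted:", verify_delivered_code(rec, rec["code"], now=60))
```

Both verifiers compare with `hmac.compare_digest` and the delivered-code path is single use; a real deployment would also rate-limit attempts, since a 6-digit code is trivially guessable without a lockout.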
Before turning on 2FA on your system, please consider the following:
- All users will need to be running Gnosis version 1.2.933 or later.
- All your active users will need to have an email address, a mobile phone number (if using text message notifications), or both recorded on the user administration screen.
- All users should be referred to the "Logging in with 2FA" article in the Gnosis Help Center.
Turning on 2FA
To enable 2FA on your system:
- Go to the Settings | Administration | User Management area of Gnosis
- Review all active users (especially the user you have logged in with) to ensure that at least their email address or mobile phone number is correct (preferably both). NOTE: Phone numbers must include a "+" character, followed by the country code and then all digits.
- Switch to the 2FA Settings Tab:
- Check the "Enable 2FA Security" option, and then check the methods you wish to allow for sending 2FA codes to users.
You will need to include at least one of the text message and email options in your setup choices so that new users can receive codes that allow them to log in initially and, if desired, set up authenticator apps on their phones (Note: text messaging will only be usable if you have our text messaging service enabled in your Gnosis system). Thereafter, you may turn off unwanted options at any time. Note: individual users can select a subset of the choices you enable here for their own use.
- Lastly, you may enter the number of days that a 2FA verification will last for each user before they are again prompted to provide a 2FA code to log in. A value of "0" indicates that a 2FA code is required every time a user logs in.
- To finish, press "Save & Close" to save your setup options and activate 2FA logins.
To continue setting up your own 2FA access to your account, follow the instructions in the "Logging in with 2FA" article in the Help Center.
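The setup steps above amount to a handful of checks an administrator should make before saving: at least one delivery method (email or text message) is enabled, text messaging is only selected when the messaging service is active, every active user has a usable contact method, phone numbers are in the "+", country code, digits-only form, and the remember period is interpreted with 0 meaning "every login". The following Python is an added example of those checks written as a pre-flight script; it is not Gnosis code, the setting and user field names are assumptions, and the `sms_service_enabled` flag and the 7-to-15-digit length bound on phone numbers are hypothetical.

```python
import re
from dataclasses import dataclass

# "+" followed by a country code (no leading zero) and then digits only; the
# 7-15 digit length bound is an assumption, not something the article states.
PHONE_PATTERN = re.compile(r"^\+[1-9]\d{6,14}$")

SECONDS_PER_DAY = 86400


@dataclass
class TwoFactorSettings:
    """Hypothetical model of the 2FA Settings tab."""
    enabled: bool = False
    allow_email: bool = False
    allow_sms: bool = False
    allow_authenticator_app: bool = False
    remember_days: int = 0           # 0 = a code is required on every login
    sms_service_enabled: bool = False  # whether the text messaging service is active


@dataclass
class User:
    """Hypothetical model of a row on the user administration screen."""
    username: str
    email: str = ""
    mobile: str = ""
    active: bool = True


def phone_number_is_valid(number):
    """True if the number has the required '+<country code><digits>' form."""
    return bool(PHONE_PATTERN.match(number))


def settings_problems(settings):
    """Return a list of reasons the settings should not be saved (empty if fine)."""
    problems = []
    if not settings.enabled:
        return problems
    if not (settings.allow_email or settings.allow_sms):
        problems.append("enable at least one of email or text message delivery so new users can receive codes")
    if settings.allow_sms and not settings.sms_service_enabled:
        problems.append("text message delivery selected but the text messaging service is not enabled")
    if settings.remember_days < 0:
        problems.append("remember period must be 0 or more days")
    return problems


def user_problems(settings, users):
    """Return a list of active users who could not receive a 2FA code as configured."""
    problems = []
    for u in users:
        if not u.active:
            continue
        if u.mobile and not phone_number_is_valid(u.mobile):
            problems.append(f"{u.username}: mobile number must be '+', country code, then digits only")
        can_email = settings.allow_email and "@" in u.email
        can_sms = settings.allow_sms and phone_number_is_valid(u.mobile)
        if not (can_email or can_sms):
            problems.append(f"{u.username}: no usable delivery method for 2FA codes")
    return problems


def second_factor_required(settings, last_verified_at, now):
    """Decide whether this login must present a 2FA code.

    `last_verified_at` is the Unix time of the user's last successful 2FA
    verification, or None if there has never been one.
    """
    if not settings.enabled:
        return False
    if settings.remember_days == 0 or last_verified_at is None:
        return True
    return now - last_verified_at >= settings.remember_days * SECONDS_PER_DAY


if __name__ == "__main__":
    # Constructed sample data.
    settings = TwoFactorSettings(enabled=True, allow_email=True, allow_sms=True,
                                 sms_service_enabled=True, remember_days=7)
    users = [User("admin", email="admin@example.com"),
             User("bob", mobile="5550100"),
             User("former", active=False)]
    for line in settings_problems(settings) + user_problems(settings, users):
        print("PROBLEM:", line)
```

Run the checks against an export of the user list before ticking "Enable 2FA Security": the account you are logged in with is the one to verify most carefully, since a wrong address there locks you out of the administration screens as soon as the settings are saved.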
Glossary of Terms
- Electronic Protected Health Information (ePHI) under U.S. law (PHI under Canadian law) is any electronically stored information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity) and can be linked to a specific individual.
- HIPAA Act. Title II of the Health Insurance Portability and Accountability Act (HIPAA) establishes policies and procedures for maintaining the privacy and the security of individually identifiable health information. PHIPA is the Canadian equivalent of the US HIPAA act.