Overview

4D EMR Version 6.0 implements multi-factor authentication (MFA) to provide an additional layer of security beyond traditional username and password credentials. MFA requires users to verify their identity using a second authentication factor before accessing protected health information within the system.

This documentation describes the MFA capabilities, configuration options, enrollment process, and authentication workflow as required by 45 CFR § 170.315(d)(13).

Authentication Method

4D EMR uses Time-based One-Time Password (TOTP) as the multi-factor authentication method, conforming to RFC 6238. TOTP generates a unique six-digit verification code that changes every 30 seconds, based on a shared secret key and the current time.

Users authenticate with a TOTP-compatible authenticator application installed on their mobile device or computer. Supported authenticator applications include:

• Google Authenticator (iOS, Android)
• Microsoft Authenticator (iOS, Android)
• Authy (iOS, Android, Desktop)
• Any application that supports the TOTP standard (RFC 6238)

Additionally, Twilio SendGrid is integrated as a communication service to deliver email-based MFA verification codes for users who require an alternative to authenticator applications.

Configuration Options

4D EMR provides flexible MFA configuration to accommodate different practice security requirements. MFA can be managed at both the administrative and individual user levels.

Administrator Controls

Practice administrators can configure MFA policies for staff members through Practice > Settings > Staff Management:

User Controls

Individual users can manage their own MFA settings through the Account Security section of their user profile:

MFA Enrollment Process

The following steps describe how a user enrolls in multi-factor authentication within 4D EMR:

Step 1 — Initiate Setup

The user navigates to their Account Security settings and clicks Enable to begin the two-factor authentication setup process.

Step 2 — Generate Secret Key

The system generates a unique TOTP secret key for the user. This secret is used to produce the time-based one-time passwords. The secret is presented in two formats:

• QR Code — A scannable QR code image that can be read by any TOTP-compatible authenticator application.
• Manual Entry Key — A text-based secret key for users who prefer to enter the key manually into their authenticator application.

Step 3 — Configure Authenticator Application

The user opens their preferred authenticator application and either scans the QR code or enters the manual key. The authenticator application will then begin generating six-digit verification codes for the 4D EMR account.

Step 4 — Verify Setup

To confirm that the authenticator is correctly configured, the user enters the current six-digit code displayed by their authenticator application into the verification field. The system validates the code against the stored secret to confirm a successful enrollment.

Step 5 — Activation

Upon successful code verification, MFA is activated for the user's account. All subsequent logins will require both the user's password and a valid TOTP code.

Authentication Workflow

Once MFA is enabled, the login process follows this sequence:

Factor 1 — Credentials

The user navigates to the 4D EMR login page and enters their username and password. The system validates these credentials against the stored identity using ASP.NET Identity. If the credentials are invalid, the login attempt is rejected.

Factor 2 — TOTP Verification

Upon successful credential validation, the system detects that MFA is enabled for the account and redirects the user to the Verify Code page. The user opens their authenticator application and enters the current six-digit code. The system validates the code using the TOTP algorithm (RFC 6238) against the user's stored secret key and the current time window.

Access Granted

If the TOTP code is valid, the user is fully authenticated and granted access to 4D EMR with all privileges associated with their role. If the code is invalid, the user is prompted to try again.

Technical Implementation

Security Considerations

• Secret Key Protection — Each user's TOTP secret is stored encrypted in the application database and is never transmitted after initial enrollment.
• Brute Force Protection — The TOTP algorithm's 30-second time window and six-digit code space provide protection against brute-force attempts. Failed verification attempts are logged.
• Security Stamp Validation — ASP.NET Identity's SecurityStamp mechanism ensures that changes to MFA settings immediately invalidate existing sessions.
• Transport Encryption — All authentication traffic, including MFA code submission, is encrypted via TLS 1.2/1.3 over HTTPS.
• Administrator Oversight — Practice administrators can enforce MFA for specific users and reset MFA enrollment when necessary (e.g., lost device).

Regulatory Compliance

The 4D EMR multi-factor authentication implementation satisfies the requirements of 45 CFR § 170.315(d)(13), which states that a Health IT Module must support multi-factor authentication for users with access to electronic health information. Specifically:

• § 170.315(d)(13) — The system requires authentication through at least two of the following factors: something the user knows (password) and something the user has (authenticator application generating TOTP codes).
• User-Level Configurability — MFA can be enabled or required on a per-user basis, allowing practices to tailor their security posture to their needs.
• Standards-Based — The TOTP implementation follows RFC 6238, an industry-standard algorithm widely supported by authenticator applications.