Two-Factor Authentication is a feature that provides an additional level of security for Ocean users. As an Ocean Site Administrator, you have the ability to enforce Two-Factor Authentication for all users on your Ocean Site.
To set Two-Factor Authentication as mandatory for your Ocean Site:
-
- Click on the Site Features area.
- Set the Two Factor Authentication feature to "Mandatory for all users".
Note: In order to set Two-Factor Authentication as mandatory for all users on your Ocean site, you must first ensure that all pre-existing Ocean users on your Ocean site have Two-Factor Authentication enabled on their own individual user accounts. Please see below for more information on how to manage individual user compliance.
Managing Individual User Compliance
Before you can set Two-Factor Authentication as mandatory for all users on your Ocean site, all pre-existing users must first enable Two-Factor Authentication on their own Ocean user account. The easiest way to check this is to run a Two-Factor Authentication Compliance Report. The "2FA Configured" column in the report indicates whether each user has Two-Factor Authentication enabled. For users who do not have it enabled, you can instruct them to Enable Two-Factor Authentication for their Ocean user account.
Once all pre-existing users have enabled Two-Factor Authentication, you can then set it as mandatory for your Ocean site so that all newly invited users will be forced to configure Two-Factor Authentication before they can successfully join your Ocean site.
Alternatively, you can remove non-compliant individuals from your Ocean Site within the Users area, then set Two-Factor Authentication as mandatory for your Ocean site, and then re-invite the removed users so that they are forced to enable Two-Factor Authentication upon rejoining your Ocean site.
Newly Invited Ocean Users
Once Two-Factor Authentication has been set as mandatory for your Ocean site, newly invited users who do not have Two-Factor Authentication enabled will be prompted to enable it before they can join your Ocean site.
- Upon accepting the invitation, users will see a message indicating that the Ocean site they are joining requires Two-Factor Authentication, and be instructed to download an authenticator application before proceeding.
- Users are then presented with a QR code to scan with their authenticator application. They can then enter their Ocean user account password, and the 6-digit code provided by the authenticator application. Pressing Enable & Join Site enables Two-Factor Authentication for their user account, and allows them to join the Ocean site.
Single Sign-On Implications for Integrated EMRs
When users access Ocean through a Single Sign-On launch from their EMR or point-of-service system (using SMART on FHIR), the Single Sign-On launch replaces the Two-Factor Authentication requirement.
As part of setting up Ocean, users perform a one-time linkage between their Ocean user account and their EMR user account (i.e., when initiating a Patient Message or initiating an eReferral) to facilitate Single Sign-On.
At the time of establishing the linkage between the EMR user account and the Ocean user account, the user will be required to enter the authorization code generated by their authentication application.
Note: If the user has previously logged in directly to the Ocean Portal using the same browser and device that is now being used to establish the linkage between the EMR user account and the Ocean user account, and the user enabled the 'Trust this device for 30 days' checkbox during a previous login, they will not be prompted to enter the authorization code generated by their authentication application.
Once the linkage between the EMR user account and the Ocean user account has been successfully established, the user will never be required to enter an authentication code when launching from the EMR directly into Ocean.