UserWeb Multi-Factor Authentication (2024)

Account Security

Multi-Factor Authentication (MFA) improves the security of your account by requiring a secondary code to verify your identity. This extra layer of protection ensures that someone cannot misuse your account, even if they have your username and password. MFA is required to access portions of the UserWeb, Cosmos, Vendor Services, and Epic on FHIR to protect your account and any proprietary information.

What do I need to do?

Install an Authenticator App

Use your favorite authenticator app or install one on your smartphone:

Configure UserWeb MFA with your Authenticator App

If you are accessing the UserWeb, Cosmos, Vendor Services, and Epic on FHIR from your computer, open your authenticator app and scan the QR code.

If you are accessing the UserWeb, Cosmos, Vendor Services, and Epic on FHIR from your phone, click the Copy icon next to your secret key. Open your authenticator app and manually add a new site. Paste your secret key into the Secret Key field.

Configuring the authenticator app manually?

  • Epic Authenticator
    • Open the app and click to create a new Manual Entry
    • Enter the account name of your choice and enter organization as UserWeb
    • Enter the secret key displayed under the QR code on the UserWeb configure page
    • Select the duration/period as 30 seconds, the number of digits to be 6 and the algorithm to be SHA1
    • Finish the setup and enter the code when prompted for it
  • Microsoft Authenticator
    • Open the app and click to create a new Manual Entry
    • Enter the account name of your choice
    • Enter the secret key displayed under the QR code on the UserWeb configure page
    • Finish the setup and enter the code when prompted for it
  • Google Authenticator
    • Open the app and click to create a new Manual Entry
    • Enter the account name of your choice
    • Enter the key displayed under the QR code on the UserWeb configure page
    • Set the key to be Time Based
    • Finish the setup and enter the code when prompted for it
  • Duo Mobile
    • Open the app and click to create a new Manual Entry
    • Select the Other option from the list of accounts
    • Enter the account name of your choice
    • Enter the key displayed under the QR code on the UserWeb configure page
    • Finish the setup and enter the code when prompted for it

Why should I use MFA?

Single-factor authentication allows you to access your account when you provide a valid username and password. The security of this method relies solely on the strength and security of your password. As a result, if your password becomes compromised, a malicious actor might be able to gain immediate access to your UserWeb, Vendor Services, and Epic on FHIR account.

Multi-factor authentication allows you to access your account only when you successfully present several separate pieces of information to an authentication process. MFA requires you to provide something you know, like a password or personal identification number (PIN), and something you have, like a push notification acknowledgement or token code sent to a smartphone. If the initial factor (such as your password) is compromised, a malicious actor still needs the second factor to access the system. This level of protection is particularly important when you access sensitive systems over unsecured or public networks.

What type of MFA is supported by the UserWeb, Cosmos, Vendor Services, and Epic on FHIR?

We've implemented the Time-based One-time Password (TOTP) authentication protocol, which is an extension of the one-time password (OTP) protocol that considers the uniqueness of the current time when generating the code. The UserWeb supports the use of any authenticator application installed on your phone.

The codes generated by your authenticator app through the TOTP authentication protocol are synchronized with the codes generated by the UserWeb. For security, each code is valid only for 30 seconds. Your authenticator app will work even when your phone cannot connect to the Internet. In cases where you don't have access to your phone, you can receive a secondary code by email instead. Emailed codes are valid only for 15 minutes.

Frequently Asked Questions

Can my healthcare organization use its own MFA solution?

Yes, if your healthcare organization already requires MFA when accessing the UserWeb, you can continue using your organization's MFA solution. Reach out to your Epic representatives to discuss more about this option. Some sites, such as Cosmos, require the use of UserWeb MFA even when your organization uses its own MFA solution.

Do I have to install the Epic Authenticator on my phone?

You can use any authenticator application of your choice and configure it to generate one-time passcodes to authenticate into the UserWeb, Cosmos, Vendor Services, and Epic on FHIR.

What do I do if I don't have my phone with me?

The MFA login prompt has an option to send the code to the email address associated with your account. If you do not receive any emails or do not have a valid email associated with your account, contact UserWeb Support for help.

What do I do if I lose my phone or get a new phone?

The MFA login prompt has an option to reset your MFA configuration. Instructions will be sent to the email address associated with your account. If you do not receive any emails or do not have a valid email address associated with your account, contact UserWeb Support for help.

What if I don't own a smartphone and therefore cannot install an authenticator app?

The MFA login prompt has an option to send the code to the email address associated with your account.

Can I reset the MFA configuration on my account?

Yes, the MFA login prompt has an option to reset the MFA configuration for UserWeb users. UserWeb users can also edit their UserWeb profile after logging in to the site to update this setting.

What if I experience MFA login errors or codes aren't working?

Make sure the time on your phone is synced with Internet time: under "Date / Time", make sure "Set automatically" is turned on. Then, enter the code again. If that doesn't work, try clearing the browser cache.
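The TOTP description above and the clock-sync advice in this answer can be seen together in the following Python example, which is added here and is not Epic's or the UserWeb's code. It computes RFC 6238 codes with the parameters from the manual-entry steps (30-second period, 6 digits, SHA1) and shows a code from a drifted phone clock being rejected; the one-step tolerance in `verify` and the sample secret (the RFC test key) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

PERIOD, DIGITS = 30, 6  # values from the manual-entry steps; the hash is SHA1


def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second time-step counter."""
    cleaned = secret_b32.replace(" ", "").upper()  # apps often show grouped keys
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(unix_time) // PERIOD
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation picks 4 bytes of the MAC
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, server_time: float, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side of it.

    window=1 is an assumed tolerance, not a documented UserWeb setting.
    """
    for step in range(-window, window + 1):
        expected = totp(secret_b32, server_time + step * PERIOD)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False


# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo(server_time: float = 59):
    """Return (in-sync result, drifted result) for one server timestamp."""
    in_sync = totp(SAMPLE_SECRET, server_time)
    drifted = totp(SAMPLE_SECRET, server_time + 120)  # phone clock 2 min fast
    return (verify(SAMPLE_SECRET, in_sync, server_time),
            verify(SAMPLE_SECRET, drifted, server_time))


if __name__ == "__main__":
    print(demo())  # in-sync code accepted, drifted code rejected
```

Both sides derive the code only from the shared secret and their own clock, which is why the app works offline and why a phone clock that is minutes off produces codes the server never expects.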

What happens if I select the Remember me on this browser option?

Selecting this option will not prompt you for the code on this browser for the specified number of days, unless you clear the browser cache. Accessing the site on another browser on the same device will continue to prompt you for MFA. Some sites, such as Cosmos, will continue to prompt you for MFA even if the browser is set to remember MFA for other UserWeb sites.

What if I still have questions?

If you have issues you can't resolve, contact UserWeb Support for help.

How do I configure an authenticator app on my phone?

FAQs

Do security questions count as MFA?

When to Use Security Questions. Applications should generally use a password along with a second authentication factor (such as an OTP code) to authenticate users. The combination of a password and security questions does not constitute MFA, as both factors are the same (i.e. something you know).

Why is my multi-factor authentication not working?

Clear your browser's cookies and cache by deleting temporary internet files or cached files. After clearing your browser's cache, update the password associated with your account. Using your new password, sign in to your account and complete the steps in Multi-factor authentication setup.

Is 2FA the answer?

2FA is an effective way to ensure that an organization or individual doesn't fall victim to a cyberattack or hacker. 2FA utilizes time-sensitive token generators, or passcodes, to help prevent identity theft and data loss.

How do I complete multi-factor authentication?

  1. Step 1 - sign into Office 365 on your computer or laptop. ...
  2. Step 2 - installing the authenticator app on your mobile phone. ...
  3. Step 3 - return to your personal or.
  4. Step 4 - using your mobile.
  5. Step 5 - testing the authentication is working on your computer.

What does not count as a form of MFA?

Proper multi-factor authentication uses factors from at least two different categories. Using two from the same category does not fulfill the objective of MFA. Despite wide use of the password/security question combination, both factors are from the knowledge category--and don't qualify as MFA.

Is MFA foolproof?

While multi-factor authentication (MFA) is an important security measure, it is not foolproof against determined hackers. To enhance your overall security posture and protect against hacking attempts, it is essential to implement additional cybersecurity measures.

Can you bypass multi-factor authentication?

Attackers use various methods in MFA bypass attacks, including social engineering, phishing, and exploiting vulnerabilities in the authentication process.

What triggers multi-factor authentication?

When a user with MFA enabled logs into a website, they are prompted for their username and password (the first factor: what they know) and an authentication response from their MFA device (the second factor: what they have). If the system verifies the password, it connects to the other items.

Is 2FA unbeatable?

While 2FA does improve security, it is not foolproof. Two-factor authentication goes a step further in verifying identity than the user simply entering a PIN or CVV number from their credit card. However, hackers who acquire the authentication factors can still gain unauthorized access to accounts.

Can hackers beat 2FA?

Most 2FA methods involve sending temporary codes via SMS or emails, but these can be easily intercepted by hackers through account takeover, SIM swapping, and/or MitM attacks.

Is 2FA good enough?

With 2FA in place, the likelihood of unauthorized individuals gaining access to user accounts is significantly reduced. This is particularly crucial for sensitive accounts such as financial or email accounts.

How do I skip multi-factor authentication for requests?

Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. Browse to Conditional Access > Named locations. On the Service Settings page, under trusted IPs, select Skip multifactor-authentication for requests from federated users on my intranet. Click save.

What is an example of a multi-factor authentication?

Three Main Types of MFA Authentication Methods
  • Things you know (knowledge), such as a password or PIN.
  • Things you have (possession), such as a badge or smartphone.
  • Things you are (inherence), such as a biometric like fingerprints or voice recognition.

Is security question a two-factor authentication?

Security questions, such as "what is the name of your first pet?" are not 2FA because they substitute for your password. In 2FA, you need to input the two factors to authenticate (log in).

What constitutes MFA?

Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.

Is biometrics considered MFA?

To supplement the DoD's Identity Credential and Access Management (ICAM) strategy, and to enable alignment with Zero Trust principles, the Army needs innovative approaches and solutions to use biometrics as one of several factors in multi-factor authentication (MFA).

Is Passwordless considered MFA?

The biggest difference between passwordless authentication and MFA is that passwordless authentication eliminates the use of passwords. This differs from MFA which is used in conjunction with a username and password. When MFA is enabled on an account, users still have to enter their username and password.

Article information

Author: Sen. Emmett Berge