Multifactor Authentication for athenaOne Login

MFA adds a layer of protection for sensitive information in athenaOne by requiring users to provide two or more pieces of evidence (factors) to confirm their identity during login, where one of these factors is their password. This feature allows athenaOne customers to enable MFA that is built natively within athenaOne’s login functionality and extends to all applications accepting athenaOne user credentials, including athenaOne Mobile and athenaText mobile apps.

• MFA for athenaOne Login must be enabled by a practice administrator: Users will not be enabled for MFA automatically and will only be prompted to set up or verify this additional authentication upon login if their practice administrator has enabled this feature.
  
  

• When MFA is enabled, users are not prompted to verify an additional factor on every login: Each login event is automatically assigned a risk score based on inputs such as the user’s device, geolocation, IP address, and past login behavior. If the risk score is low (for example, if the user is logging in from a familiar device and location), additional authentication is not required, and the user can proceed to log into athenaOne with only their username and password.
  
  

• MFA does not replace other authentication methods already supported in athenaOne: MFA for athenaOne login does not apply to or interfere with electronic prescribing of controlled substances (EPCS) in athenaOne (which relies on Symantec VIP for additional authentication), nor does it replace security questions used for additional authentication when resetting an athenaOne password.

MFA for athenaOne offers four different authentication factors, in addition to a user’s password.

If a practice administrator wants to enable MFA for their practice, they must choose from two policies that determine which of those factors above are available to their users. Policies are tiered by security level, reflecting the minimum ability of factors in that policy to accurately confirm a user’s identity and prevent security breaches.

• Lower security: Okta Verify App, Google Authenticator App, SMS Authentication, Voice Call Authentication
• Higher security: Okta Verify App, Google Authenticator App

If you are a Master User Admin, you can enable MFA for your practice by navigating in athenaOne to > Admin | Practice Manager > MFA Policy Settings.

You should not enable MFA for your users without first reviewing our Onboarding Checklist and Troubleshooting FAQ.

The first time you visit the page, you will see that all settings are unselected and the toggle at the top of the page indicates MFA is currently disabled. To enable MFA for some or all users at your practice, click the toggle and complete each of the on-screen steps to finish setup, detailed below. Changes to your MFA policy settings will not be applied or saved until you have completed your selections and clicked Submit at the bottom of the page.

You must first choose the MFA policy that will apply to your users, selecting from either the lower security or higher security tier. As described in the previous section, the selected policy will determine which factors users can choose from when enrolling MFA for their account.

Choose Lower security to allow users to enroll in additional authentication using any of the following:

• Okta Verify App

• Google Authenticator App

• SMS Authentication

• Voice Call Authentication

Choose Higher security to allow users to enroll in additional authentication using either of the following:

• Okta Verify App

• Google Authenticator App

You must then choose which users at your practice will be enabled for MFA, selecting from two options:

• Click Turn on for everyone to enable your selected MFA policy for all users with access to your practice. Selecting this option will automatically enable new users that are added to your practice.

• Click Turn on for individual users to enable your selected MFA policy only for users you specify. Selecting this option will display a table to Manage Users for Limited Rollout, where you will add those users for which you would like MFA enabled. You can look up users and add them by clicking or upload the list of users in a spreadsheet by clicking .

1. Search for individual users: To look up an individual user to add to your MFA rollout, click , then use the search box to look up a user by their first name, last name, or their athenaOne username. Click Searchto display results, which are sorted alphabetically by username.
   Note only the first few results are displayed, therefore you may need to use multiple search terms to filter to a specific user.

2. Add selected users: From the search results, click the checkbox next to one or more users you would like included in your MFA rollout, then click Add User.
   The search box will close automatically, and your selected users will then be reflected in the table under Manage Users for Limited Rollout. You can click again and repeat the process above to continue adding users to the table.
   

Add multiple users to the MFA rollout

To specify many users at once to add to your MFA rollout, you can upload a spreadsheet of athenaOne usernames. You do not need to edit this spreadsheet for duplicate or non-existent usernames, as those will be filtered out automatically during file upload.

1. To populate the usernames in your spreadsheet to the table in Manage Users for Limited Rollout, click .
   A file navigator will appear for you to search and open the CSV file from your computer.

2. Click Open and observe that all eligible usernames have been added to the rollout table. Any usernames that fail validation and are excluded from file upload will be summarized above the table with a button to Download Report for the full list of usernames and corresponding error reasons.
   
   
   

3. You can delete users you have previously added to the table by selecting them individually from the list and clicking the delete icon.
   

This step applies only to practices that have enabled inbound single sign-on (SSO) to athenaOne from one or more of their own identity providers (i.e., using login credentials managed by the practice instead of an athenaOne username and password) and is hidden for all other practices. If this step is visible, your practice’s enabled SSO connections will be listed here with toggles indicating whether MFA is enabled for users that access athenaOne through that identity provider.

• If the toggle for an identity provider is left OFF, all users that access athenaOne through that SSO connection will be excluded from your selected MFA policy, even if those users were specified in Step 2.

• If the toggle for an identity provider is turned ON, any users that access athenaOne through that SSO connection and were specified in Step 2 will be enabled for your selected MFA policy. Users excluded from Step 2 will not be enabled for MFA, even if their identity provider used to access athenaOne is toggled ON for this step.

Note
A practice might prefer to leave the toggle OFF for an SSO connection if MFA has been separately implemented and enforced through that identity provider. Otherwise, if the toggle for that SSO connection were turned ON, those users might be prompted twice for an additional factor (once through their identity provider’s MFA policy and again by the practice’s MFA policy in athenaOne) upon login to athenaOne.

To save and apply your MFA policy settings, click Submit at the bottom of the page, then review the confirmation prompt and click Confirm if you are ready to enable MFA for the selected users. If you would instead like to back out or discard your changes, click Cancel at the bottom of the page.

Once you have submitted policy settings to enable MFA, you will be shown a summary of your current settings and rollout status. On this page:

• If you chose rollout to individual users, you can click View List of Users or Download CSV for details on those users currently enabled for MFA.

• You can click Edit to make further changes to your settings.

• You can click the toggle at the top of the page to quickly disable or re-enable MFA for all users specified for MFA rollout.

If you have recently updated your settings for a large number of users, you may see a different-colored badge next to Rollout Status indicating those changes are still being applied. A yellow status indicates changes are in progress and reports how many users have so far been enabled, while a red status indicates changes are stalled due to a known service outage.

Managing MFA across your reporting network

If your practice is part of a reporting network, you can optionally manage MFA rollout across all practices in that reporting network by logging in to the reporting network’s parent context in athenaOne and navigating to the MFA Policy Settings there. In the MFA Policy Settings for the parent context, you can search, add, or upload users from all child practices, and you can view and toggle MFA on or off for all single sign-on connections to those child practices.

If a Master User Admin at the child practice navigates to the MFA Policy Settings when the parent context has MFA enabled, they will not be able to edit their settings and the Summary page will display the policy chosen by the parent context.

When MFA is enabled for your account, you will be presented with the setup page for MFA on your next athenaOne login. This page appears immediately after entering your username and password on the athenaOne login page and requires you to set up one or more factors as your second layer of authentication before proceeding into athenaOne.

Important
Each user may have a different choice in factors than those shown above, depending on the athenaOne MFA policy enabled by their practice administrator(s).

If your practice administrator has chosen higher security policy for MFA, you only have the option to set up the Okta Verify app or Google Authenticator app.

If your practice administrator has chosen the lower security policy for MFA, you have the option to set up any of the four factors – Okta Verify App, Google Authenticator App, SMS Authentication, or Voice Call Authentication.

Users belonging to multiple athenaOne practices with different policies will have the option to set up only those factors included in the most secure policy enabled by those practices.

On the Non-Clinician home page, click a patient name in the scheduleFollowing are the steps that you will perform to set up Okta Verify as an additional factor for athenaOne login:

1. On the setup page, click Set Up below the Okta Verify App option.
2. Select the type of device – iOS or Android – on which you will install and use the Okta Verify app for additional authentication, then click Next. To set up a different factor instead, click Choose a different security option.

3. Follow the onscreen instructions to open the Okta Verify app (you will need to download the app if you have not done so in the previous step) and scan the QR code with your mobile device’s camera.

4. If you can’t scan a QR code or your device does not have a camera, click Can’t scan? below the QR code to activate Okta Verify using a different setup option.

1. To set up Okta Verify using the QR code, open the Okta Verify app on your mobile device, tap Add Account, choose Other as your account type, and then tap Yes, Ready to Scan to open your device’s camera to scan the QR code. When your device recognizes the QR code, it will automatically show the account as added in both the Okta Verify app and the device on which you are logging in to athenaOne.

On your mobile device:

On the device from which you are logging in to athenaOne:

The above image indicates the Okta Verify app has been activated on your device and your factor setup is complete.

2. If you instead clicked Can’t scan? to activate Okta Verify on your mobile device without a QR code, select from the Setup Options drop-down menu to choose your method, complete any required fields, then click Send; a link will be sent by the chosen method to your mobile device. Tap the link to automatically open and activate the Okta Verify app, to complete your factor setup.

On your mobile device:

On the device from which you are logging in to athenaOne:

If you have previously set up Okta Verify App as a factor, you may receive the following prompt for additional authentication immediately after entering your username and password on the athenaOne login page.

1. Click Send Push to receive a notification on the mobile device you originally used to set up Okta Verify.
2. If you cannot or prefer not to receive a push notification, click Or enter code to manually input the one-time code shown in your Okta Verify app.
3. If you have previously set up multiple factors, you can click the toggle next to the Okta Verify icon to choose another one of your factors for authentication.

4. If you click Send Push, you can complete authentication on your mobile device by tapping the notification and, when redirected to the Okta Verify app, tapping Yes, it’s Me.
5. On your mobile device a pop-up appears at the bottom of your screen indicating successful authentication, and on your login device you will automatically be redirected into athenaOne.

6. If you click Or enter code, a field will appear to input the one-time code generated by your Okta Verify app. This code changes every 30 seconds (as indicated by a progress bar at the top of the app window) and will expire and not be accepted for authentication once a new code is generated. Therefore, you must be quick to input this code on the device on which you’re logging in to athenaOne. Enter a valid code in the Enter Code field and click Verify to complete authentication and get redirected into athenaOne.

In the Okta Verify app on your mobile device:

On the device from which you’re logging in to athenaOne:

Following are the steps that you will perform to set up Google Authenticator as an additional factor for athenaOne login:

1. On the setup page, click Set Up below the Google Authenticator App option.
2. Select the type of device – iOS or Android – on which you will install and use the Google Authenticator app for additional authentication, then click Next.
3. To set up a different factor instead, click Choose a different security option.

4. Follow the onscreen instructions to open the Google Authenticator app (you will need to download the app if you have not done so in the previous step) and scan the QR code with your mobile device’s camera. If you can’t scan a QR code or your device does not have a camera, click Can’t scan? below the QR code to activate Okta Verify using a different setup option.

5. To set up Google Authenticator;

1. Using the QR code - open the Google Authenticator app on your mobile device and when prompted to add an account, tap Scan a QR code to open your device’s camera to scan the QR code. When your device recognizes the QR code, it will automatically show the account as added in the Google Authenticator app. You can repeat this step using any other devices for which you would like to set up your Google Authenticator factor.

2. If you instead clicked Can’t scan? to activate Google Authenticator on your mobile device without a QR code, you are presented with a secret key. Open the Google Authenticator app on your mobile device and when prompted to add an account, tap Enter a setup key. Enter a label of your choice (e.g., “athenaOne”) in the Account field, and enter the secret key in the Key field. The secret key is not case-sensitive, so you can ignore capitalization. Tap Add to show your account as added in the Google Authenticator app. You can repeat this step using any other devices for which you would like to set up your Google Authenticator factor.

In the Google Authenticator app on your mobile device:

On the device from which you’re logging in to athenaOne:

6. On the device on which you are logging in to athenaOne, click Next. A field will appear to input the one-time code generated by your Google Authenticator app. This code changes every 30 seconds (as indicated by a circular progress indicator to the right of the code) and will expire and not be accepted for authentication once a new code is generated. Therefore, you must be quick to input this code on the device on which you’re logging in to athenaOne. Enter a valid code in the Enter Code field and click Verify to complete authentication and get redirected into athenaOne.

If you have previously set up Google Authenticator App as a factor, you may receive the following prompt for additional authentication immediately after entering your username and password on the athenaOne login page. If you have previously set up multiple factors, you can click the toggle next to the Google Authenticator icon to choose another one of your factors for authentication.

To complete verification using Google Authenticator, first enter the one-time code generated by your Google Authenticator app in the Enter Code field. This code changes every 30 seconds (as indicated by a circular progress indicator to the right of the code) and will expire and not be accepted for authentication once a new code is generated. Therefore, you must be quick to input this code on the device on which you’re logging in to athenaOne. Enter a valid code and click Verify to complete authentication and get redirected into athenaOne.

On the device from which you’re logging in to athenaOne:

In the Google Authenticator app on your mobile device:

Following are the steps that you will perform to set up SMS as your additional factor for athenaOne login:

1. On the setup page, click Set Up below the SMS Authentication option.
2. Select the country code and enter the number in the Phone number field of the mobile phone you would like to use as your additional authentication factor.
3. Click Send Code to send a text message with a one-time code to your phone number.
4. To set up a different factor instead, click Choose a different security option.

5. Open the text message with your one-time code on your mobile phone, then enter this code in the Enter Code field and click Verify. If the code is valid, your authentication is complete, and you will be automatically redirected into athenaOne. If after a minute you have not received a text message with your one-time code, you will see a prompt to click Re-Send Code to receive a new one.

If you have previously set up SMS Authentication as a factor, you may receive the following prompt for additional authentication immediately after entering your username and password on the athenaOne login page. If you have previously set up multiple factors, you can click the toggle next to the SMS icon to choose another one of your factors for authentication.

To complete verification using SMS Authentication:

1. Click Send Code to receive a text message at the mobile number you originally used to set up your SMS factor, for which the last four digits are shown on your screen.
2. Enter the code received in that text message in the Enter Code field and click Verify to be redirected into athenaOne.

Following are the steps that you will perform to set up a phone call as your additional factor for athenaOne login:

1. On the setup page, click Set Up below the Voice Call Authentication option.
2. Select the country code and enter the number in the Phone number field of the mobile phone or landline you would like to use as your additional authentication factor
3. If your phone number has an extension, you can provide it in the Extension field.
4. Click Send Code to receive a phone call with a one-time code.
5. To set up a different factor instead, click Choose a different security option.

6. Answer the phone call and listen for the one-time code. If you do not answer this call, you will receive a voicemail with the code. Enter this code in the Enter Code field and click Verify. If the code is valid, your authentication is complete, and you will be automatically redirected into athenaOne. If after a minute you have not received a phone call with your one-time code, you will see a prompt to click Redial to receive a new one.

If you have previously set up Voice Call Authentication as a factor, you may receive the following prompt for additional authentication immediately after entering your username and password on the athenaOne login page. If you have previously set up multiple factors, you can click the toggle next to the phone icon to choose another one of your factors for authentication.

To complete verification using Voice Call Authentication, first click Call to receive a phone call at the number you originally used to set up your voice call factor, for which the last four digits are shown on your screen. If you do not answer this call, you will receive a voicemail. Enter the code received in that call or voicemail in the Enter Code field and click Verify to be redirected into athenaOne.

You can manage the authentication factors that you have already enrolled in or set up a new factor by navigating to athenaOne > Settings > My Configurations | User Profile > Update User Profile page > Authentication tab.

• The factors which you have already setup will have a .
• To update your factors, enter your current password in the provided field to verify your identity.

• After verification of your password, you can update/set up the factors for your account.

To update SMS Authentication

1. Select Country, enter the required Phone number, and click Send Code.
2. Enter the code received through SMS in the Verify Code field and click Verify.

To update Okta Verify App

1. Open the app on your mobile device and follow the app’s instructions to add an account.
2. Once you have added the new account, you can delete the old one as it will no longer be accepted for authentication.
3. Scan the QR code to authenticate this factor.

4. You can choose to update manually as shown below.

5. You can choose to update by receiving an activation link via SMS as shown below.

To update Google Authenticator App

1. Open the Google Authenticator app on your mobile device and follow the app’s instructions to add an account.
2. Once you have added the new account, you can delete the old one as it won’t be accepted.
3. Scan the QR code to authenticate this factor.

4. You can choose to update manually as shown below.

To update Voice Call Authentication

1. Select Country, enter the required Phone number, and click Call.
2. Enter the code received through call in the Verify Code field and click Verify.

If you are a User Admin, you will be able to view and reset authentication factors for a particular user or user group. To do this, you can navigate to athenaOne > > Admin | User > Users > User Admin page.

1. Search for the user whose factors you want to view or reset.
2. Click on Update next to the user's name.
3. In this page under the Security tab, you can now view the Active Multifactor Authentication section which lists all the factors enabled for that user.

4. You can click on the trash can next to the factor which you want to remove for that user.

5. When you attempt to remove the last enrolled factor for a user, you will be prompted to confirm your action because user will be required to set up at least one factor on their subsequent login.