Account Security

Multi-Factor Authentication (MFA) improves the security of your account by requiring a secondary code to verify your identity. This extra layer of protection ensures that someone cannot misuse your account, even if they have your username and password. MFA is required to access portions of the UserWeb, Cosmos, Vendor Services, and Epic on FHIR to protect your account and any proprietary information.

What do I need to do?

Install an Authenticator App

Use your favorite authenticator app or install one on your smartphone.

Configure UserWeb MFA with your Authenticator App

If you are accessing the UserWeb, Cosmos, Vendor Services, and Epic on FHIR from your computer, open your authenticator app and scan the QR code. If you are accessing the UserWeb, Cosmos, Vendor Services, and Epic on FHIR from your phone, click the Copy icon next to your secret key. Open your authenticator app and manually add a new site. Paste your secret key into the Secret Key field.

Configuring the authenticator app manually?

  • Epic Authenticator
    • Open the app and click to create a new Manual Entry
    • Enter the account name of your choice and enter organization as UserWeb
    • Enter the secret key displayed under the QR code on the UserWeb configure page
    • Set the duration/period to 30 seconds, the number of digits to 6, and the algorithm to SHA1
    • Finish the setup and enter the code when prompted for it
  • Microsoft Authenticator
    • Open the app and click to create a new Manual Entry
    • Enter the account name of your choice
    • Enter the secret key displayed under the QR code on the UserWeb configure page
    • Finish the setup and enter the code when prompted for it
  • Google Authenticator
    • Open the app and click to create a new Manual Entry
    • Enter the account name of your choice
    • Enter the key displayed under the QR code on the UserWeb configure page
    • Set the key to be Time Based
    • Finish the setup and enter the code when prompted for it
  • Duo Mobile
    • Open the app and click to create a new Manual Entry
    • Select the Other option from the list of accounts
    • Enter the account name of your choice
    • Enter the key displayed under the QR code on the UserWeb configure page
    • Finish the setup and enter the code when prompted for it

Why should I use MFA?

Single-factor authentication allows you to access your account when you provide a valid username and password. The security of this method relies solely on the strength and security of your password. As a result, if your password becomes compromised, a malicious actor might be able to gain immediate access to your UserWeb, Vendor Services, and Epic on FHIR account.

Multi-factor authentication allows you to access your account only when you successfully present several separate pieces of information to an authentication process. MFA requires you to provide something you know, like a password or personal identification number (PIN), and something you have, like a push notification acknowledgement or token code sent to a smartphone. If the initial factor (such as your password) is compromised, a malicious actor still needs the second factor to access the system. This level of protection is particularly important when you access sensitive systems over unsecured or public networks.

What type of MFA is supported by the UserWeb, Cosmos, Vendor Services, and Epic on FHIR?

We've implemented the Time-based One-time Password (TOTP) authentication protocol, an extension of the one-time password (OTP) protocol that derives each code from the current time, so the same secret produces a different code in each time step. The UserWeb supports the use of any authenticator application installed on your phone.

The codes generated by your authenticator app through the TOTP authentication protocol are synchronized with the codes generated by the UserWeb. For security, each code is valid only for 30 seconds. Your authenticator app will work even when your phone cannot connect to the Internet. In cases where you don't have access to your phone, you can receive a secondary code by email instead. Emailed codes are valid only for 15 minutes.

Frequently Asked Questions

Can my healthcare organization use its own MFA solution? Yes, if your healthcare organization already requires MFA when accessing the UserWeb, you can continue using your organization's MFA solution. Reach out to your Epic representatives to discuss more about this option. Some sites, such as Cosmos, require the use of UserWeb MFA even when your organization uses its own MFA solution.

Do I have to install the Epic Authenticator on my phone? You can use any authenticator application of your choice and configure it to generate one-time passcodes to authenticate into the UserWeb, Cosmos, Vendor Services, and Epic on FHIR.

What do I do if I don't have my phone with me? The MFA login prompt has an option to send the code to the email address associated with your account. If you do not receive any emails or do not have a valid email associated with your account, contact UserWeb Support for help.

What do I do if I lose my phone or get a new phone? The MFA login prompt has an option to reset your MFA configuration. Instructions will be sent to the email address associated with your account. If you do not receive any emails or do not have a valid email address associated with your account, contact UserWeb Support for help.

What if I don't own a smartphone and therefore cannot install an authenticator app? The MFA login prompt has an option to send the code to the email address associated with your account.

Can I reset the MFA configuration on my account? Yes, the MFA login prompt has an option to reset the MFA configuration for UserWeb users. UserWeb users can also edit their UserWeb profile after logging in to the site to update this setting.

What if I experience MFA login errors or codes aren't working? Make sure the time on your phone is synced with Internet time: under "Date / Time", make sure "Set automatically" is turned on. Then, enter the code again. If that doesn't work, try clearing the browser cache.
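The manual-configuration settings above (30-second period, 6 digits, SHA1), the statement that app codes are synchronized with the UserWeb and valid for 30 seconds, and the clock-sync troubleshooting tip all follow from how TOTP (RFC 6238, built on HOTP from RFC 4226) computes a code. The following is an added illustration written for this page, not Epic's or the UserWeb's own code, and it uses a constructed sample secret rather than a real key. It generates codes the way an authenticator app does and shows a server-side check that tolerates one step of clock drift, so a phone whose clock is off by about a minute or more produces codes the server rejects, which is why "Set automatically" matters.

```python
import base64
import hashlib
import hmac
import struct
import time

# Parameters matching the manual-configuration instructions on this page.
PERIOD = 30           # seconds per code
DIGITS = 6            # code length
ALGORITHM = hashlib.sha1

# Constructed sample secret in base32, the form authenticator apps accept.
# This is NOT a real UserWeb secret key.
SAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def decode_secret(secret_b32):
    """Turn a displayed base32 secret (possibly spaced or lowercase) into raw bytes."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding that apps usually omit
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=DIGITS, algorithm=ALGORITHM):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, period=PERIOD, digits=DIGITS, algorithm=ALGORITHM):
    """RFC 6238: the counter is the number of whole periods since the Unix epoch."""
    return hotp(secret, int(at_time) // period, digits, algorithm)


def verify_totp(secret, submitted, server_time, window=1, period=PERIOD):
    """Server-side check: accept the current step and +/- `window` neighbouring steps
    to tolerate small clock drift. Compare in constant time to avoid timing leaks."""
    step = int(server_time) // period
    for delta in range(-window, window + 1):
        expected = hotp(secret, step + delta)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def code_from_drifted_phone_is_accepted(secret, server_time, drift_seconds):
    """Simulate a phone whose clock is `drift_seconds` ahead of the server."""
    phone_code = totp(secret, server_time + drift_seconds)
    return verify_totp(secret, phone_code, server_time)


if __name__ == "__main__":
    secret = decode_secret(SAMPLE_SECRET_B32)
    now = time.time()
    print("current code:", totp(secret, now))
    print("phone 20s fast accepted:", code_from_drifted_phone_is_accepted(secret, now, 20))
    print("phone 90s fast accepted:", code_from_drifted_phone_is_accepted(secret, now, 90))
```

The check uses a window of one step in each direction, which is a common choice; a wider window tolerates more drift but lengthens the time a captured code remains usable, and a narrower one rejects more legitimate phones. The drift functions show that a small offset is absorbed by the window while a larger one is not, matching the troubleshooting advice to turn on automatic time.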

What happens if I select the Remember me on this browser option? Selecting this option will not prompt you for the code on this browser for the specified number of days, unless you clear the browser cache. Accessing the site on another browser on the same device will continue to prompt you for MFA. Some sites, such as Cosmos, will continue to prompt you for MFA even if the browser is set to remember MFA for other UserWeb sites.

What if I still have questions? If you have issues you can't resolve, contact UserWeb Support for help.

How do I configure an authenticator app on my phone?