Multi-Factor Authentication (MFA) improves the security of your account by requiring a secondary code to verify your identity. This extra layer of protection ensures that someone cannot misuse your account, even if they have your username and password. MFA is required to access portions of the UserWeb, Cosmos, Vendor Services, and Epic on FHIR to protect your account and any proprietary information.
Install an Authenticator App
Use your favorite authenticator app or install one on your smartphone:
Configure UserWeb MFA with your Authenticator App
If you are accessing the UserWeb, Cosmos, Vendor Services, or Epic on FHIR from your computer, open your authenticator app and scan the QR code. If you are accessing one of these sites from your phone, click the Copy icon next to your secret key, open your authenticator app, and manually add a new site. Paste your secret key into the Secret Key field.
Configuring the authenticator app manually?
Single-factor authentication allows you to access your account when you provide a valid username and password. The security of this method relies solely on the strength and security of your password. As a result, if your password becomes compromised, a malicious actor might be able to gain immediate access to your UserWeb, Vendor Services, and Epic on FHIR account.
Multi-factor authentication allows you to access your account only when you successfully present several separate pieces of information to an authentication process. MFA requires you to provide something you know, like a password or personal identification number (PIN), and something you have, like a push notification acknowledgement or token code sent to a smartphone. If the initial factor (such as your password) is compromised, a malicious actor still needs the second factor to access the system. This level of protection is particularly important when you access sensitive systems over unsecured or public networks.
We've implemented the Time-based One-time Password (TOTP) authentication protocol, an extension of the one-time password (OTP) protocol that uses the current time as an input when generating the code. The UserWeb supports the use of any authenticator application installed on your phone.
The codes generated by your authenticator app through the TOTP authentication protocol are synchronized with the codes generated by the UserWeb. For security, each code is valid only for 30 seconds. Your authenticator app will work even when your phone cannot connect to the Internet. In cases where you don't have access to your phone, you can receive a secondary code by email instead. Emailed codes are valid only for 15 minutes.
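The sketch below is an added example, not Epic's or the UserWeb's code. It implements standard TOTP (RFC 6238) to show why the app and the server produce the same code without a network connection, and why a phone clock that is off leads to rejected codes. The 6-digit length, HMAC-SHA-1, the `drift_steps` tolerance parameter, and the sample secret (the RFC 6238 test key) are assumptions; only the 30-second step comes from this page.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, the validity period stated on this page
DIGITS = 6   # assumption: RFC 6238 default used by most authenticator apps

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Return the code an authenticator shows for this secret at unix_time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # secret keys are shared as base32
    counter = unix_time // step                       # index of the current time window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def seconds_remaining(unix_time, step=STEP):
    """Seconds until the current code is replaced by the next one."""
    return step - unix_time % step

def verify(secret_b32, submitted, server_time, drift_steps=0):
    """Server-side check. drift_steps (hypothetical parameter) is how many
    adjacent 30-second windows are also accepted to absorb clock skew."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, server_time + delta * STEP)
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    server_now = 1111111111       # constructed server clock
    phone_now = server_now - 2    # phone is 2 s slow, still in the previous window
    code = totp(SECRET, phone_now)
    print("phone shows", code, "for", seconds_remaining(phone_now), "more second(s)")
    print("accepted, current window only:", verify(SECRET, code, server_now))
    print("accepted, one window of drift:", verify(SECRET, code, server_now, 1))
```

Both sides compute the code from the shared secret key and their own clock, so nothing is transmitted when a code is generated; the only thing that can desynchronize them is the time.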
Can my healthcare organization use its own MFA solution? Yes, if your healthcare organization already requires MFA when accessing the UserWeb, you can continue using your organization's MFA solution. Reach out to your Epic representatives to discuss more about this option. Some sites, such as Cosmos, require the use of UserWeb MFA even when your organization uses its own MFA solution.
Do I have to install the Epic Authenticator on my phone? You can use any authenticator application of your choice and configure it to generate one-time passcodes to authenticate into the UserWeb, Cosmos, Vendor Services, and Epic on FHIR.
What do I do if I don't have my phone with me? The MFA login prompt has an option to send the code to the email address associated with your account. If you do not receive any emails or do not have a valid email associated with your account, contact UserWeb Support for help.
What do I do if I lose my phone or get a new phone? The MFA login prompt has an option to reset your MFA configuration. Instructions will be sent to the email address associated with your account. If you do not receive any emails or do not have a valid email address associated with your account, contact UserWeb Support for help.
What if I don't own a smartphone and therefore cannot install an authenticator app? The MFA login prompt has an option to send the code to the email address associated with your account.
Can I reset the MFA configuration on my account? Yes, the MFA login prompt has an option to reset the MFA configuration for UserWeb users. UserWeb users can also edit their UserWeb profile after logging in to the site to update this setting.
What if I experience MFA login errors or codes aren't working? Make sure the time on your phone is synced with Internet time: under "Date / Time", make sure "Set automatically" is turned on. Then, enter the code again. If that doesn't work, try clearing the browser cache.
What happens if I select the Remember me on this browser option? If you select this option, you will not be prompted for the code on this browser for the specified number of days, unless you clear the browser cache. Accessing the site on another browser on the same device will continue to prompt you for MFA. Some sites, such as Cosmos, will continue to prompt you for MFA even if the browser is set to remember MFA for other UserWeb sites.
What if I still have questions? If you have issues you can't resolve, contact UserWeb Support for help.
How do I configure an authenticator app on my phone?