How to setup 2FA authenticator for IRIS users

Introduction

In the modern digital age, securing applications, particularly those handling sensitive health data, is paramount. The confidentiality, integrity, and availability of such data are crucial, necessitating robust security measures. Two-factor authentication (2FA) stands out as a critical enhancement in safeguarding access, adding an extra layer of security beyond just passwords. Recognizing the significance of this feature, InterSystems provides built-in support for 2FA in its database solutions. This tutorial aims to guide you through the process of configuring two-factor authentication in your InterSystems environment, ensuring that your data remains secure and accessible only to authorized users.

Understanding Two-Factor Authentication

Two-Factor Authentication (2FA) is a security process that requires users to provide two different authentication factors to verify themselves. This method significantly enhances security by adding an extra layer of verification beyond just a password, making unauthorized access considerably more challenging. In the context of healthcare data, which is highly sensitive and subject to stringent regulatory protections, 2FA is particularly critical. It ensures that access to medical records, patient information, and other critical health data is tightly controlled and only available to authenticated users. By implementing 2FA, healthcare providers and organizations can significantly mitigate the risk of data breaches and unauthorized access, ensuring compliance with privacy regulations and safeguarding patient trust.

Prerequisites

• InterSystems IRIS Installation: Ensure you have InterSystems IRIS installed and properly configured on your system. This is the core platform you will be working with.
• Mobile Device with Authentication Software: Possession of a mobile device equipped with an authentication app, such as Google Authenticator or Microsoft Authenticator. This device will be used to receive or generate the second factor of authentication, crucial for completing the two-factor authentication setup and verification process within the InterSystems IRIS environment.
• System Access: You should have administrative or the necessary privileged access to the InterSystems IRIS environment where you intend to set up two-factor authentication.

Step-by-Step Guide to Configuring Two-Factor Authentication in InterSystems IRIS

Step 1: Accessing the Authentication Settings

1. Navigate to the InterSystems IRIS Management Portal.
2. In the portal, go to System Administration > Security > System Security > Authentication / Web Session Options.  
3. Here, you will find various authentication settings. Look for the option labeled Allow Two-factor Time-based One-time Password authentication check this box to enable it and save.

Step 2: Enabling Two-Factor Authentication for the Terminal Service

1. Within the InterSystems IRIS Management Portal, navigate to System Administration > Security > Services.
2. Find the service named %Service_Terminal. Click on it to view its properties.
3. Look for an option titled Two-factor Time-based One-time Password check this box and save. This step is crucial as it ensures that the terminal service will require two-factor authentication for users who have this feature enabled in their profiles.

By completing this step, you're setting up a foundational layer of security that mandates a two-factor authentication process for terminal access, enhancing the security for users accessing the system.

Step 3: Configuring Two-Factor Authentication for Web Applications

1. Proceed to System Administration > Security > Applications > Web Applications in the InterSystems IRIS Management Portal.
2. Locate and select the path /csp/sys/ within the web applications list.  
3. In the settings, find Allowed Authentication Methods. Here, ensure you check the option Two-Factor Time-Based One-Time Password and then save your changes.

Activating this setting is imperative to enforce two-factor authentication for accessing the management portal, thereby augmenting security for administrative functionalities.

Step 4: Enabling Two-Factor Authentication for a User

1. In the InterSystems IRIS Management Portal, navigate to System Administration > Security > Users.
2. Select the user account for which you want to enable two-factor authentication.
3. Find and check the option Time-Based One-Time Password Enabled under the Two-Factor Authentication settings for that user.
4. Upon enabling this, a QR code will be generated. The user must scan this QR code using an authentication app (such as Google Authenticator or Microsoft Authenticator). This app will then generate the token numbers required for the user to access the database securely with two-factor authentication.

This step ensures individual user accounts are fortified with an additional security layer, requiring a generated token for database access, enhancing the overall security posture.

Verification Process

Once you've enabled two-factor authentication (2FA) for your user account in InterSystems IRIS, the next time you attempt to log in through the portal, the system will prompt you for the second factor of authentication. Here's how this process generally unfolds:

1. Upon entering your standard login credentials, the portal will now request a time-based one-time password (TOTP).
2. Open your authentication app (e.g., Google Authenticator or Microsoft Authenticator) to retrieve the current TOTP.
3. Enter this code into the portal's authentication prompt to gain access.

This added step verifies that the user is authorized with both something they know (their password) and something they have (access to the token generated by their authenticator app), significantly increasing account security.

P.S. Terminal Access: In a similar vein to portal access, when you enter the terminal, the system will also require the time-based one-time password (TOTP) provided by your authenticator app. This step is crucial to ensure a consistent and reinforced security layer is maintained across various access interfaces, safeguarding every point of entry with the robust two-factor authentication.