Configure MFA
Multi-Factor Authentication (MFA) adds an extra layer of security to the authentication procedure. It requires more than one form of identification and prevents unauthorized access to sensitive information.
Enabling MFA for your Charm account is highly recommended as it increases the security of Patient data and prevents unauthorized access. Here are a few reasons why EHR users should enable MFA:
- Enhanced security and protection against data breaches: MFA makes it difficult for unauthorized users to access sensitive Patient data.
- Compliance: HIPAA mandates security measures to ensure the confidentiality, integrity, and availability of PHI.
- Patient trust: MFA helps maintain Patients' trust and confidence that the healthcare system keeps their personal information confidential and secure.
Enable MFA
The Practice Admin can make MFA sign-in mandatory for all the Practice Members using the steps below:
- Go to the 'Settings > Security > Policies' section.
- Enable the toggle button under Two-Factor Authentication (TFA) for Practice Members.
- Click on the 'Save' button.
Note: Click on this link to view CharmHealth's Security and Password Policy.
MFA for Selective Members
The Practice Admin can enable or disable TFA for selective members from the 'Settings > Facility > Facility Members' section.
- Click on the 'More Options' icon alongside the member profile.
- Choose the 'TFA Preference' option.
- Enable the TFA toggle and enter the Practice Admin account password.
- Click on the 'Save' button.
Configure MFA Method
Once enabled, Practice Members can set up one of the second-level authentication methods listed below for their account.
Authenticator Apps
OTP authenticator apps are highly secure, free, and usable in low-network areas, and they provide backup codes for seamless login. Charm supports the Zoho and Google authenticator apps.
- Go to the 'Settings > Account > Two-Factor Authentication' section. The system will redirect you to the MFA setup page.
- Click on the 'Set Up Now' link available under the OTP Authenticator section.
- Scan the QR code or manually enter the alpha-numeric code in any authenticator app.
- Click on the 'Next' button.
- Enter the OTP displayed in your authenticator app and click 'Verify'.
Once enabled, the Charm system will prompt you to enter the OTP displayed on your Authenticator app when you log in with your email address and password.
Note: If you are offline during a login, choose the 'Sign-in another way' option in the authenticator app to view offline OTP or enable QR scan-in.
Hardware Tokens
To set up security key authentication, you will need:
- The latest version of Google Chrome or Opera browser. If you're using Mozilla Firefox, enable U2F support.
- A U2F-enabled Hardware Token.
Once you have these, follow the steps below:
- Go to the 'Settings > Account > Two-Factor Authentication' section. The system will redirect you to the MFA setup page.
- Select the 'Set Up Now' link available under the Security Key section.
- Click on the 'Next' button and verify yourself.
- Insert your Hardware Token into your computer's USB port and click 'Next'.
- Wait for the Token to blink. Then, tap on the golden disc to name your Security Token.
- Click on the 'Configure' button.
Supported Devices: YubiKey NEO, YubiKey 4 Nano, YubiKey 4, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO-n, YubiKey Edge, YubiKey Edge-n.
Once enabled, you can use your hardware token while logging into your CharmHealth EHR account.
SMS
- Go to the 'Settings > Account > Two-Factor Authentication' section. The system will redirect you to the MFA setup page.
- Select the 'Set Up Now' link available under the SMS-Based OTP section.
- Enter your 'Phone Number' and click 'Next'.
- Enter the SMS-based OTP received on your phone and click 'Verify'.
Once enabled, you will receive your login OTP via SMS to the registered phone number. Provide a backup phone number to which we can send the verification code if your primary device becomes inaccessible.
Passkey
- Go to the 'Settings > Account > Two-Factor Authentication' section. The system will redirect you to the MFA setup page.
- Click on the 'Set Up Now' link available under the Passkey section.
- Enter a name for the passkey to identify it, then click 'Next'.
- Select 'A Different Device' in the prompt.
- Scan the QR code using your mobile device's camera.
- Your device will prompt you with a setup flow. Follow the instructions to generate a passkey.
If the login and passkey devices are in sync, verify using your device's screen lock in the prompt. If they are not synced, follow the steps below:
- Enable Bluetooth on the passkey device and your login device.
- Go to the Charm sign-in page.
- Enter your username.
- Select the 'Passkey from nearby device/A different device' option.
- Scan the QR code using your mobile device's camera.
- When prompted, verify using your device's screen lock.
Exostar Authentication
Note: This option is available only for prescribers who have completed the EPCS registration process. Before choosing this option, make sure you have completed the EPCS registration process and obtained Two-Factor authentication from Exostar.
- Go to the 'Settings > Account > Two-Factor Authentication' section. The system will redirect you to the MFA setup page.
- Click on the 'Set Up Now' link available under the Exostar Authentication section.
- Choose the Exostar authentication mode: either Hardware token or Software token (Authentication app).
- Enter the verification code:
  - Software Token (OTP value displayed in the registered mobile's Authentication app)
  - Hardware Token (OTP value displayed in your Hardware token device)
- Click on the 'Next' button.
- Enter the OTP and click on the 'Verify' button.
Once enabled, you can generate Hardware or Software OTPs based on your MFA configuration while logging in.
MFA Recovery Options
Charm MFA offers backup codes that enable users to access their accounts in situations where they cannot use MFA.
You should generate and download a copy of the codes from the MFA setup page beforehand using the following steps:
- Go to the 'Settings > Account > Two-Factor Authentication' section.
- Click on the 'Generate Codes' button available under the 'MFA Recovery Options' section.
- Save the downloaded copy in a safe vault on your local device.
If you have your backup code with you, follow the steps below to log in:
- Go to the Charm login page.
- Enter your username and password and click on the 'Sign in' button.
- Choose the 'Can't access your device' link.
- Select the 'Backup Verification Code' option.
- Enter the backup code and click on the 'Verify' button.
If you are still unable to use TFA or reset your password, your Practice Admin can help you to reset the password or the TFA option using the steps below:
- Go to the 'Settings > Facility > Facility Members' section.
- Click on the 'More Options' icon alongside the member name.
- Choose one of the following options based on the Member's requirement:
  - Reset Password - Enter and confirm the new password, enter the reason for the reset, and click 'Update'.
  - Reset TFA - Enter the Practice Admin password and click 'Save'. This enables the member to reconfigure MFA from the beginning.
If you are a Practice Admin and unable to log in using MFA, please contact support@charmhealth.com.