Enabling MFA for AthenaHealth to Enhance Security
- MFM News
- Feb 21
- 4 min read
Hello, MFM Team!
As part of our ongoing efforts to keep our data secure and protect against potential data breaches, we are implementing Multi-Factor Authentication (MFA) for AthenaHealth. MFA adds an extra layer of security by requiring more than just your password to access the system. This will be going live by March 7th.
Please take a moment to review the video and Common Q&A below, which explains the process and addresses common questions. If you have any questions or concerns, please direct them to Andrew Ting.
Thank you for your attention to this important security measure.
https://www.loom.com/share/8f3fd7b334434f8b86e5a5a2a92107a1?sid=3fa1156e-e962-4d26-8cd3-c05c2ef2097c
Q: What authentication methods are supported?
A: MFA for athenaOne login supports the following authentication methods, in addition to a user’s password:
Text Message (SMS): Receive a text with a one-time passcode to a phone number supplied by the user (distinct from the phone number in their athenaOne user profile).
Voice Call: Receive a phone call with a one-time passcode to a phone number supplied by the user (distinct from the phone number in their athenaOne user profile).
Authenticator App (TOTP): Use a time-based one-time passcode (TOTP) from an authenticator app (e.g., Google Authenticator, Microsoft Authenticator, Duo Mobile).
Users can freely download and set up any app using the TOTP standard with this authentication method: There is no requirement that your organization have a contractual relationship with the app’s developer, and there is no way to restrict users to a particular app (although for simplicity, they may prefer to use an app already deployed by your organization).
Okta Verify: Use the Okta Verify mobile app to receive a one-time passcode or push notification. As with other authenticator apps, users are free to use Okta Verify regardless of whether your organization has a contractual relationship with Okta.
Q: Which authentication methods can be used without a mobile device?
A: While mobile is the most convenient format for additional authentication, users without a mobile device may consider the following methods:
Voice Call by setting up a landline (e.g., desk phone associated with that user).
Text Message (SMS) or Voice Call using a phone number accessed over the internet (e.g., Google Voice).
Authenticator App (TOTP) by setting up a desktop app supporting the TOTP standard, or by recording (or memorizing) their setup key and using a TOTP generator like those available online.
Note that end user automations (like those configured by athenahealth’s Automation Services team) are likewise compatible with the above mobile alternatives.
Q: Where do users encounter MFA?
A: Like users’ passwords, MFA settings apply across all applications (e.g., athenaOne Mobile) and environments (such as Preview) where those athenaOne credentials are used. Users will encounter MFA when logging in to any application accessed with athenaOne credentials.
Q: How does MFA impact password reset?
A: MFA introduces an additional layer of authentication that does not replace email and security question verification used for password recovery. Therefore, resetting a password may be immediately followed by an additional authentication prompt before the user can access athenaOne.
Q: Why am I being asked to set up additional authentication?
A: If you are logging in as an athenaOne user for the first time, or MFA has been recently enabled for your account, you will be prompted to set up at least one authentication method in addition to your username and password. We strongly recommend you enroll a method that you’ll have access to regularly when using athenaOne, since losing access to this method could prevent you from logging in. If possible, we also recommend you enroll methods on different devices (for example, SMS on a cell phone and Voice Call with a desk phone) to reduce your chances of losing access.
Q: Can I change my authentication methods later?
A: Yes. At any time when you are logged into athenaOne, you can navigate to Settings (gear icon) > MY CONFIGURATIONS > User Profile and click the Authentication tab, where you can view, add, update, or delete your authentication methods.
Q: Why can I only choose from these methods?
A: The authentication methods shown reflect the strictest MFA policy enabled at organizations to which you have access. The stricter the policy, the fewer methods are available to you.
Q: Why am I getting prompted for my additional authentication method?
A: If you have previously set up authentication methods and your login is unrecognized (new device, IP, geolocation, login behavior, etc.), then you will be prompted for additional authentication using the method(s) you set up previously. Low-risk logins (e.g., those with the same characteristics as previous successful logins) will still allow access to athenaOne with just your username and password.
Q: If I set up multiple authentication methods, can I choose which one to use?
A: Yes. For convenience, the additional authentication prompt defaults to the last method you set up or verified. However, if you want to choose a different one, you can click the dropdown arrow next to the icon of your authentication method, then select your preferred method to use instead. You will not see this dropdown arrow if you only enrolled one authentication method, or if your other authentication methods are no longer allowed by your organization’s MFA policy.
Q: What do I do if my authenticator app or Okta Verify isn’t working?
A: Your device will not receive push notifications if it does not have an active Wi-Fi or cellular data connection. However, authenticator apps and Okta Verify will continue to provide valid one-time passcodes even if that device is offline. If your app is otherwise not loading, generating a passcode, or sending a push notification, then it could be a problem with your app or mobile device. These issues may be resolved by closing and re-opening the app or restarting your device, but do not delete and re-install the app – doing so will unlink that method from your athenaOne account, requiring you to delete and re-enroll that authentication method.