Preventing Brute-Force Attacks

Multi-Factor Authentication User Guide

Configure TOTP Integration Settings

Log on to the Mirth® Connect by NextGen Healthcare Administrator, and open the Settings view: The Settings link opens the Mirth Connect Settings View Select the MFA settings tab to view the current Multi-Factor Authentication Settings. Next to Enabled, select Yes to enable MFA. Next to MFA Type, select TOTP. Select the Save task on the left-hand side to save changes. Multi-Factor Authentication Settings Advanced Settings Typically none of these settings need to be changed beyond the default values, which should work with most multi-factor authenticator apps (such as, Google Authenticator, Authy, and so on). Account Name: The name associated with the private key. This is used when importing a key into an authenticator app to give the key a unique name. This name is also embedded into the generated QR code. Time Step Size: The amount of time (in milliseconds) to create time windows from. These windows are used to account for differences between the client and server clocks. The larger th

Multi-Factor Authentication User Guide

Logging In With TOTP

After self-enrolling and logging in for the first time, on subsequent login attempts you will no longer be shown the QR code / secret key. Instead you'll be prompted to enter in the latest verification code: Enter Verification Code window Open the authenticator app you used, and find the key associated with your server. Enter the verification code displayed in the app, and select OK. If the code was correct, the Administrator will log in as usual. Parent topic: Using TOTP Multi-Factor Authentication

Multi-Factor Authentication User Guide

Using TOTP Multi-Factor Authentication

Configure TOTP Integration Settings TOTP User Enrollment Logging In With TOTP Resetting TOTP User Credentials Preventing Brute-Force Attacks Configure TOTP Integration Settings TOTP User Enrollment Logging In With TOTP Resetting TOTP User Credentials Preventing Brute-Force Attacks

Mirth® Connect by NextGen Healthcare User Guide

Password Requirements

The following properties can be set in mirth.properties to enforce requirements on user passwords: Property Default Value Description password.minlength 0 Minimum password length, 0 for no minimum. password.minupper 0 Minimum uppercase characters, 0 for no minimum. password.minlower 0 Minimum lowercase characters, 0 for no minimum. password.minnumeric 0 Minimum numeric characters, 0 for no minimum. password.minspecial 0 Minimum special characters, 0 for no minimum. password.retrylimit 0 Maximum number of times a user may retry a failed login, 0 for no maximum. If specified, the lockout period must be specified as well. password.lockoutperiod 0 Amount of time (in hours) to lockout user when the retry limit has been exceeded, 0 for no lockout. password.expiration 0 After this amount of time (in days), passwords will expire. password.graceperiod 0 If user's password is expired, the amount of time (in days) to give the user to change password after the next login. password.reuseperiod 0 Th

Multi-Factor Authentication User Guide

Using the TOTP API Integration

After invoking the /users/_login endpoint, you will receive a payload like this: <com.mirth.connect.plugins.mfa.model.MfaLoginStatus> ... <primaryStatus>SUCCESS</primaryStatus></com.mirth.connect.plugins.mfa.model.MfaLoginStatus> Take note of primaryStatus, which lets you know whether primary authentication (username and password) succeeded. You should only proceed if the primary status is SUCCESS or SUCCESS_GRACE_PERIOD. Generate a new verification code by using the secret key you previously stored. Call the /users/_login endpoint again. On this second leg of authentication, only the username is required, not the password. Concatenate the username, primary status, and verification code with colons (":"). Then send the string as a custom header, X-Mirth-Login-Data. If the login call was successful, the server returns a JSESSIONID cookie for you to use on subsequent requests. Once you no longer need the session, call the /users/_logout endpoint to clear the session data on the server. P

Mirth® Connect by NextGen Healthcare User Guide

mirth.properties File

This is the main configuration file that tells Mirth® Connect where to store application data, what web server ports to listen on, and which database to connect to. You can also set other security and encryption options. The following properties are supported: Property Default Value Description Directories dir.appdata appdata The location of the Application Data Directory. dir.tempdata ${dir.appdata}/temp The location of the temporary files directory, by default set inside of the Application Data Directory. Ports http.port 8080 The HTTP port to make the web server available from. This is used to access the launch page and download signed client resources from. If this property is omitted or commented out, the web server only starts up on the HTTPS port. https.port 8443 The HTTPS port to make the web server available from. This is used to access the secure opening of a page, web dashboard, and all REST API traffic (which includes the Administrator and CLI) . Password Requirements passwo

Preventing Brute-Force Attacks

Recommendations

Configure TOTP Integration Settings

Logging In With TOTP

Using TOTP Multi-Factor Authentication

Password Requirements

Using the TOTP API Integration

mirth.properties File

Configure TOTP Integration Settings

Logging In With TOTP

Using TOTP Multi-Factor Authentication

Password Requirements

Using the TOTP API Integration

mirth.properties File