Attestation: YES — the Retinex EHR product supports multi-factor authentication (MFA) and administrator-initiated MFA reset for any user.
1. Regulatory Reference
45 CFR §170.315(d)(13) — Multi-factor Authentication. The technology must support the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.
Retinex Health attests YES to this criterion. This page is the public-facing developer documentation published with the product on the ONC Certified Health IT Product List (CHPL).
2. Summary of Support
Retinex implements MFA using Time-based One-Time Passwords (TOTP) as specified in IETF RFC 6238, with secret provisioning per RFC 4226 (HOTP) and the otpauth:// URI format documented by the Google Authenticator project. TOTP is an industry-recognized standard and is interoperable with any RFC 6238-compliant authenticator app (Google Authenticator, Microsoft Authenticator, Authy, 1Password, Duo Mobile, etc.).
MFA is supported for every user account in the product, regardless of role. Administrators can reset a user’s MFA enrollment from the User Management admin panel without engaging the developer or support staff.
3. Authentication Factors
| Factor | Type | Element |
|---|---|---|
| 1 | Something the user knows | Account password (bcrypt-hashed, complexity rules enforced at registration and on reset) |
| 2 | Something the user has | TOTP code generated by an RFC 6238 authenticator app bound to a per-user secret |
Successful sign-in requires both factors. A valid password alone does not establish an authenticated session — the server marks the session mfaVerified = false until the TOTP code is verified, and all protected API routes reject requests that do not carry an MFA-verified session.
4. Standards and Algorithms
| Item | Standard / Value |
|---|---|
| TOTP algorithm | RFC 6238 |
| HOTP base | RFC 4226 |
| Hash function | HMAC-SHA1 (RFC 6238 default) |
| Code length | 6 digits |
| Time step | 30 seconds |
| Clock-drift tolerance | ±1 time step (±30 s) |
| Secret length | 160 bits (20 bytes), Base32-encoded per RFC 4648 |
| Provisioning URI | otpauth://totp/Retinex:<email>?secret=<base32>&issuer=Retinex |
| QR encoding | PNG data URI, scannable by any standard authenticator app |
| Password storage | bcrypt with per-user salt |
| Transport | TLS 1.2+ for all browser ↔ server and inter-service traffic |
5. End-User Enrollment Flow
- The user signs in with email and password.
- If the account has no enrolled MFA secret, the user is presented with the MFA setup screen.
- The server generates a fresh 160-bit Base32 secret, persists it to the user record, and returns an
otpauth://QR code. - The user scans the QR code with any RFC 6238 authenticator app.
- The user enters the 6-digit code shown by the app. The server verifies it against the stored secret (±30 s window).
- On successful verification, the server sets
mfaEnabled = trueon the user record and marks the sessionmfaVerified = true. - On every subsequent sign-in, the user is required to enter a fresh 6-digit code after the password step before any protected resource is accessible.
6. Administrator-Initiated MFA Reset
A user may lose access to their authenticator app (lost or replaced phone, app uninstalled, factory reset, etc.). Retinex provides an in-product admin workflow so that an authorized administrator can clear the user’s MFA enrollment and force re-enrollment on the next sign-in — for any user in the organization.
Who can perform the reset
Reset is restricted by RBAC to users holding the admin role (or any role granted the users:reset-mfa permission). The action is gated by the standard JWT guard and the admin-controller authorization check. Non-admin users do not see the Reset MFA control in the UI and receive 403 Forbidden if they call the underlying API directly.
Admin panel — step-by-step
- Sign in to Retinex as an administrator (password + MFA).
- Open User Management from the main navigation.
- Locate the user with the search bar (first name, last name, or email) or from the personnel list.
- Click the user row to open the Edit User screen.
- In the Security actions section, click Reset MFA.
- Confirm the action. The admin panel displays a success toast: “MFA reset — user will re-enroll on next login.”
- The user’s
mfaSecretis cleared andmfaEnabledis set tofalse. The existing authenticator entry for Retinex stops working immediately. - On next sign-in, the user is routed to the MFA setup screen and must enroll a new authenticator before they can access any protected resource.
Why self-service reset is intentionally not offered
Allowing a user to reset their own second factor using only the first factor (password) would collapse MFA back to single-factor authentication. Reset is therefore an out-of-band action performed by a trusted administrator after the user’s identity has been re-established through the organization’s normal help-desk procedures (phone call to a known number, in-person visit, or verified email exchange).
7. Audit Logging
Every MFA-related event is recorded by the audit microservice with actor user ID, target user ID (when different), source IP, user agent, timestamp, and outcome:
- MFA setup initiated / completed
- MFA verification success / failure (including invalid-code attempts)
- Administrator MFA reset (logged at WARN on the auth service and as a privileged-action audit record)
- Administrator password reset
- Account enable / disable (lock / unlock)
Audit records are immutable, append-only, and retrievable through the audit microservice for the organization’s compliance reviews.
8. Coverage
| User population | MFA supported | Admin reset supported |
|---|---|---|
| System administrators | Yes | Yes |
| Clinicians (MD, DO, NP, PA) | Yes | Yes |
| Nursing staff | Yes | Yes |
| Lab technicians | Yes | Yes |
| Front-desk / scheduling | Yes | Yes |
| Billing | Yes | Yes |
| Read-only / auditor roles | Yes | Yes |
| Break-glass / emergency-access sessions | Yes (MFA required before break-glass elevation) | Yes |
There are no user populations within Retinex that are exempt from MFA. Any human user with a Retinex account uses the flows described above.
9. Limitations / Out of Scope
- Patient-facing portal accounts are administered separately from clinician accounts and are out of scope for §170.315(d)(13), which addresses the certified Health IT product’s user authentication.
- SMS/email-delivered one-time codes are not used as a second factor, consistent with NIST SP 800-63B guidance discouraging SMS as a restricted authenticator.
- Hardware-token (FIDO2 / WebAuthn) enrollment is on the roadmap but is not required for §170.315(d)(13) attestation; TOTP satisfies the criterion.
10. MFA Use Cases
The scenarios below describe how MFA is actually exercised by users and administrators across the product. They are the developer-supplied use cases referenced by Retinex’s “YES” attestation to §170.315(d)(13). The two-factor model and standards are described in §3 Authentication Factors and §4 Standards and Algorithms; out-of-scope items are listed in §9 Limitations.
First-time MFA enrollment
Workflow
On first sign-in the user is routed to the MFA setup screen and completes enrollment as described in §5 End-User Enrollment Flow (scan the otpauth:// QR code, confirm a 6-digit code).
Outcome The account is bound to a second factor; all subsequent sign-ins require it (UC-2).
Returning user sign-in with MFA
Workflow
After the password step the session is held at mfaVerified = false until the user enters a current TOTP code on the MFA verification screen (per §5).
Outcome Access is granted only after both factors are presented in the same sign-in.
Invalid or expired code at verification
Workflow — exception path
- The user submits a 6-digit code that does not match the stored secret within the ±30 s window.
- The server rejects the code; the session remains
mfaVerified = falseand protected routes continue to return401 Unauthorized(“MFA verification required”). - The user is prompted to re-enter a current code.
Outcome No protected resource is accessible until a valid code is supplied. Each failed attempt is audit-logged (UC-6).
Lost authenticator / administrator MFA reset
Workflow — unique to this case
- The user re-establishes identity with the help desk through out-of-band procedures (callback to a known number, in-person check, verified email).
- The administrator performs the reset described in §6 Administrator-Initiated MFA Reset, which clears the user’s second factor for any user without engaging the developer.
- On next sign-in the user re-enrolls a fresh authenticator (UC-1) before any protected resource is accessible.
Outcome The user regains access only after identity re-verification and re-enrollment. Self-service reset is intentionally not offered (rationale and RBAC/authorization details in §6).
MFA required before emergency (break-glass) access
Workflow — unique to this case
- The emergency-access service checks
mfaEnabledfor the requesting account before any patient session is created. - If MFA is not enabled, the request is denied with
403 Forbidden(“MFA setup is required before emergency access”) and anEMERGENCY_SESSION_DENIEDaudit entry (reason “MFA not enabled”) is written. - If MFA is enabled and the session is MFA-verified (UC-2), the break-glass session proceeds under the emergency-access workflow.
Outcome Elevated, time-boxed emergency access can never be granted to an account that has not bound a second factor — MFA is a hard prerequisite for break-glass elevation.
Audit of MFA events
Outcome Every MFA event in the use cases above — including the break-glass denial (UC-5), which is specific to this set — is captured immutably by the audit microservice. The full event taxonomy and retention properties are documented in §7 Audit Logging.
11. Change Log
| Date | Version | Change |
|---|---|---|
| 2026-06-10 | 1.5 | UI: presented the Use Cases as structured cards (UC tag, Actor/Precondition meta, labeled workflow, highlighted outcome) for readability. |
| 2026-06-10 | 1.4 | Consolidated the Use Cases (merged the two reset cases, trimmed UC-1/UC-2/audit to reference §5, §6, and §7) to remove content duplicated from earlier sections; UC-1 – UC-6. |
| 2026-06-10 | 1.3 | Replaced the generic Use Case section with the concrete UC-1 – UC-7 scenarios from the MFA use-cases document. |
| 2026-06-10 | 1.2 | Trimmed Use Case section (10.2, 10.4, 10.5, 10.6) to cross-reference §4, §5, §7, and §8 instead of repeating their content. |
| 2026-06-10 | 1.1 | Added MFA Use Case Documentation section for ONC HTI-1 / §170.315(d) self-attestation. |
| 2026-05-25 | 1.0 | Initial public attestation document for CHPL listing. |
Support
For questions about Retinex Health’s MFA implementation or technical support requests, contact support@retinex.ai.