§170.315(d)(13) · Multi-Factor Authentication

Multi-Factor Authentication (MFA)

Public-facing description of Retinex Health's MFA implementation.

Version 1.5 Updated 2026-06-10 Publicly accessible · No charge
Attestation: YES — the Retinex EHR product supports multi-factor authentication (MFA) and administrator-initiated MFA reset for any user.

1. Regulatory Reference

45 CFR §170.315(d)(13) — Multi-factor Authentication. The technology must support the authentication, through multiple elements, of the user’s identity with the use of industry-recognized standards.

Retinex Health attests YES to this criterion. This page is the public-facing developer documentation published with the product on the ONC Certified Health IT Product List (CHPL).

2. Summary of Support

Retinex implements MFA using Time-based One-Time Passwords (TOTP) as specified in IETF RFC 6238, with secret provisioning per RFC 4226 (HOTP) and the otpauth:// URI format documented by the Google Authenticator project. TOTP is an industry-recognized standard and is interoperable with any RFC 6238-compliant authenticator app (Google Authenticator, Microsoft Authenticator, Authy, 1Password, Duo Mobile, etc.).

MFA is supported for every user account in the product, regardless of role. Administrators can reset a user’s MFA enrollment from the User Management admin panel without engaging the developer or support staff.

3. Authentication Factors

FactorTypeElement
1Something the user knowsAccount password (bcrypt-hashed, complexity rules enforced at registration and on reset)
2Something the user hasTOTP code generated by an RFC 6238 authenticator app bound to a per-user secret

Successful sign-in requires both factors. A valid password alone does not establish an authenticated session — the server marks the session mfaVerified = false until the TOTP code is verified, and all protected API routes reject requests that do not carry an MFA-verified session.

4. Standards and Algorithms

ItemStandard / Value
TOTP algorithmRFC 6238
HOTP baseRFC 4226
Hash functionHMAC-SHA1 (RFC 6238 default)
Code length6 digits
Time step30 seconds
Clock-drift tolerance±1 time step (±30 s)
Secret length160 bits (20 bytes), Base32-encoded per RFC 4648
Provisioning URIotpauth://totp/Retinex:<email>?secret=<base32>&issuer=Retinex
QR encodingPNG data URI, scannable by any standard authenticator app
Password storagebcrypt with per-user salt
TransportTLS 1.2+ for all browser ↔ server and inter-service traffic

5. End-User Enrollment Flow

  1. The user signs in with email and password.
  2. If the account has no enrolled MFA secret, the user is presented with the MFA setup screen.
  3. The server generates a fresh 160-bit Base32 secret, persists it to the user record, and returns an otpauth:// QR code.
  4. The user scans the QR code with any RFC 6238 authenticator app.
  5. The user enters the 6-digit code shown by the app. The server verifies it against the stored secret (±30 s window).
  6. On successful verification, the server sets mfaEnabled = true on the user record and marks the session mfaVerified = true.
  7. On every subsequent sign-in, the user is required to enter a fresh 6-digit code after the password step before any protected resource is accessible.

6. Administrator-Initiated MFA Reset

A user may lose access to their authenticator app (lost or replaced phone, app uninstalled, factory reset, etc.). Retinex provides an in-product admin workflow so that an authorized administrator can clear the user’s MFA enrollment and force re-enrollment on the next sign-in — for any user in the organization.

Who can perform the reset

Reset is restricted by RBAC to users holding the admin role (or any role granted the users:reset-mfa permission). The action is gated by the standard JWT guard and the admin-controller authorization check. Non-admin users do not see the Reset MFA control in the UI and receive 403 Forbidden if they call the underlying API directly.

Admin panel — step-by-step

  1. Sign in to Retinex as an administrator (password + MFA).
  2. Open User Management from the main navigation.
  3. Locate the user with the search bar (first name, last name, or email) or from the personnel list.
  4. Click the user row to open the Edit User screen.
  5. In the Security actions section, click Reset MFA.
  6. Confirm the action. The admin panel displays a success toast: “MFA reset — user will re-enroll on next login.”
  7. The user’s mfaSecret is cleared and mfaEnabled is set to false. The existing authenticator entry for Retinex stops working immediately.
  8. On next sign-in, the user is routed to the MFA setup screen and must enroll a new authenticator before they can access any protected resource.

Why self-service reset is intentionally not offered

Allowing a user to reset their own second factor using only the first factor (password) would collapse MFA back to single-factor authentication. Reset is therefore an out-of-band action performed by a trusted administrator after the user’s identity has been re-established through the organization’s normal help-desk procedures (phone call to a known number, in-person visit, or verified email exchange).

7. Audit Logging

Every MFA-related event is recorded by the audit microservice with actor user ID, target user ID (when different), source IP, user agent, timestamp, and outcome:

  • MFA setup initiated / completed
  • MFA verification success / failure (including invalid-code attempts)
  • Administrator MFA reset (logged at WARN on the auth service and as a privileged-action audit record)
  • Administrator password reset
  • Account enable / disable (lock / unlock)

Audit records are immutable, append-only, and retrievable through the audit microservice for the organization’s compliance reviews.

8. Coverage

User populationMFA supportedAdmin reset supported
System administratorsYesYes
Clinicians (MD, DO, NP, PA)YesYes
Nursing staffYesYes
Lab techniciansYesYes
Front-desk / schedulingYesYes
BillingYesYes
Read-only / auditor rolesYesYes
Break-glass / emergency-access sessionsYes (MFA required before break-glass elevation)Yes

There are no user populations within Retinex that are exempt from MFA. Any human user with a Retinex account uses the flows described above.

9. Limitations / Out of Scope

  • Patient-facing portal accounts are administered separately from clinician accounts and are out of scope for §170.315(d)(13), which addresses the certified Health IT product’s user authentication.
  • SMS/email-delivered one-time codes are not used as a second factor, consistent with NIST SP 800-63B guidance discouraging SMS as a restricted authenticator.
  • Hardware-token (FIDO2 / WebAuthn) enrollment is on the roadmap but is not required for §170.315(d)(13) attestation; TOTP satisfies the criterion.

10. MFA Use Cases

The scenarios below describe how MFA is actually exercised by users and administrators across the product. They are the developer-supplied use cases referenced by Retinex’s “YES” attestation to §170.315(d)(13). The two-factor model and standards are described in §3 Authentication Factors and §4 Standards and Algorithms; out-of-scope items are listed in §9 Limitations.

UC-1

First-time MFA enrollment

Actor
Any new or not-yet-enrolled user (clinician, nurse, admin, billing, etc.).
Precondition
The account exists with a password but has no MFA secret (mfaEnabled = false).

Workflow

On first sign-in the user is routed to the MFA setup screen and completes enrollment as described in §5 End-User Enrollment Flow (scan the otpauth:// QR code, confirm a 6-digit code).

Outcome The account is bound to a second factor; all subsequent sign-ins require it (UC-2).

UC-2

Returning user sign-in with MFA

Actor
An enrolled user.
Precondition
mfaEnabled = true for the account.

Workflow

After the password step the session is held at mfaVerified = false until the user enters a current TOTP code on the MFA verification screen (per §5).

Outcome Access is granted only after both factors are presented in the same sign-in.

UC-3

Invalid or expired code at verification

Actor
An enrolled user entering an incorrect, mistyped, or stale code.
Precondition
The user is at the MFA setup or verification step.

Workflow — exception path

  1. The user submits a 6-digit code that does not match the stored secret within the ±30 s window.
  2. The server rejects the code; the session remains mfaVerified = false and protected routes continue to return 401 Unauthorized (“MFA verification required”).
  3. The user is prompted to re-enter a current code.

Outcome No protected resource is accessible until a valid code is supplied. Each failed attempt is audit-logged (UC-6).

UC-4

Lost authenticator / administrator MFA reset

Actor
A user who can no longer produce valid TOTP codes (lost/replaced phone, app uninstalled, device factory-reset), plus an administrator holding the admin role or users:reset-mfa permission.
Precondition
The user is locked out of their second factor; the administrator has an MFA-verified session.

Workflow — unique to this case

  1. The user re-establishes identity with the help desk through out-of-band procedures (callback to a known number, in-person check, verified email).
  2. The administrator performs the reset described in §6 Administrator-Initiated MFA Reset, which clears the user’s second factor for any user without engaging the developer.
  3. On next sign-in the user re-enrolls a fresh authenticator (UC-1) before any protected resource is accessible.

Outcome The user regains access only after identity re-verification and re-enrollment. Self-service reset is intentionally not offered (rationale and RBAC/authorization details in §6).

UC-5

MFA required before emergency (break-glass) access

Actor
An external or temporary user (locum, consultant, auditor) requesting emergency access.
Precondition
The user is attempting to create an emergency-access (“break-glass”) session.

Workflow — unique to this case

  1. The emergency-access service checks mfaEnabled for the requesting account before any patient session is created.
  2. If MFA is not enabled, the request is denied with 403 Forbidden (“MFA setup is required before emergency access”) and an EMERGENCY_SESSION_DENIED audit entry (reason “MFA not enabled”) is written.
  3. If MFA is enabled and the session is MFA-verified (UC-2), the break-glass session proceeds under the emergency-access workflow.

Outcome Elevated, time-boxed emergency access can never be granted to an account that has not bound a second factor — MFA is a hard prerequisite for break-glass elevation.

UC-6

Audit of MFA events

Actor
Compliance / security reviewer.
Precondition
MFA-related activity has occurred.

Outcome Every MFA event in the use cases above — including the break-glass denial (UC-5), which is specific to this set — is captured immutably by the audit microservice. The full event taxonomy and retention properties are documented in §7 Audit Logging.

11. Change Log

DateVersionChange
2026-06-101.5UI: presented the Use Cases as structured cards (UC tag, Actor/Precondition meta, labeled workflow, highlighted outcome) for readability.
2026-06-101.4Consolidated the Use Cases (merged the two reset cases, trimmed UC-1/UC-2/audit to reference §5, §6, and §7) to remove content duplicated from earlier sections; UC-1 – UC-6.
2026-06-101.3Replaced the generic Use Case section with the concrete UC-1 – UC-7 scenarios from the MFA use-cases document.
2026-06-101.2Trimmed Use Case section (10.2, 10.4, 10.5, 10.6) to cross-reference §4, §5, §7, and §8 instead of repeating their content.
2026-06-101.1Added MFA Use Case Documentation section for ONC HTI-1 / §170.315(d) self-attestation.
2026-05-251.0Initial public attestation document for CHPL listing.

Support

For questions about Retinex Health’s MFA implementation or technical support requests, contact support@retinex.ai.