Introduction
Multi-factor Authentication (MFA) is a secure authentication method that requires users to provide two or more verification factors to gain access to Canvas.
MFA works by requiring additional verification information (factors) each time a user attempts to log in. One of the most common MFA factors that users encounter is the one-time password (OTP), known within Canvas as a verification code. OTPs are codes that you receive via email, SMS, or an authentication app such as Google Auth or 1Password. With OTPs, a new code is generated periodically or each time an authentication request is submitted.
Key Objectives
- You will learn how to set up your authentication methods
- You will learn of the capabilities provided to Administrators and Users
- You will learn how to log in using your established authentication methods
Tips & Tricks
- Administrators can decide whether to make MFA required or to let users decide whether they want MFA on their profile. This provides the flexibility of making this feature fully required across all users or letting users create their own security measures.
- MFA_REQUIRED - setting this will force a new user (who has not set up MFA yet) to immediately set up MFA when logging into the site, and not allow them to access any other page. It is best to enable MFA settings during "off hours" as there could be log-in implications when MFA is required or certain methods are selected.
- Administrators have the ability to determine the number of days a user's device is remembered before being asked to re-authenticate via a verification code. This can be set through Configurations and the default has been set to 30 days. For requiring MFA each time a user signs in, the days can be set to 0.
- Verification codes expire after 10 minutes for email and SMS authentication methods in order to provide a better sense of security for our customers, and we encourage Administrative support if users try to resend themselves a code more than 5 times in one session (as there could be larger issues at hand).
- Verification emails will be titled "Canvas Medical MFA Token" and will come from no-reply@canvasmedical.com. We encourage users and administrators to ensure this sender is not automatically blocked or placed in spam based on your email settings.
- If a user is experiencing issues with their authentication method, we encourage Administrators to reconfigure that specific user's authentication method through the OTP_EMAIL, OTP_TOTP (authenticator app), and OTP_TWILIO (SMS) functionalities within Settings.
Step By Step
How to set up authentication methods
Canvas allows organizations, through configurable administrative settings, to decide the methods enabled for their users. All available methods can be enabled or disabled at any time, with recommended best practices, and they include:
- Email - based on the email per a user's staff profile
- Alternative Email - an email that is different than the staff profile
- SMS (Text) - based on the mobile phone number per a user's staff profile
- Alternative SMS (Text) - a mobile phone number that is different than the staff profile
- Authenticator App - a third-party application outside of Canvas, usually on a mobile device that creates a new token at a specified time. Examples include Google Auth, 1Password, or Microsoft Authenticator.
How to log into your Canvas instance using your established authentication methods
- When MFA is enabled, users will have the ability to implement this 2nd level of security after they are logged in by selecting Multi-Factor Authentication from the hamburger button on the top left.
- Once a user clicks on this feature, they can enable any of the established authentication methods that they would prefer. Only the methods enabled by an Administrator within the setting configurations will be visible for users in this workflow.
- If users have the ability to utilize alternative emails or mobile phone numbers, outside those within their profile, they will be able to create those settings within each established authentication method. If users do not have that ability, we will display which email and SMS will be utilized given Administrative settings.
- Once an authentication method has been implemented by a user, they will be asked to log into Canvas with their username and email, and then prompted to enter a new verification code sent to that authentication method.
- This prompt will take place anytime a user logs into Canvas.
- An authentication method can be removed by a user (if not required) by selecting Multi-Factor Authentication from the hamburger button on the top left. From there, the trash icon will allow for the removal of a specific method.
- When MFA is required, based on Administrative settings, all users will be required to set up their authentication method when attempting to log into Canvas after the required functionality is enabled.
“Remember this device” Troubleshooting:
The “Remember this device” functionality relies upon your web browser’s saved cookies. Cookies are files created by websites you visit. With cookies, sites can keep you signed in, remember your site preferences, and give you locally relevant content. This means that cookies from Canvas’ Multi-factor Authentication (MFA) feature only remember your specific web browser, not your computer, so if you switch to a different web browser or device, the “Remember this device” functionality will not carry over.
There are two types of cookies:
- First-party cookies are created by the site you visit. The site is shown in the address bar.
- Third-party cookies are created by other sites. These sites own some of the content, like ads or images, that you see on the webpage you visit.
As noted, Canvas uses cookies to track when you have selected the remember this device option. If you find that choosing to "Remember this device" when logging in using MFA is not working and you continue to have to authenticate at each log in, there could be a few reasons why:
1. Private Browsers
- If you are using incognito mode on Chrome, this will not remember any of your browsing history which in turn will not store cookies. Additionally, separate browsing profiles within Chrome will not remember settings from other profiles. Ensure that you are not using incognito mode and that you are not switching Chrome profiles when selecting “Remember this device.”
2. Chrome Privacy Settings
- Some users may have personalized privacy setting preferences within their Chrome browser that do not allow for the creation of cookies to track the “Remember this device” functionality. A few things that can be done:
  - Update your settings: chrome://settings/cookies. If the link does not work, navigate:
    - Click on the three dots at the top right corner and click Settings.
    - Select Privacy and security and click Cookies and other site data.
    - Click See all cookies and site data.
  - We recommend the following settings:
    - Add Canvas to sites that can always use cookies if you would like to keep your current security settings but would want “Remember this device” functionality to work when accessing Canvas.
    - Within Chrome’s cookie settings, click “Add” on “Sites that can always use cookies” as a customized behavior. Within the pop-up include the following:
- You may need to restart your browser for changes to take effect.
3. Browser Extensions (& Anti-Virus blockers)
- Some extensions added to Chrome can interfere with the “Remember this device” functionality by clearing cookies. Since each individual may have any number of extensions, we recommend temporarily disabling all extensions and seeing if that helps. Commonly known extensions that interfere with multi-factor authentication:
  - Bit-Defender or any other blocker extensions on your browser that would prevent a cookie from being saved
  - VisualPing
- Security settings that do not allow for cookies to be saved could also impact “Remember this device” functionality
- Note: If you are using something that blocks or doesn’t remember cookies, we recommend disabling it because cookies are what remembers your device for MFA login.
4. You may have an issue where an old version of the cookie that remembers your device is still in your browser. If this cookie is in your browser, you will need to clear it in order to properly have your device remembered at login.
- Clear your cache and cookies on the browser you use. This will get rid of the bad cookie that is preventing your device from being remembered. Make sure you clear out the cache and cookies for all time to ensure you clear the right one.
- Once you have cleared your cache and cookies, attempt to log back into Canvas (with the Chrome cookie setting from solution #2 above) and select “Remember this device.”
- To ensure you have removed the “bad cookie,” log out and log back in a second time and you should not be prompted for authentication.
5. Change in IP Address
- If you are using a different IP Address from the one in which you selected “Remember this Device,” the functionality will not work.
We recommend accessing Canvas on the latest Chrome version. If you are using a different browser, please consult your web browser's support pages for allowing first-party cookies.
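The troubleshooting reasons above all come down to one check made on the cookie at sign-in. The following added example (not Canvas code) models that check; the cookie layout, the HMAC signing, the function names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; a real key stays server-side
DAY = 86400  # seconds in one day


def _sign(payload, secret):
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, ip, now, secret=SECRET):
    """Cookie value set when "Remember this device" is selected (assumed layout)."""
    payload = f"{user}|{ip}|{int(now)}"
    return f"{payload}|{_sign(payload, secret)}"


def mfa_prompt_reason(cookie, user, ip, now, remember_days=30, secret=SECRET):
    """Return None if the device is remembered, else why a code is required."""
    if remember_days == 0:
        return "remember period is 0 days: code required at every sign-in"
    if not cookie:
        return "no cookie: private window, other browser or profile, blocked or cleared"
    parts = cookie.split("|")
    if len(parts) != 4 or not hmac.compare_digest(
        _sign("|".join(parts[:3]), secret).encode(), parts[3].encode()
    ):
        return "outdated or altered cookie: clear cookies and sign in again"
    c_user, c_ip, c_issued = parts[:3]
    if c_user != user:
        return "cookie was issued to a different user"
    if c_ip != ip:
        return "IP address changed since the device was remembered"
    if now - int(c_issued) > remember_days * DAY:
        return "remember period expired"
    return None


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    cookie = issue_token("drsmith", "203.0.113.10", t0)  # constructed user and IP
    print(mfa_prompt_reason(cookie, "drsmith", "203.0.113.10", t0 + 5 * DAY))
    print(mfa_prompt_reason(cookie, "drsmith", "198.51.100.7", t0 + 5 * DAY))
    print(mfa_prompt_reason(None, "drsmith", "203.0.113.10", t0 + 5 * DAY))
```

A returned reason maps directly onto the numbered items above, which makes it a quick way to reason about which cause applies when a user reports repeated prompts.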
Roles
- Provider
- Clinical staff
- Administrative staff
- Billing staff
- Management
- Document Manager
- Population Health
- Care Coordination