OptiMantra supports multi-factor authentication (MFA) for all users in accordance with §170.315(d)(13) of the ONC 2015 Edition Cures Update. Authentication is performed through two independent factors: something the user knows (password) and something the user has (a one-time passcode delivered via SMS or email).
MFA is available to all user roles including clinicians, administrative staff, and system administrators, and can be enforced at the practice level by administrators.
| Attribute | Detail |
|---|---|
| Assurance level | NIST SP 800-63B, Authenticator Assurance Level 2 (AAL2) |
| Delivery channels | SMS (Short Message Service) and Email — time-limited, single-use codes |
| OTP properties | 6-digit numeric OTP · Valid for 10 minutes · Invalidated after use |
| Transport security | All authentication traffic encrypted via TLS 1.2 / 1.3 |
**UC 1: Login from an unrecognized device**

| Field | Detail |
|---|---|
| Actor | Licensed clinician (e.g., acupuncturist, naturopath, nurse practitioner) |
| Trigger | Login attempt from a device or browser not previously recognized by the system |
| Factor 1 | Username and password |
| Factor 2 | 6-digit OTP delivered via SMS to registered mobile number, or to registered email address |
| Outcome | Access granted upon successful OTP entry; session established with full EHR access per user permissions |
| Controls | Account locked after 5 consecutive failed OTP attempts; user prompted to request a new code |
**UC 2: Practice-wide mandatory MFA**

| Field | Detail |
|---|---|
| Actor | All users of the practice (clinicians, front desk, billing staff) |
| Trigger | Practice administrator has enabled mandatory MFA for every login, regardless of device recognition |
| Factor 1 | Username and password |
| Factor 2 | 6-digit OTP delivered via SMS or email (user selects preferred channel in profile settings) |
| Outcome | No login is permitted without completing MFA; audit log records each authentication event with timestamp and IP address |
| Controls | MFA enforcement toggled in Practice Settings → Security; applies immediately to all active users |
**UC 3: Password reset**

| Field | Detail |
|---|---|
| Actor | Any OptiMantra user initiating a password reset |
| Trigger | User selects "Forgot Password" on the login screen |
| Factor 1 | Registered email address (identity claim) |
| Factor 2 | 6-digit OTP sent to the registered email address; must be entered before a new password can be set |
| Outcome | User can set a new password only after verifying identity via email OTP; previous session tokens invalidated |
| Controls | OTP expires in 10 minutes; link-based reset token is single-use and invalidated after password change |
**UC 4: Remote or telehealth access**

| Field | Detail |
|---|---|
| Actor | Clinician accessing patient records or conducting a telehealth session from a remote location |
| Trigger | Login detected from an IP address or geographic location outside the practice's normal access pattern |
| Factor 1 | Username and password |
| Factor 2 | 6-digit OTP sent via SMS to the clinician's registered mobile number or via email |
| Outcome | Secure access granted for telehealth or remote EHR session; all activity logged in the audit trail |
| Controls | Session timeout enforced per §170.315(d)(5); all data in transit encrypted via TLS 1.3 |
| Factor | Type | Method | Applicable Use Cases | Standard |
|---|---|---|---|---|
| Factor 1 | Something you know | Username + Password | All use cases | NIST 800-63B |
| Factor 2 (SMS) | Something you have | 6-digit OTP via SMS to registered mobile number | UC 1, UC 2, UC 4 | AAL2 |
| Factor 2 (Email) | Something you have | 6-digit OTP via email to registered address | UC 1, UC 2, UC 3, UC 4 | AAL2 |
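The OTP rules stated above (6-digit code, 10-minute validity, single use, lock after 5 consecutive failed attempts, audit record with timestamp and IP for every attempt) as server-side verification logic. This is an added illustration, not OptiMantra's code; the `Account`/`OtpChallenge` structures, the result strings and the sample IP are assumptions, and clearing the lock when a new code is issued is an assumed reading of "user prompted to request a new code".

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

OTP_DIGITS = 6                   # page: 6-digit numeric OTP
OTP_TTL = timedelta(minutes=10)  # page: valid for 10 minutes
MAX_FAILED_ATTEMPTS = 5          # page: lock after 5 consecutive failed attempts

@dataclass
class OtpChallenge:
    code: str
    issued_at: datetime
    used: bool = False           # page: invalidated after use

@dataclass
class Account:                   # assumed structure, not OptiMantra's
    username: str
    failed_attempts: int = 0
    locked: bool = False
    challenge: "OtpChallenge | None" = None
    audit_log: list[dict] = field(default_factory=list)

def issue_otp(acct: Account, now: datetime) -> str:
    # Fresh single-use code for the SMS/email channel. The page says a locked user is
    # prompted to request a new code, so issuing one clears the lock (assumption: no cooldown).
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    acct.challenge = OtpChallenge(code=code, issued_at=now)
    acct.failed_attempts, acct.locked = 0, False
    return code

def verify_otp(acct: Account, submitted: str, now: datetime, ip: str) -> str:
    # Returns granted / locked / expired / used / rejected; every attempt is audited.
    ch = acct.challenge
    if acct.locked or ch is None:
        outcome = "locked" if acct.locked else "rejected"
    elif now - ch.issued_at > OTP_TTL:
        outcome = "expired"
    elif ch.used:
        outcome = "used"
    elif hmac.compare_digest(ch.code, submitted):  # constant-time compare
        ch.used, acct.failed_attempts, outcome = True, 0, "granted"
    else:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked, acct.challenge, outcome = True, None, "locked"
        else:
            outcome = "rejected"
    acct.audit_log.append({"time": now.isoformat(), "ip": ip, "result": outcome})
    return outcome
```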