Multi-Factor Authentication (MFA)

Owl offers the ability to enable Multi-Factor Authentication (MFA) for your clinic as an added layer of security. Multi-Factor Authentication means that, after entering their email and password at login, users must confirm their identity through an additional, external source of confirmation, such as an email address or mobile phone number.

The option to enable MFA in an Owl account is only available to the Owner user type, and can be found in Settings > Practice Details under the Security heading.

Once MFA is enabled, all users will be given a login challenge when:

  • first logging in after the setting is enabled
  • using a new device or browser to log in
  • 14 days have passed since the last challenge
  • a password reset is requested

The MFA challenge is a 6-digit code sent to the user to confirm their identity. If the user has a phone number saved (Settings > User Access), Owl will send an SMS message containing the code. If no phone number is saved, or if the user opts to click “email me instead”, Owl will send an email containing the code to the email address on file for that user profile. If you did not receive the code, you can click “Resend Code” to have a new message sent.

Each unique code expires after 15 minutes, or after 3 unsuccessful attempts to enter it. If 15 minutes have passed, or your attempts have been exceeded, you can click “Request a new code” to try again.
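For readers who want to reason about these rules precisely, the following is an added example that models the challenge triggers and the code lifetime described above; it is not Owl's code. The function names, the single-use behaviour and the use of "no previous challenge" to represent the first login after MFA is enabled are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 15 * 60        # page: each code expires after 15 minutes
MAX_FAILED_ATTEMPTS = 3           # page: or after 3 unsuccessful attempts
RECHALLENGE_SECONDS = 14 * 86400  # page: 14 days since the last challenge


@dataclass
class Challenge:
    code: str
    issued_at: float
    failed: int = 0
    used: bool = False


def issue_code(now: float) -> Challenge:
    # 6-digit code from a CSPRNG; leading zeros are preserved.
    return Challenge(code=f"{secrets.randbelow(10**6):06d}", issued_at=now)


def verify(ch: Challenge, submitted: str, now: float) -> str:
    """Return 'ok', 'wrong', or 'expired' (a new code must be requested)."""
    if ch.used or ch.failed >= MAX_FAILED_ATTEMPTS:
        return "expired"
    if now - ch.issued_at > CODE_TTL_SECONDS:
        return "expired"
    # Constant-time comparison avoids leaking how many digits matched.
    if hmac.compare_digest(ch.code.encode(), submitted.encode()):
        ch.used = True  # assumption: a code cannot be replayed after success
        return "ok"
    ch.failed += 1
    return "wrong"


def challenge_required(mfa_on, known_device, last_challenge, now,
                       password_reset=False) -> bool:
    if not mfa_on:
        return False
    # last_challenge is None models the first login after MFA is enabled.
    if last_challenge is None or not known_device or password_reset:
        return True
    return now - last_challenge >= RECHALLENGE_SECONDS
```

The attempt cap is what keeps a 6-digit code from being guessed: three tries against one million possibilities per code.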

When MFA is enabled for the clinic, a new popup will appear on login for users who do not yet have a phone number associated with their user access profile, to encourage them to add one.

The user simply needs to enter a phone number, confirm it, and then click Save to have it added to their user profile for future MFA challenges.

Clinics can also add phone numbers to user profiles now. This is a new field on all user access profiles that can be updated at any time. If you would like to have valid phone numbers on file for all staff prior to enabling the MFA feature, you can do so by adding a mobile phone number to all user profiles and then enabling the MFA setting. Please note that only +1 phone numbers are supported at this time.

To add a phone number, go to Settings > User Access, select a user profile, and click Edit.

Simply enter the phone number in the field provided and click the Save User button to update the profile.

The MFA setting can only be set to ON or OFF. When it is ON, all user profiles are subject to MFA challenges upon login. When the setting is OFF, none of the user profiles logging into the clinical instance will be prompted with MFA challenges. Practice owners can decide if MFA is a necessary security protocol to enable at the practice.