Two Factor Authentication

What is Two Factor Authentication?

Two-factor authentication (also known as 2FA) provides unambiguous identification of users by means of the combination of two different components. These components may be something that the user knows, something that the user possesses or something that is inseparable from the user. A good example from everyday life is withdrawing money from a cash machine. Only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, i.e. something that the user knows) allows the transaction to be carried out.

How is This Relevant to REDCap?

There is a growing perception that a simple username and password based login is not adequate protection for identifiable healthcare information. Although we discourage the entry of identifiers into REDCap, we recognise that for some projects this is necessary. Part of our mandate for REDCap here at the University of Alberta is to "help our researchers do the right thing". REDCap's implementation of 2FA is straightforward to manage and easy to use. For projects that store participant identifiers, REDCap's 2FA support significantly improves project security and demonstrates to our research partners that we take the security of their data seriously.

How Will This Affect Me?

University of Alberta and Alberta Health Services

Most users of REDCap here at the University of Alberta and the AHS network will not see any change as 2FA is introduced. However, users who access REDCap from outside of our "trusted" networks will be prompted to configure 2FA options in their profile. These same users will be prompted to authenticate using 2FA when they attempt to access their user profile or a project that requires the additional authentication.

If you don't wish to configure 2FA at this time you can close the window or check "Never display this message again".

Users of our Validated "MICYRN" Installation

As we roll out 2FA to our "MICYRN" installation, any user who is not on the University of Alberta or AHS network may be subject to 2FA. However, 2FA will not be rolled out across all projects simultaneously. We also anticipate that networks belonging to collaborating MICYRN institutions, such as CHEO, CHRIM and Ste. Justine, will ultimately be considered "trusted networks".

Which Projects Will Be Included?

All new projects will be enabled for 2FA. If you're a principal investigator or project manager, your project does not store identifiers and you believe 2FA will impose an unreasonable burden on your project, you can contact us at redcap@ualberta.ca to discuss your options.

We will be reviewing past projects in order to determine which projects should use 2FA. Projects that contain direct identifiers (as defined on this page) will be configured for 2FA. If you believe your project falls into this category and you would like 2FA enabled immediately please email us at redcap@ualberta.ca.

What Does It Involve?

Two factor authentication adds an additional authentication step which, on our install of REDCap, will be applied when a user attempts to gain access to a project that contains identifiable data. It will also be applied when a user attempts to access their profile information. Depending on the projects to which the user has access, this might be at login or it might not be until the user selects the project from their "My Projects" page. At that point the user will be asked to confirm their identity via an additional step as follows:

Authentication Methods

To make this as easy as we can for the users we have configured a number of options. The user can choose which authentication method best suits their needs.

Email

Using this method the user is emailed an authentication code. They must enter this code into REDCap in order to proceed. This is the default method. It will be used for initial setup and for all users who have not configured an alternative.

SMS

If the user has configured / selected a cell phone number in their REDCap profile then an SMS message will be sent to their cell phone. Simply replying to this message will allow them to proceed. Alternatively the user can enter a code contained in the SMS message into the REDCap prompt.

Voice

If the user has configured / selected a phone number in their REDCap profile then they will receive a phone call during which they will be given a code that must be entered into REDCap.

Google Authenticator

Google Authenticator is an application that generates time-based authentication codes. It is available for both Android and iOS and can therefore be installed on most current mobile devices including iPhone, iPad, and Android based phones and tablets such as the Samsung Galaxy range of devices. Once configured (there is a simple configuration process that pairs the device with the user profile), Google Authenticator generates its codes even when not connected to a network. It can therefore be used in locations where there is no cellular service.

When prompted by REDCap the user simply copies the code displayed on their device into the authentication form on REDCap.
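Why the codes work without a network connection, shown as an added example (not REDCap's code): both sides derive the code from the secret shared at pairing and the current time, using the TOTP algorithm of RFC 6238 with Google Authenticator's defaults (HMAC-SHA1, 30-second step, 6 digits). The secret is the published RFC test key, and the one-step clock-drift tolerance in `verify` is an assumption, not a REDCap setting.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays current
DIGITS = 6   # code length shown in the app

# RFC 6238 test key, base32-encoded as it would be in a pairing QR code.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Compute the code for a given time from the shared secret alone."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", int(unix_time) // step)  # 8-byte time-step count
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, drift_steps=1):
    """Server-side check: accept the current step and its neighbours."""
    candidate = submitted.strip().encode()
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP).encode()
        # Constant-time comparison; no early exit on a match.
        ok |= hmac.compare_digest(expected, candidate)
    return ok


if __name__ == "__main__":
    device_time = 59                       # constructed sample timestamp
    code = totp(SECRET, device_time)       # what the phone displays
    print("device shows:", code)
    print("accepted 30 s later:", verify(SECRET, code, device_time + 30))
    print("accepted 90 s later:", verify(SECRET, code, device_time + 90))
```

Because the code depends only on the secret and the clock, a device whose clock is badly wrong will produce codes the server rejects, and anyone who obtains the pairing secret can generate valid codes.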

Any Questions?

Feel free to email us at redcap@ualberta.ca