This repository has been archived by the owner on Jun 16, 2022. It is now read-only.

2FA login #166

Open
ARMmaster17 opened this issue Feb 25, 2022 · 1 comment
Labels
Backend (Changes are expected to be made to the service, repository, or controller level of Java source files); blocked (This issue is blocked by a pending PR or another issue that must be resolved first.); enhancement (New feature or request); Frontend (Changes are expected to be made to HTML/JS/CSS files and the related controllers.); stretch (Ideas that are not completely necessary for an MVP, but can be done for fun/learning.)
Milestone

Comments

@ARMmaster17
Member

ARMmaster17 commented Feb 25, 2022

Summary

This is the last big feature for HIPAA compliance (besides out-of-budget items like WAFs and DB-auditing). Updates to HIPAA regulations around 2019 state that applications with access to medical records need to be secured behind two-factor authentication. This is not strictly required for patient accounts, but admins and doctors are required to have this security feature in new software products after 2019 (IIRC there is also a short grace period for software from before this time).

In the past year, the NIST has made strong recommendations not to use 2FA SMS as this can easily be circumvented in a targeted "sim-swap" attack. Email auth is also generally frowned upon as targeted attacks against individuals typically go for email accounts first. The best NIST recommendation within our budget and time constraints is to use TOTP codes. If a website has ever made you scan a QR code, and then use codes from that app to log in, you were using a TOTP code.

Implementation

There are two ways to go about this. The first is considered a standard practice, but would be harder to implement. The second may be confusing for some users, but would still satisfy HIPAA regulations.

  1. Require a TOTP code as part of the login process. May be difficult to implement because of how we are using spring-security, but is the most secure method.
  2. Require a TOTP code whenever accessing a page that contains PHI/PII (such as the records page, when starting a call with a patient, or viewing a detailed list of appointments). Easier to implement, but far less secure and may be confusing for some users.

There are standard TOTP Java libraries, and it would not be smart at all to roll our own custom solution here. There are also front-end JS frameworks for generating a QR code from a registration token. Once a consensus is reached on which of the two paths we will take from above, then we can decide on implementation steps.

This issue will also need to be treated as an epic, and individual tasks will be dispersed from this one (i.e. one person is probably not going to be assigned to implement this in one big PR).
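The "require a TOTP code as part of the login process" path above boils down to RFC 6238: the server and the authenticator app share a secret, both derive a 6-digit code from HMAC-SHA1 over the current 30-second time step, and the server accepts a submitted code if it matches the current step or a neighbouring one. The following is an added example, not code from this project or from any library, written against the plain JDK so it can be compared with whatever TOTP library is eventually chosen; the class and field names, the one-step drift window and the `lastAcceptedStep` column are assumptions. It also verifies itself against the RFC 6238 Appendix B test vector (ASCII secret `12345678901234567890`, SHA-1, 8 digits, T = 59 seconds, expected code `94287082`).

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not project code): RFC 6238 TOTP as a second login step.
public final class TotpLoginStep {

    private static final int STEP_SECONDS = 30;   // RFC 6238 default time step
    private static final int DIGITS = 6;          // what authenticator apps display
    private static final int WINDOW = 1;          // accept steps T-1, T, T+1 for clock drift

    // RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation.
    static String hotp(byte[] secret, long counter, int digits) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] hash = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int offset = hash[hash.length - 1] & 0x0F;
        int binary = ((hash[offset] & 0x7F) << 24)
                   | ((hash[offset + 1] & 0xFF) << 16)
                   | ((hash[offset + 2] & 0xFF) << 8)
                   |  (hash[offset + 3] & 0xFF);
        int otp = binary % (int) Math.pow(10, digits);
        return String.format("%0" + digits + "d", otp);
    }

    // RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    static String totp(byte[] secret, long unixSeconds, int digits) throws Exception {
        return hotp(secret, unixSeconds / STEP_SECONDS, digits);
    }

    // Per-user state the login flow keeps in the database (assumed columns).
    static final class UserTotpState {
        final byte[] secret;        // raw secret bytes, i.e. the stored base32 string decoded
        long lastAcceptedStep = -1; // highest time step already spent on a successful login
        UserTotpState(byte[] secret) { this.secret = secret; }
    }

    /**
     * Returns true if the submitted code matches the current step or one on either side,
     * and that step has not already been used. The comparison is constant-time so the
     * check does not leak how many digits matched; accepting a step marks it spent so the
     * same code cannot be replayed within its validity window.
     */
    static boolean verify(UserTotpState user, String submitted, long unixSeconds) throws Exception {
        long current = unixSeconds / STEP_SECONDS;
        for (long step = current - WINDOW; step <= current + WINDOW; step++) {
            if (step <= user.lastAcceptedStep) {
                continue; // this step (or an earlier one) was already used: reject replay
            }
            String expected = hotp(user.secret, step, DIGITS);
            if (MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                      submitted.getBytes(StandardCharsets.US_ASCII))) {
                user.lastAcceptedStep = step;
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Self-check against the RFC 6238 Appendix B vector (SHA-1, 8 digits, T = 59 s).
        byte[] rfcSecret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        if (!"94287082".equals(totp(rfcSecret, 59L, 8))) {
            throw new IllegalStateException("TOTP implementation does not match RFC 6238");
        }

        // Simulated login: the user's app computes the code for "now" (constructed timestamp).
        UserTotpState user = new UserTotpState(rfcSecret);
        long now = 1_700_000_000L;
        String code = totp(rfcSecret, now, DIGITS);
        System.out.println("first use accepted:  " + verify(user, code, now));
        System.out.println("replay accepted:     " + verify(user, code, now + 5));
    }
}
```

In a Spring Security setup this check would sit behind the password step as a second authentication stage, with `lastAcceptedStep` persisted alongside the user so that replay protection survives across application instances. Note that any code inside the window is valid for up to about 90 seconds, so rate-limiting verification attempts per user is still needed; a 6-digit space is small enough that unlimited guesses would eventually succeed.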

@ARMmaster17 ARMmaster17 added the labels enhancement (New feature or request), proposal (This is a proposal of an idea, and needs further discussion before starting work on it.), Frontend (Changes are expected to be made to HTML/JS/CSS files and the related controllers.) and Backend (Changes are expected to be made to the service, repository, or controller level of Java source files) Feb 25, 2022
@ARMmaster17 ARMmaster17 added this to the Sprint 2 milestone Feb 25, 2022
@ARMmaster17 ARMmaster17 moved this to Committed in Kanban Board Feb 25, 2022
@ARMmaster17 ARMmaster17 added the label stretch (Ideas that are not completely necessary for an MVP, but can be done for fun/learning.) and removed the label proposal (This is a proposal of an idea, and needs further discussion before starting work on it.) Feb 28, 2022
@ARMmaster17 ARMmaster17 modified the milestones: Sprint 2, Sprint 3 Mar 14, 2022
@ARMmaster17
Member Author

ARMmaster17 commented Mar 29, 2022

This library looks like it does what we need it to do: https://github.com/j256/two-factor-auth. Note that using this library directly like how the example shows is a HIPAA/NIST violation. Unfortunately, because installing a service like HashiCorp Vault is out of scope for this project, we're going to have to store the base32 secret in the database. We should at least encrypt the string if possible once the MVP is proven to work.
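The "encrypt the string if possible" step from the comment above, as an added example that is not part of the project or of the j256 library: the per-user base32 secret is wrapped with AES-256-GCM under a key that lives outside the database (here an environment variable, standing in for a Vault or KMS deployment that is out of scope), and the user id is bound as associated data so that a ciphertext copied into another user's row fails to decrypt. The class name, the `TOTP_WRAPPING_KEY` variable, the column layout `base64(nonce || ciphertext || tag)` and the sample secret are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not project code): wrap the stored TOTP secret with AES-256-GCM.
public final class TotpSecretAtRest {

    private static final int NONCE_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;     // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey wrappingKey;

    TotpSecretAtRest(byte[] rawKey32) {
        if (rawKey32.length != 32) throw new IllegalArgumentException("need a 256-bit key");
        this.wrappingKey = new SecretKeySpec(rawKey32, "AES");
    }

    /** Loads the key from TOTP_WRAPPING_KEY (base64 of 32 bytes). Assumed variable name. */
    static TotpSecretAtRest fromEnvironment() {
        String b64 = System.getenv("TOTP_WRAPPING_KEY");
        if (b64 == null) throw new IllegalStateException("TOTP_WRAPPING_KEY is not set");
        return new TotpSecretAtRest(Base64.getDecoder().decode(b64));
    }

    /**
     * Encrypts one user's base32 secret. The user id is bound as associated data, so the
     * ciphertext only opens for that user. Returns base64(nonce || ciphertext || tag),
     * which is what goes into the users table instead of the plaintext secret.
     */
    String seal(long userId, String base32Secret) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);                     // fresh random nonce for every encryption
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, wrappingKey, new GCMParameterSpec(TAG_BITS, nonce));
        gcm.updateAAD(Long.toString(userId).getBytes(StandardCharsets.US_ASCII));
        byte[] ct = gcm.doFinal(base32Secret.getBytes(StandardCharsets.US_ASCII));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Reverses seal(); throws AEADBadTagException if the row was altered or moved. */
    String open(long userId, String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        byte[] nonce = Arrays.copyOfRange(in, 0, NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(in, NONCE_BYTES, in.length);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, wrappingKey, new GCMParameterSpec(TAG_BITS, nonce));
        gcm.updateAAD(Long.toString(userId).getBytes(StandardCharsets.US_ASCII));
        return new String(gcm.doFinal(ct), StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws Exception {
        byte[] demoKey = new byte[32];
        RNG.nextBytes(demoKey);                   // constructed key for this demo only
        TotpSecretAtRest store = new TotpSecretAtRest(demoKey);

        String secret = "JBSWY3DPEHPK3PXP";        // constructed sample base32 secret
        String column = store.seal(42L, secret);
        if (!store.open(42L, column).equals(secret)) {
            throw new IllegalStateException("round trip failed");
        }
        try {
            store.open(43L, column);              // same ciphertext, different user id
            throw new IllegalStateException("a moved ciphertext must not decrypt");
        } catch (AEADBadTagException expected) {
            // correct: the tag check fails because the associated data differs
        }
    }
}
```

The secret still has to be decrypted on every login to compute the TOTP code, so the wrapping key must be reachable by the application at runtime; what this buys is that a database dump or backup on its own no longer yields working authenticator secrets. Since the key is the only thing standing between a copied database and valid second factors, it should never be committed to the repository or stored in the same database it protects.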

@ARMmaster17 ARMmaster17 added the blocked This issue is blocked by a pending PR or another issue that must be resolved first. label Mar 29, 2022
@ARMmaster17 ARMmaster17 modified the milestones: Sprint 3, Sprint 4 Apr 21, 2022
Projects
Status: Committed
Development

No branches or pull requests

1 participant