Denialbase requires 2FA for every account that accesses PHI. As an admin, you can enforce it at the organization level so no user can sign in without it.

Enabling organization-wide 2FA

1. Settings → Security → 2FA policy

   You need the admin role.

2. Choose a policy

  • Recommended: Require 2FA for all PHI-accessing users.
  • Stricter: Require passkeys only (phishing-resistant).
  • Loosest (not recommended): Optional 2FA.

3. Set a grace period

   Existing users get 7 days to enroll before being locked out.

4. Communicate

   A default communication is drafted for you — edit and send from the same screen.

Supported methods

Passkeys (WebAuthn)

Recommended. Phishing-resistant. Works with Touch ID, Face ID, Windows Hello, and hardware keys (YubiKey, Titan).

TOTP

Compatible with Authy, Google Authenticator, 1Password, Bitwarden, and any RFC 6238 app.

Backup codes

10 one-time codes generated at enrollment. Store these somewhere safe — they let you sign in if you lose your primary factor.

SSO IdP 2FA

If your organization uses SSO with 2FA enforced at the IdP, that satisfies Denialbase’s 2FA requirement.
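The TOTP and backup-code methods above are standard enough to show end to end. The following is an added example written for this page, not Denialbase's own code: it implements RFC 6238 TOTP verification (HMAC-SHA1, 30-second steps, six digits, one step of clock skew tolerance) with constant-time comparison and replay rejection, plus ten single-use backup codes stored only as salted PBKDF2 hashes. The step size, digit count, skew window, PBKDF2 iteration count and the `user_salt` are assumptions; the page does not state Denialbase's parameters.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 defaults; assumed here, not stated on the page.
TIME_STEP = 30   # seconds per time step
DIGITS = 6
WINDOW = 1       # accept one step either side to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def provisioning_secret() -> tuple[bytes, str]:
    """Fresh 160-bit secret plus the base32 form an authenticator app enrolls."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


class TotpVerifier:
    """Verifies a submitted code against one user's secret.

    Two defences a bare totp() string comparison lacks: constant-time comparison,
    and refusal to accept any time step at or before the last successfully used
    one, so a code that was phished or shoulder-surfed cannot be replayed within
    its validity window.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_counter = -1

    def verify(self, code: str, at: int) -> bool:
        current = at // TIME_STEP
        for offset in range(-WINDOW, WINDOW + 1):
            counter = current + offset
            if counter <= self.last_used_counter:
                continue  # already consumed (or older): treat as replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


class BackupCodes:
    """Ten single-use recovery codes, stored only as salted PBKDF2 hashes.

    The plaintext is shown to the user once at enrollment; a database leak
    exposes hashes, not usable codes. user_salt is an assumed per-user value.
    """

    ITERATIONS = 50_000  # assumed; tune to your hardware

    def __init__(self, user_salt: bytes):
        self.user_salt = user_salt
        self._hashes: set[bytes] = set()

    def _hash(self, code: str) -> bytes:
        # Normalize so users can type the code with or without the hyphen.
        normalized = code.strip().replace("-", "").lower().encode()
        return hashlib.pbkdf2_hmac("sha256", normalized, self.user_salt, self.ITERATIONS)

    def generate(self, count: int = 10) -> list[str]:
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(5)             # 40 bits of entropy per code
            codes.append(f"{raw[:5]}-{raw[5:]}")   # hyphen is for readability only
        self._hashes = {self._hash(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code; each one works exactly once."""
        h = self._hash(code)
        if h in self._hashes:
            self._hashes.discard(h)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```

The replay check is what turns "the code is valid for 30 seconds" into "the code is valid once": a second submission of the same code inside its window fails even though the HMAC still matches. Backup codes are treated like passwords at rest for the same reason TOTP secrets are encrypted in the database: the stored form must not be enough to sign in.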

Resetting 2FA for a user

If a user loses their 2FA device:
1. Verify identity

   Confirm the request out-of-band (phone, in-person). Don’t rely on email alone.

2. Admin → Settings → Team → [user] → Reset 2FA

   The user is flagged to re-enroll on next sign-in. A verification email goes to their address.

3. Audit-logged

   The reset is recorded in the security audit log with your user ID as the actor.

What happens under the hood

  • Passkeys use the WebAuthn standard — cryptographic keys stored on your device or hardware authenticator.
  • TOTP secrets are encrypted in the database and only decrypted at verification time.
  • Rate limiting on 2FA endpoints (5 / min for setup, 10 / min for passkey operations) prevents brute force.
  • Every 2FA event — enroll, use, reset, disable — is in the security audit log.
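The rate-limiting bullet above names the budgets but not the mechanism. As an added example (not Denialbase's code), here is a per-account sliding-window limiter using the page's figures, 5 per minute for setup and 10 per minute for passkey operations, which also records a rate-limit event in a constructed stand-in for the security audit log. The endpoint names, the `audit` list and `retry_after` are assumptions for illustration.

```python
from collections import defaultdict, deque

# Budgets quoted on the page: 5/min for 2FA setup, 10/min for passkey operations.
# Endpoint names are assumed.
LIMITS = {
    "2fa_setup": (5, 60),
    "passkey": (10, 60),
}


class SlidingWindowLimiter:
    """Per-account sliding-window limiter for 2FA endpoints.

    Keyed on the account rather than only the client IP, so guesses spread
    across many source addresses still share one budget, and every attempt is
    counted whether or not it succeeds, so the budget cannot be probed for free.
    """

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self._hits = defaultdict(deque)   # (account, endpoint) -> attempt timestamps
        self.audit = []                   # constructed stand-in for the security audit log

    def allow(self, account: str, endpoint: str, now: float) -> bool:
        max_hits, window = self.limits[endpoint]
        hits = self._hits[(account, endpoint)]
        while hits and now - hits[0] >= window:
            hits.popleft()                # discard attempts that fell out of the window
        if len(hits) >= max_hits:
            self.audit.append({"event": "2fa_rate_limited", "account": account,
                               "endpoint": endpoint, "at": now})
            return False
        hits.append(now)
        return True

    def retry_after(self, account: str, endpoint: str, now: float) -> float:
        """Seconds until the oldest in-window attempt ages out (0 if not limited)."""
        max_hits, window = self.limits[endpoint]
        hits = self._hits[(account, endpoint)]
        if len(hits) < max_hits:
            return 0.0
        return max(0.0, hits[0] + window - now)
```

A rejected request should return the same generic failure as a wrong code so the response does not reveal which of the two happened; the audit event, not the HTTP response, is where the distinction belongs.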

Bypass controls (admin break-glass)

In rare cases (ransomware on a user’s device, forgotten backup codes) an admin may need to temporarily bypass 2FA to help a user recover.
  • Settings → Security → Break-glass bypass — grants a single 15-minute window for a specific user.
  • Every use is audit-logged with elevated severity and notifies the Security Officer.

Policy ideas

  • Require passkeys for admin roles and providers (stronger than TOTP).
  • Block SMS as a factor — we don’t support SMS at all; don’t let users think it’s an option.
  • Require re-auth for sensitive actions (user deletion, bulk PHI export, 2FA reset).
See the underlying security rationale at Authentication & access control.