Multi-Factor Authentication (MFA) Implementation Documentation

For ONC Certification – §170.315(d)(13)

1. Overview of MFA Implementation

Our application enforces Multi-Factor Authentication (MFA) for both internal and external accounts.

Internal Users (Providers, Staff)

  • Authenticated via Azure Active Directory (AAD) under the woundtech.net domain.
  • MFA is managed via corporate AAD Conditional Access Policies.
  • After entering their password, users must verify identity via one of the following:
    • SMS verification code to registered mobile device
    • Microsoft Authenticator app push notification or code
    • Voice call verification code

External Users (Patients, External Partners)

  • Authenticated via Amazon Cognito.
  • MFA requires a password plus a one-time code from:
    • An authenticator app (TOTP)
    • An SMS message

MFA is triggered at:

  • Every login from an unrecognized device or browser
  • Password reset events
  • Sensitive operations, such as:
    • Exporting PHI
    • Changing security settings

 

2. MFA Factors Used

Internal (AAD):

  • Knowledge – Password (username + password combination)
  • Possession – Mobile phone receiving:
    • SMS code
    • Microsoft Authenticator push notification/code
    • Voice call verification

External (Cognito):

  • Knowledge – Password
  • Possession
    • TOTP code from an authenticator app
    • SMS one-time password (OTP)

 

3. Standards / Protocols Used

Azure Active Directory:

  • Supports OAuth 2.0, OpenID Connect, SAML 2.0
  • Microsoft Authenticator one-time codes are OATH TOTP (RFC 6238); push approvals are confirmed in the app rather than entered as a code
  • SMS/voice MFA uses numeric OTPs
  • Security:
    • TOTP codes are bound to a 30-second time step (RFC 6238 default); SMS/voice codes expire after a short validity period
    • All secrets/tokens encrypted at rest using AES-256
    • All transmissions secured with TLS 1.2+

Amazon Cognito:

  • Supports OAuth 2.0, OpenID Connect
  • MFA via TOTP (RFC 6238) or SMS OTP
  • Security:
    • TOTP codes are bound to a 30-second time step (RFC 6238 default) and SMS codes to a short validity window, which limits replay of a captured code
    • All secrets/tokens encrypted at rest using AES-256
    • All transmissions secured with TLS 1.2+

 

4. User Workflow Description

Internal (AAD) Login Workflow:

  1. User enters @woundtech.net email + password on Microsoft login page
  2. Password verified by Azure AD
  3. MFA triggered:
    • SMS/voice → code sent to registered mobile
    • Authenticator app → push notification or TOTP code
  4. User enters/approves MFA challenge
  5. On success, Azure AD issues a token and user is redirected to the application

External (Cognito) Login Workflow:

  1. User enters username/email and password on Cognito login page
  2. Credentials verified by Cognito
  3. MFA challenge triggered (TOTP app or SMS)
  4. User enters MFA code
  5. On success, Cognito issues ID, access and refresh tokens to the application

 

5. Security & Privacy Considerations

  • Encryption: All MFA-related secrets/tokens encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Short Lifespan: Codes expire quickly to reduce replay risk
  • No Storage of Codes: MFA codes are never stored after validation
  • Minimal Logging: Only status (success/failure) logged — actual codes are never recorded

 

6. Relied Upon Software / Services Disclosure

Azure Active Directory (AAD)

    • Vendor: Microsoft Corporation
    • Function in Certified Capability: Provides identity management and MFA enforcement for internal users (providers, staff). Validates user credentials and triggers MFA challenges via SMS, Microsoft Authenticator, or voice call.
    • Licensing Requirements: Requires an active Microsoft 365 or Azure AD Premium subscription. Licensing is managed by Woundtech as the health IT implementer.

Amazon Cognito

    • Vendor: Amazon Web Services (AWS)
    • Function in Certified Capability: Provides identity management and MFA enforcement for external users (patients, external partners). Validates user credentials and triggers MFA challenges via TOTP or SMS OTP.
    • Licensing Requirements: Requires an AWS account with the Amazon Cognito service enabled.