Multi-Factor Authentication

Security as non-negotiable. Access as seamless.

Mandatory MFA and Okta SSO protect every login. Enterprise identity integration (SAML, OAuth, Active Directory) is rolling out per organization as identity-provider support expands. Session management with cryptographic precision.

See Sirona in Action

How Sirona is Different

Non-negotiable authentication for every user

No exceptions, no fallbacks. Every user authenticates with a second factor — authenticator app, SMS/phone, or hardware security key. The weakest link in your practice is fixed at the perimeter.

Authentication & authorization infrastructure

Zero-trust architecture with cryptographic session management, fine-grained role-based access control, and real-time audit logging.

Okta MFA

Authenticator app, SMS, and hardware security key support. Flexible, enforced, no opt-outs.

Explore

Okta SSO

Single sign-on with automatic session management and cryptographic token generation.

Explore

Enterprise IdP Integration

SAML, OAuth 2.0, and Active Directory support, rolling out per organization for large health systems.

Explore

Session Management

8-12 hour timeouts with 60-second warnings before auto-logout. Django Authtools backend with AWS Secrets Manager rotation.

Explore

Role-Based Access Control

Fine-grained RBAC per user role — radiologist, admin, QA. Principle of least privilege enforced.

Explore

Audit Logging

All authentication events logged to Datadog. WHO, WHAT, WHEN, WHY. Real-time threat detection.

Explore

Built for how radiologists actually work

MFA Implementation

Authenticator app, SMS, hardware keys — all required

An authenticator app as the primary method, with SMS and hardware security key (FIDO2) fallbacks. No password-only access. No local usernames stored. Time-synchronized TOTP or push-based verification.

Authenticator app (TOTP, push-based) mandatory for all users

SMS backup for emergency access without hardware

FIDO2 hardware security key support for enhanced security

No local password files — all auth via the identity service

Biometric unlock on authenticator apps (iOS/Android)

SSO & Session Management

Single login powers your entire workflow

One Okta login. Automatic session creation with cryptographically secure tokens. Smart timeouts with user-friendly pre-logout warnings. Backend powered by Django Authtools extending Cognito.

Single sign-on via Okta (no password entry per-application)

Sessions maintained 8-12 hours with smart timeout

60-second logout warning before automatic session termination

JWT tokens with short TTL rotated via AWS Secrets Manager

Django Authtools backend managing session state and revocation

Cross-site session validation with SameSite cookie enforcement

Compliance & Audit

HIPAA, security, and audit — full transparency

Every authentication event is logged. HIPAA BAA in place, backed by an active security-and-compliance program and a regulated, design-controlled SDLC. Credential rotation every 90 days. AES-256 encryption at rest, TLS 1.2+ in transit.

Active SOC 2 program with full MFA coverage

HIPAA compliance with cryptographic controls

Regulated, design-controlled SDLC across authentication infrastructure

All auth events streamed to Datadog in real time

AWS Secrets Manager credential rotation every 90 days

AES-256 at rest, TLS 1.2+ in transit

Enterprise Identity

Fit into your existing identity infrastructure

Okta SSO secures every login today, with enterprise IdP integration (SAML, OAuth 2.0, Active Directory) rolling out per organization as we expand identity-provider support — no credential migration, with group-based access syncing from your source of truth.

SAML 2.0 and OAuth 2.0 enterprise connectors

Active Directory federation — zero credential migration

User provisioning and de-provisioning as IdP rollout lands

Group-based role assignment from IdP

SCIM identity lifecycle support on the rollout roadmap

0

password files stored locally (all via Okta)

10-attempt

lockout threshold per account

Audited

under Sirona's active security-and-compliance program

90-day

credential rotation via AWS Secrets Manager

FAQs

Is MFA truly mandatory, or can users opt out?

MFA is mandatory for all users without exception. There are no fallbacks to password-only authentication. Every user must authenticate via Okta Verify (authenticator app), SMS, or hardware security key. This non-negotiable approach eliminates the weakest link in the security chain.

How does Okta integrate with our existing Active Directory?

We connect Okta to enterprise IdPs (SAML/OAuth, including Active Directory) on a per-organization basis as we expand identity-provider support. Your identity source of truth remains with you — Sirona reads from it — with zero credential migration and synchronization of user status and group membership.

What happens to my passwords under Sirona MFA?

Sirona stores zero passwords locally. All authentication flows through Okta. Users set up Okta Verify (or another MFA method) once and never manage passwords within Sirona. Your IT team can enforce password policies (expiration, complexity, history) at the identity provider level.

What session timeouts should we configure?

Default session lifetime is 8-12 hours, configurable per organization. Sessions include 60-second pre-logout warnings so users can save work. All tokens are cryptographically signed JWTs with short time-to-live (TTL), rotated via AWS Secrets Manager. Logout events are logged to Datadog immediately.

How is Sirona's MFA infrastructure audited for compliance?

All authentication events are logged to Datadog (WHO accessed WHAT, WHEN, WHY). We maintain HIPAA BAA compliance, run an active SOC 2 program, and operate a regulated, design-controlled SDLC. Credential rotation happens every 90 days automatically via AWS Secrets Manager.

Can users use hardware security keys instead of authenticator apps?

Yes. Sirona supports FIDO2 hardware security keys (YubiKey, etc.) as a primary MFA method. For health systems with high-security requirements, hardware key enforcement can replace authenticator apps entirely. We also support SMS as an emergency backup when neither app nor hardware key is available.