
Authentication FAQ

What do I do if I lost my password or forgot my password?

Click the Forgot your password? link on the PHC login screen to receive an email with a passcode that will let you reset your password. You can also use the Sign into PHC without a Password procedure.

What methods are available for authentication?

  • User credentials (Traditional username and password)
  • Single Sign-on (SSO)
  • Passwordless (One-time Passcode (OTP))
  • API key (JSON Web Token (JWT))

What is user credential authentication?

A user credential is a username and password pair that grants access to the platform. Some organizations configure a Single Sign-On (SSO) provider so that one username and password credential grants access to many systems.

Complete user credential authentication at the following locations:

Web Console: https://apps.us.lifeomic.com/login

LifeOmic CLI - lo auth

LifeOmic Notebook Service - The authentication token and refresh token are automatically made available when a Notebook is launched. They are exposed as the following environment variables:

  • `PHC_REFRESH_TOKEN`
  • `PHC_ACCESS_TOKEN`

When presented with a valid username and password, the authentication API responds with a JSON Web Token (JWT) for the user. Send it in the HTTP Authorization header using the Bearer scheme: `Authorization: Bearer <token>`.

How do I configure Auth Client and SSO?

Customers with stringent security concerns can set up SSO authentication. Most SSO providers, such as Okta, let you specify two-factor authentication (2FA) or multi-factor authentication (MFA).

For more information and a configuration procedure, see Auth Clients and Single Sign-on.

Are external Identity Providers (IdP) supported?

PHC supports Single Sign-On (SSO). SSO providers must support either SAML2 or OpenID.

For example, PHC is validated with Okta and Shibboleth IdP.

Is Passwordless login a secure authentication method?

Yes. When a user selects the Passwordless option at the login screen, PHC generates a secure, unique token and emails the requester a link for password-free authentication. In general, passwordless authentication with a One-Time Passcode (OTP) token is regarded as more secure than traditional password schemes, because it removes the common breaches that result from stolen or guessed passwords.

The PHC passwordless method requires that you log in with the same device and browser used to initiate the request. The generated link also expires after five minutes. Both of these measures further mitigate security risks.

For more information and a configuration procedure, see Sign into PHC without a Password.

Can I prevent my users from using the Passwordless authentication option?

Once SSO is configured, the PHC admin can invite users to PHC with an invitation that requires the user to log in with SSO authentication. A PHC invitation encapsulates both the user's email address and the required authentication method. If you invite a user with the requirement that they use SSO, they must use SSO for their initial login. If, on a subsequent login, the user attempts to use passwordless authentication, they will not be authenticated as the originally invited user and will not have the permissions the PHC admin granted to that user.

What is API key authentication?

Instead of going through the normal authentication process of entering user credentials (username and password), you can create an API key that is unique to a user. For more information and a configuration procedure, see API keys.

What access control does an API key have?

An API key created by a user acts on behalf of that user and provides the same level of access within the account. Secure your API key like you secure your username and password.

How often do API keys expire?

A new API key requires you to set an expiration time, configurable in days. The minimum expiry is 1 day and the maximum is 365 days.

A best practice is to set a cadence of API key rotation throughout the year.

Where can I use an API key?

API keys may be used in scripted environments, such as Linux-based machines running Bash, to interface with the PHC API. Send the key in the HTTP Authorization header using the Bearer scheme: `Authorization: Bearer <api key>`.
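The following Python helper is an added example, not code from the PHC SDK or this page: it builds the Bearer Authorization header described above and, because an API key is a JWT with a mandatory expiry, reads the key's `exp` claim locally to flag keys that are expired or due for rotation. It reads the key from `PHC_ACCESS_TOKEN` (the Notebook variable) when present; the demo token it otherwise builds is a constructed, unsigned placeholder, and no signature is verified here, since only the PHC API can do that.

```python
import base64
import json
import os
import time

def bearer_header(token):
    """Build the Authorization header the PHC API expects for a JWT or API key."""
    return {"Authorization": f"Bearer {token}"}

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)

def jwt_claims(token):
    """Return the payload claims of a JWT. The signature is NOT verified here;
    this is only for local inspection of the expiry, never for trust decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def days_until_expiry(token, now=None):
    """Days left before the key's `exp` claim; negative means already expired."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        raise ValueError("token has no exp claim")
    now = time.time() if now is None else now
    return (exp - now) / 86400

def rotation_status(token, warn_days=14, now=None):
    """Classify a key for a rotation check: 'expired', 'rotate-soon' or 'ok'."""
    remaining = days_until_expiry(token, now)
    if remaining <= 0:
        return "expired"
    if remaining <= warn_days:
        return "rotate-soon"
    return "ok"

def make_demo_token(exp):
    """Constructed, unsigned JWT-shaped token for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'sub': 'demo-user', 'exp': exp})}.sig"

if __name__ == "__main__":
    # Assumed: the real key arrives via PHC_ACCESS_TOKEN; otherwise use the demo token.
    token = os.environ.get("PHC_ACCESS_TOKEN") or make_demo_token(int(time.time()) + 10 * 86400)
    print(bearer_header(token)["Authorization"][:14] + "...")  # never log the full key
    print("rotation status:", rotation_status(token))
```

Run it from a scheduled job against each stored key to catch keys that silently expire or outlive the rotation cadence you set.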

The LifeOmic CLI may be used to further simplify those scripts, since it abstracts the API away. The CLI supports Linux, macOS, and Windows environments.

The PHC SDK for Python also supports API keys for automation and interacting with the PHC API through a Python interface.