21 CFR § 1311.115 - Additional requirements for two-factor authentication.

---
identifier: "/us/cfr/t21/s1311.115"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "21 CFR § 1311.115 - Additional requirements for two-factor authentication."
title_number: 21
title_name: "Food and Drugs"
section_number: "1311.115"
section_name: "Additional requirements for two-factor authentication."
chapter_name: "DRUG ENFORCEMENT ADMINISTRATION, DEPARTMENT OF JUSTICE"
part_number: "1311"
part_name: "REQUIREMENTS FOR ELECTRONIC ORDERS AND PRESCRIPTIONS"
positive_law: false
currency: "2026-04-05"
last_updated: "2026-04-05"
format_version: "1.1.0"
generator: "[email protected]"
authority: "21 U.S.C. 821, 828, 829, 871(b), 958(e), 965, unless otherwise noted."
regulatory_source: "70 FR 16915, Apr. 1, 2005, unless otherwise noted."
cfr_part: "1311"
---


# 1311.115 Additional requirements for two-factor authentication.

(a) To sign a controlled substance prescription, the electronic prescription application must require the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:

(1) Something only the practitioner knows, such as a password or response to a challenge question.

(2) Something the practitioner is, biometric data such as a fingerprint or iris scan.

(3) Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.

(b) If one factor is a hard token, it must be separate from the computer to which it is gaining access and must meet at least the criteria of FIPS 140-2 Security Level 1, as incorporated by reference in § 1311.08, for cryptographic modules or one-time-password devices.

(c) If one factor is a biometric, the biometric subsystem must comply with the requirements of § 1311.116.