StacksVerified U.S. regulatory reference

21 CFR §1311.115

Verified against eCFR.gov as of June 20, 2026View official text on eCFR.gov
  1. (a)To sign a controlled substance prescription, the electronic prescription application must require the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:
    1. (1)Something only the practitioner knows, such as a password or response to a challenge question.
    2. (2)Something the practitioner is, biometric data such as a fingerprint or iris scan.
    3. (3)Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.
  2. (b)If one factor is a hard token, it must be separate from the computer to which it is gaining access and must meet at least the criteria of FIPS 140-2 Security Level 1, as incorporated by reference in § 1311.08, for cryptographic modules or one-time-password devices.
  3. (c)If one factor is a biometric, the biometric subsystem must comply with the requirements of § 1311.116.