In order to transmit controlled substances, you must use a One Time Passcode (OTP) device to obtain a One Time Passcode. There are two device options:
- Hardware Token – push the button on the device for the OTP. You will request a hardware token during Exostar registration.
- Authy App – manually enter the OTP or use Push Notification to approve request on your phone.
While you are required to have only one passcode device, we strongly recommend that you have both passcode devices available for usage. You can manage your devices by accessing your account. Once accessed you have the option to add, remove or resync a device. This can be done independently of your EHR and NewCrop.
Your account is located on the Admin Tab of the NewCrop Screens under the link “Manage Your EPCS Account”:
- Log into your EHR and access the NewCrop screens.
- Once in NewCrop, go to the Admin Tab:
- Click on the Manage Your EPCS Account:
OR click this link on the Exostar Registration Page:
AUTHENTICATION INTO YOUR ACCOUNT
You will first need to authenticate into your account to access functions. Click Authenticate and use the OTP method that you’ve chosen to authenticate. If the Authenticate buttons are grayed out, skip to the next step.
Hardware Token: To authenticate using the Hardware Token go to Manage Token and click Authenticate:
Enter the OTP from the Hardware Token and click Authenticate:
Authy App: To authenticate using the Authy app go to Manage Mobile Credential and click Authenticate. THE APP MUST BE INSTALLED ON A PHONE, NOT A TABLET OR DESKTOP.
Click the Red X to indicate that you’re ready to enter the OTP or approve via the Push Notification:
Enter the OTP from the App:
OR approve the Push Notification:
Text Message or Voice Call: To authenticate using either the text or voice call option go to Manage Phones and click Authenticate:
To receive a text message click Send:
(Change the dropdowns as appropriate for voice call or to use another number.)
Enter the OTP and click Submit:
MANAGING YOUR OTP DEVICES
Once you have authenticated into your account, you have access to all your OTP and authentication devices. You can add, remove or resync as necessary.
To add a Hardware Token to your account, click Add Token:
Enter the serial number from the back of the Hardware Token, click the button on the front and enter the first passcode you see. Wait 30 seconds and click again to enter the second passcode you see. Click Submit:
A Hardware Token can be deactivated (if lost or broken) by clicking Deactivate Token. You will be asked to confirm this action. Once confirmed, the Hardware Token cannot be used again. Only one Hardware Token can be active on an account at one time.
A Hardware Token can get out of sync if the button is inadvertently pushed too many times. To Resync a Hardware Token, click Resync:
Click the button on the Hardware Token, enter the first code for Password 1 and enter the OTP. Repeat for Password 2. Click Resync:
To add the Authy App to your account click Add Credential:
IF THE PHONE NUMBER HAS A PUERTO RICAN AREA CODE, PLEASE CHOOSE THE US AS THE COUNTRY CODE ON THE COMPUTER SCREEN AND ON THE PHONE. THE PHONE NUMBER SHOULD BE ENTERED IN THIS FORMAT: 7871112222. If the country code and phone number format are entered in this way there should be no issues when binding the Authy app. For questions or if there are issues, contact your EHR or NewCrop Customer Support for assistance.
Enter your phone number and click Register Phone:
Download and install the Authy app. Click the Red X to indicate that you’re ready to enter the OTP or approve via the Push Notification:
Enter the OTP from the app and click Submit:
OR approve the Push Notification:
There is an Authy app for Apple Watch. At this time, it is limited to “OTP” mode only, so Push/OneTouch approval is not supported. However, the watch can work independently of the phone to which it is paired. The user just opens the Authy app on the watch, taps the token they want, and the code is displayed on the screen. The Authy watch app should automatically install when the Authy app is installed on the paired phone.
The Authy app can be deactivated by clicking Deactivate. You will be asked to confirm this action. Once confirmed, the Authy app can be activated again, using the steps above.
Text Message or Voice Call - FOR AUTHENTICATION INTO ACCOUNT
It is STRONGLY RECOMMENDED that you register a phone so in the event you lose your OTP device(s), you will be able to authenticate to your account. You must authenticate to your account to deactivate a lost device and bind a spare or replacement device without having to go through the full identity proofing process again.
TEXT MESSAGING OR VOICE CALLS ARE NOT VALID OTP METHODS FOR TRANSMISSION OF CONTROLLED SUBSTANCES.
To register a phone for either text message or voice call, click Add Phone:
Use the drop down to select the desired OTP delivery method. Choose your Country. Add your phone number and retype to confirm. Click Send Code:
You will receive a text message or voice call with the Validation Code. Enter the Validation Code and click Submit:
More than one phone can be added. It is STRONGLY RECOMMENDED that you add a voice call to a land line in the event a cell phone is lost or broken so you have a way to authenticate to your account. Repeat steps above to register multiple phones to your account.
You can change the Delivery Method for a phone number by clicking Change:
Confirm you want to make a change:
Delivery Method is now changed from Text Message to Voice Call:
To set a different number as the default phone click Set as Default:
Confirm the change:
To Delete a phone from your account, click Delete:
Use the drop down to indicate the reason for the deletion and type in comments. Click Delete Phone:
A Revoke should only be done if you are unable to authenticate to your account because you have no active OTP devices and no phones registered.
REVOKING YOUR ACCOUNT IS A PERMANENT ACTION AND CANNOT BE UNDONE. IF YOUR ACCOUNT IS REVOKED, YOU MUST GO THROUGH THE IDENTITY PROOFING PROCESS AGAIN.
If a provider has a new phone or new phone number but has tied the Authy app to their cloud-based store (iTunes or Google Play Store), often a copy of the Authy app (including the NewCrop account) can be downloaded and used without any issues or removing and adding a new instance in the Exostar account.
The two best ways to avoid revoking an account:
- Always make sure the Hardware Token has been bound to the account. Many providers choose to use the Authy app but adding the hardware token not only allows a backup method to transmit Rxs, it is also a backup method to access the Exostar account. ALWAYS ADD THE HARDWARE TOKEN EVEN IF THE PROVIDER CHOOSES NOT USE IT FOR TRANSMISSION OF CONTROLLED RXS.
- Always add an Authentication phone number that is different than the provider’s cell phone number. A provider can add a land line or a different cell phone as well as their own, but the best practice is to have a different phone number for the Authentication phone number. A provider should not tie all authentication methods to one device only.
ONCE A PROVIDER HAS REVOKED THEIR ACCOUNT, THEY MUST PAY FOR ANTOHER LICENSE AND START FROM THE BEGINNING IN THE EVENT THE PROVIDER NEEDS TO TRANSMIT CONTROLLED RXS VIA NEWCROP.
RETURNING TO NEWCROP
Once all tasks are completed and to return to NewCrop, click Cancel:
Questions? Contact your EHR for assistance.