Now that our team has set up your DrFirst subscription, you will need to complete your EPCS identity proofing. This document will walk your through the steps for completing this. You can also use our EPCS identity proofing checklist.

Provider invite and identity proofing

You will receive an invite from DrFirst (

As the provider, you must follow the instructions in this email in order to complete the EPCS registration process. This includes the IDP process (identity proofing) and activating token devices. If you are unable to find the email, check your junk/spam folder.

Caution: Do not begin without at least one EPCS token. Even if you complete the IDP portion (steps 2 and 3) of the EPCS onboarding process, you cannot complete the last step without your token present.

  1. In the email, select the "Enroll now" link.
  2. This link will take you to the following page where your NPI number and Invite ID will be pre-populated in the "I have an Invite " box in the lower right hand corner of the page. Confirm that these fields are correct, and select the orange "Proceed" button.
  3. Next, accept the "Terms of Use and Conditions."
  4. Once the "Terms of Use" have been accepted, the next screen will present a temporary password. This allows you to resume the IDP session if you exit for any reason, and should be recorded before proceeding.
    Note: This temporary password can only be used if IDP has been passed and you have yet to bind a token. If the IDP session needs to be exited and completed later, this password can be used to access the session within 24 hours. To use this password, select the original invite link and enter the password.

User registration

There are prerequisites of the EPCS Gold IDP process:

  1. Token: At least one hard or soft token is necessary to proceed, among other items. Once you are ready, select "Continue."
  1. Complete the demographic data and verify that the pre-populated fields are correct. Here are some tips and notes on the fields within this form:
    1. Required:
      1. Home Address fields: Please enter the address related to your financial records. This is typically a home address. Do not input any special characters within the address field.
      2. Date of Birth.
      3. Social Security Number.
      4. Mobile Phone Number: If you enter a mobile number that Experian can validate, you may receive a text message with a confirmation code instead of a physical letter.
    2. Optional:
      1. Credit Card Number: While this is not required, this can increase your chances of passing IDP if you fail the first time. Please enter a personal credit card that is either a VISA or MasterCard. You will NOT be charged; Experian requires only the first 8 digits.
  2. If Experian cannot validate your information, you may be required to answer 3-4 security questions pertaining to your financial history.
  3. Based on the information you provided, Experian will determine whether or not you have successfully passed IDP. 
     Note: If you fail three times, this will lock your account. You cannot attempt IDP again for a full 24 hours.
  4. On the next screen, you will scan the QR code on their mobile device.
  5. From you mobile device, after accepting the terms of use, you will select an identifying document to submit to Experian.
  6. You will be prompted to photograph your identifying document (front and back).
  7. Next, you will be asked to take an image of yourself (selfie).
  8. The application will then prompt you to exit from your mobile screen to go back to the identity proofing screen where you scanned the QR code. Here you will select the "Check Status" button.

Registering tokens

  1. Once IDP has been completed, you will receive a confirmation on the next screen that your identity has been successfully confirmed and be prompted to add a token. Select the orange "Add Token" button to begin.
    Note: It is HIGHLY RECOMMENDED that you add at least TWO tokens, in case one is lost or inaccessible. If you cannot attach two tokens at this step, another token can be added from the EPCS Dashboard at a later time. You can have up to five tokens for your account.
  2. Select the manufacturer from the "Token Manufacturer" drop-down menu.
    1. Select SYMANTEC if: 
      1. You are using a soft token (VIP Access App on mobile phone/tablet/computer).
      2. You are using a keychain hard token that has the Symantec name and logo on the face of the token.
    2. Select ONESPAN if:
      1. You are using a keychain hard token that has the OneSpan name and logo on the face of the token.
  3. Complete the rest of the fields with the following listed information to be entered per token:
    1. Token Issuer: DrFirst.
    2. Token Type: OTP HARD TOKEN (key fob) or OTP SOFT TOKEN (VIP Access).
    3. Token Nickname: Nickname for the token to help identify it (ex. "iPhone token", "key fob", etc.).
    4. Serial Number or Credential ID:
      1. If using Symantec HARD token (key fob): enter the Serial Number (S/N) on the back of the token without any spaces.
      2. If using OneSpan HARD token (key fob): enter the Serial Number (S/N), which is the long string of numbers on the back of the token without any dashes.
      3. If using the Symantec VIP Access app SOFT token: enter the Credential ID that  appears at the top of the screen without any spaces.
    5. One Time Passcode (OTP): The number generated on the hard token or the "Security Code" from the VIP Access app.
       Note: Your screen may look slightly different depending on which token was selected.
       Caution: You must have at least one registered, active token with your profile at all times. If you lose access to all registered, active tokens, you will need to complete your registration from the beginning.
    6. The area wherein you add new token(s), post registration completion, is EPCS Gold which requires a registered, active token to access.
    7. Regarding VIP Access app (soft token):
      1. Deleting, then re-installing the app on the same device generates a new Credential ID, turning it into a new soft token which must be added before use. Ensure a backup (hard or soft) is registered prior to doing so.
      2. Getting a new device will eventually have VIP Access downloaded and used as a new soft token? Please make sure you have at least one registered token before you lose access to original registered, active token.

Creating a passphrase

Next, a signing passphrase, security question, and security answer must be created for the account. This signing passphrase is a password that will be used to prescribe controlled substances. The security question and answer will be necessary if you ever have to reset your passphrase.

  1. The signing passphrase must be at least eight characters long, be mixed case, and contain at least one number (avoid special characters).
  2. A security question and security answer (case sensitive) will need to be entered as well. Since it is case sensitive, the security answer has to be remembered exactly as it was entered. This will be used in the event the passphrase is forgotten.
    Caution: We strongly recommend that the passphrase and security question/answer are written down to be stored in a secure location. DrFirst cannot reset a passphrase. The passphrase can only be reset by correctly answering your security question. In the event that the passphrase is forgotted and cannot be reset, your account will be DISABLED, and you will be required to complete IDP again from the beginning.
  3. After entering the "Signing Passphrase", "Security Question", and the "Security Answer", select "Continue" to move forward.
  4. If you pass identity proofing you will be notified via email that your identity has been successfully verified and receive a verification code. It is safe to leave this screen at this time if you have not yet received the number.
    1. Assuming you entered a mobile phone number and Experian could verify it, you may receive a text message with a verification code. You can enter the verification code on the screen to complete identity proofing.
    2. If you do not receive a text message, Experian will mail a letter with the IDP transaction number which takes 5-7 business days to arrive. You can close out of this screen and proceed to enter your verification once you have received the letter.
      Note: The verification code within the text message is only valid for seven days, and the transaction number within the letter is only valid for 30 days.
  5. The confirmation email that Experian has verified your identity contains a link to select, which will allow you to enter your verification code.
    Note: You should keep this email, as you will require the link in the email to continue the process. Without this email, you may need to restart the process.
  6. When you select the link, you will be prompted to enter your verification code.

Experian Transaction Number

Once your Identity Proofing and registration steps have been completed, the next screen will display information in regards to the "Experian Transaction Number." This step must be completed in order to finalize your EPCS credentialing. You will receive either a letter by USPS mail or an SMS text message with the Experian Transaction Number. The workflow for each is as follows.

Caution:If you must navigate away from this screen, it is safe to do so at this time. Experian sends and email congratulating you on completing the identity proofing. Within this email is a link to enter the transaction number later. Please do not delete this email.

  1. SMS Text Message: If you entered a mobile number that was successfully validated by Experian, the Experian Transaction Number will arrive immediately via SMS text message. Enter the "Experian Transaction Number" and select "Verify Code."
  2. USPS Mail: If a mobile phone number was not entered or if Experian is unable to validate the mobile number, Experian will send a letter via USPS mail containing the number that typically arrives in 5-6 business days.
    1. Once the letter arrives, you will access the IDP confirmation email and select the link in step two to enter the "Experian Transaction Number."
    2. Enter the "Experian Transaction Number", passphrase and pin from your selected token. Then, select the "Submit" button to complete.


If you are already an active EPCS prescriber and are on-boarding for EPCS at another organization, your account can be re-authenticated by leveraging your existing credentials. This prevents you from having to complete the IDP process for each organization you are in.

Once you have been invited for the new organization, follow the steps below:

  1. Upon opening the email from DrFirst, select "Enroll Now."
  2. This link will take you to a page where your NPI Number and Invite ID will be pre-populated in the "I have an invite" box in the lower right hand corner of the page. Confirm that these fields are correct, and select the orange "Proceed" button.
  3. Then accept the "Terms of Use and Conditions."
  4. You will then be prompted to re-authenticate yourself by leveraging your existing credentials. Choose the "Use my existing authentication credentials" to prevent having to complete the identity proofing from the beginning again.
  5. Then you will enter your existing passphrase, choose a token, enter the one-time pin (OTP), and select the "Submit" button.

At this point, enrollment at the new organization is complete. However, you will need to work with an administrator at your facility or practice to have your EPCS account activated before you can begin e-prescribing controlled substances for this additional organization. This can be done by using the instructions in the EPCS logical access control.

Once this has been completed, enrollment at the new organization is complete.

Back to top of page