Upcoming change to passwordless client portal login

Answered

Comments

25 comments

  • Claire

    Hi Keith,

    To your first question, the security of your data and that of your clients is our highest priority, and we are dedicated to making sure that all of the features we provide exceed information security standards and requirements.

    Eliminating the use of passwords increases Client Portal security and lowers the risk of unauthorized access of client data. Unauthorized access can happen when perpetrators:

    1) Use different hacking techniques, such as social engineering (i.e., phishing) methods, network sniffing tools, or other techniques.
    2) Gain direct access to a client’s email account and use a password-reset link to ultimately gain access to other applications such as the Client Portal.

    Passwordless Login provides additional security because your clients:

    • Will be required to have access to their personal email account.

    • Will receive a unique one-time use link that is only accessible to the owner of that email account.

    • Can use the unique Sign In link that automatically expires after 24 hours.

      • When your client uses the link to log in to the Portal, the link can no longer be used for another login attempt. If an expired or used link is unintentionally shared, other parties will not be able to log in.


    Passwordless Login also makes the flow easier for both you and your clients:

    • Clients will no longer need to memorize or save a password to log in to the Client Portal.

    • You won’t need to manually reset a client’s password if they forget it.

    • You won’t need to remind your clients not to reuse the same passwords across multiple platforms, or to periodically update their passwords.


    We decided not to make this optional as we are concerned with protecting your clients' privacy in the best way that we can. 

    To your second question, I can understand why that would be helpful to your practice, but we don't currently have the option to change the setting to reset passwords via email. I would encourage you to add this idea to our Ideas and Suggestions board.

    This board is one of our most important resources for understanding which features will have the most value for our community. Posting on our Ideas and Suggestions board means that members of our Product Team, as well as all members of our Community, have transparent access to review your suggestion. Other members can vote on your suggestion, and you can vote on their suggestions as well. You'll also receive notifications when our team makes an update to this post.

    If you have any further questions, please reach out to us and we'll be happy to help.

  • Samuel P. Bryant

    How will our clients know about the change? Will it be evident when they go to log in that they no longer need their password and that this will be the way to log in from now on? 

     

  • Keith Ratzburg

    From what I saw, Samuel, you will need to notify them. On the page with the details showing the upcoming changes, it had a draft template.

  • Keith Ratzburg

    I was referring to this phone number. Why can't this be changed to be an email address? I would much rather keep our communication with clients on email when possible rather than a phone call.

  • Alissa Blackman

    Will this have any impact on how clients access their telehealth appointments? 

  • Claire

    Samuel- 

    This will become apparent to your clients once it has been released. They will be notified of the passwordless login change when they try to sign in. 

  • Claire

    Keith- 

    To follow up with your question, the pin access is only if your client can't log in using the Passwordless Login feature for whatever reason. We can't email them a pin because they're already unable to access their email. The pin is a last resort option.

  • Claire

    Alissa-

    This will have no effect on Telehealth appointments. 

     

    Claire

  • Keith Ratzburg

    I am not asking you to email the client a pin. I am saying email me with the problem so I can diagnose and then contact the client. Easier on us than receiving a cold call.

  • David Boyer

    I'm trying to determine how this is actually safer for a client in a DV situation where the abuser is in their email program already. Seems like the intended person having a password would provide a layer of possible protection. This appears to be wide open to an abuser with access to their email. It would be appreciated if you could help me understand how this is actually safer. I just switched over to SimplePractice not knowing this was going to happen.

  • Michele Harris

    No emails are being sent to allow us to use the passwordless sign-in feature

  • Michele Harris

    It isn't working for me nor for one of my clients. No email is being sent!

  • Barnaby Denison

    I have the same concern as David earlier today. A current client is in a DV situation and the abuser can easily gain access to her phone. She has asked me to delete messages and to then have the old password reinstated. From what I have read, neither of these is being offered by Simple Practice as options. I suspect she may choose to delete the app rather than risk her messages being read, which would be a most unfortunate and risky outcome given our 2.5 years working together, especially with the enhanced isolation that DV clients are facing. I am curious what Simple Practice can suggest, as I suspect this is not a unique concern. Thank you for your help.

  • Sadie Miller-Daley

    Is there any way to utilize fingerprints for login as a potential option? Many of my clients in the same boat are finding this method of login to be extremely inconvenient. I totally understand the security concern- but fingerprint would make it pretty secure I imagine? I know there are risks of unauthorized access- but maybe even if clients agree to sign something and waive their passwordless login that they acknowledge the potential security issue- I just feel like they should have an option.

  • Ruth

    Thank you all for contributing your thoughts to this new feature. I've answered your questions below:

    Keith - The Passwordless Login will prompt clients to enter their email address when logging into the Client Portal, then an email will be automatically generated so they can click on it to log in. Clients will only be instructed to call their clinician for a 6-digit pin if they're not receiving the automated email with the login link. If you'd like to suggest that we add your email address instead of phone number as the method of contact, you can do so here on our Ideas and Suggestions board.

    David and Barnaby - I understand that certain clients are particularly vulnerable to security breaches coming from their associates, partners, etc. However, in order to protect clients from known and unknown sources of data breaches, we advise them to use an email address that no one else has a password to. They can always create a new email address with a secure password.

    Sadie - We have enabled clinicians to use fingerprinting and facial detection to log in to their SimplePractice mobile apps, if the smartphone in use possesses these capabilities. However, this isn't a feature that can be implemented within the SimplePractice program because it has to do with the device being used. Since there currently isn't a client-facing mobile app, the new Passwordless Login is the most secure way we've devised to protect client data. We're not planning on rolling this feature back, or making it possible for clients to opt out.

    If you're curious, here is more information on our new Passwordless Login Feature

    Michael - I've created a help request on your behalf so a team member can reach out to you directly regarding your clients not receiving emails. 

  • Amanda Clark

    My clients are reporting that the email link expires before the 24 hours are up. They receive a message that says the link is expired and it will not allow them to request a new link. This led to them being locked out of the portal.

  • Kari Mika-Lude

    Clients are HATING this.  It's confusing and inconvenient, and, as several others have already mentioned, not as secure as you are assuming.  People in DV situations often have people monitoring their email accounts.  Others may share an email account with their spouse voluntarily, but it still creates that breach of privacy.  I have strong objections to this not being an optional feature.

  • Rick Morris

    I had no idea what had changed, but my clients are now complaining, also stating that using the secure instant messaging is now so difficult due to the new log in process, and it is driving my client away from their portal access. I actually don't know what changed, but clients say "too many steps now to get into my portal".

     

  • Julie A. Lesko

    I just had a patient, who is completely tech savvy, tell me today that the passwordless login is clumsy and makes it take longer to enter the portal. I also had a patient who is not tech savvy, let me try to guide her through the login process for the first 15 minutes of her appointment, and after that, she gave up and we had a telephone session for the rest of her 30 minute session. Phone sessions are less than adequate for clinical assessment and treatment.

    One of the top features of SP is the message center, which has made patient - provider communication reliable and efficient. Patients don't have to call one or both of my offices, leave a message and wonder when I will be getting back to them; or email me at one of my emails and wonder when and if I will get their email and respond.

    I have been working hard to transfer all of my patients over to SP and the message system has been a big reason why.  However, this new passwordless login decreases patient-provider communication by making it more complicated and time consuming to reach me. 

  • Ayelette

    Hi everyone,

    With our Passwordless Login feature, we recommend letting your clients know they can bookmark your Client Portal sign in page for easy access any time.

    In addition, here are some security features to note about the Client Portal links:

    • The links expire 24 hours after they are generated.
    • Each time a new link is requested, prior links will be deactivated.
    • Each link is one-time use. This means that the first time a client clicks the link, they'll be brought directly into your Client Portal. If they click the same link again, they'll see a message that the link has expired.

    In the case where a link has expired, they can click Request new Sign in link, as shown below.

    They'll be taken to your sign in page with their email address already filled in, so they can simply click Continue to receive a new email with a new link.

    Because the links are one-time use, I recommend suggesting to your clients to delete the Client Portal emails they receive after using them. This can minimize confusion when new emails come in about which email and which link is the latest one.

    To learn more about the Passwordless Login feature, feel free to check out this Help Center guide: How does Passwordless Login work?

     

    I’m also happy to provide more information about the security of the Passwordless Login feature for the Client Portal. The security of your data and that of your clients is our highest priority, and we are dedicated to making sure that all of the features we provide exceed information security standards and requirements.

    Eliminating the use of passwords increases Client Portal security and lowers the risk of unauthorized access of client data. Unauthorized access can happen when perpetrators:

    1. Use different hacking techniques, such as social engineering (i.e., phishing) methods, network sniffing tools, or other techniques.
    2. Gain direct access to a client’s email account and use a password-reset link to ultimately gain access to other applications such as the Client Portal.

    Passwordless Login provides additional security because your clients:

    • Will be required to have access to their personal email account.

    • Will receive a unique one-time use link that is only accessible to the owner of that email account.

    • Can use the unique Sign In link that automatically expires after 24 hours.

      • When your client uses the link to log in to the Portal, the link can no longer be used for another login attempt. If an expired or used link is unintentionally shared, other parties will not be able to log in.

    Passwordless Login also makes the flow easier for both you and your clients:

    • Clients will no longer need to memorize or save a password to log in to the Client Portal.

    • You won’t need to manually reset a client’s password if they forget it.

    • You won’t need to remind your clients not to reuse the same passwords across multiple platforms, or to periodically update their passwords.

    Additionally, I would like to share that we have recently successfully completed a HITRUST certification audit performed by a third-party. The scope of the audit includes the entire SimplePractice web platform. The HITRUST framework is the gold standard of security certifications in the healthcare industry, and it incorporates the entirety of controls required by HIPAA, PCI, NIST CSF, ISO 27001 and ISO 27002.

    Comment actions Permalink
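The three link rules listed in the post above (24-hour expiry, a new request deactivating prior links, one-time use), written out as a minimal in-memory store. This is an added example, not SimplePractice's code and not part of the original post; the class and function names, the token format, the caller-supplied clock in seconds and the choice to keep only a hash of each token are assumptions.

```python
import hashlib
import secrets

LINK_TTL_SECONDS = 24 * 60 * 60  # links expire 24 hours after they are generated


def _digest(token):
    # Assumption: only a hash of the token is kept server-side, never the token.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SignInLinks:
    """Hypothetical in-memory store for emailed one-time sign-in links."""

    def __init__(self):
        self._by_digest = {}  # sha256(token) -> (email, issued_at)
        self._current = {}    # email -> digest of that address's only live link

    def issue(self, email, now):
        """Create the token for a new link and deactivate any prior link."""
        previous = self._current.pop(email, None)
        if previous is not None:
            self._by_digest.pop(previous, None)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = _digest(token)
        self._by_digest[digest] = (email, now)
        self._current[email] = digest
        return token  # goes into the emailed URL

    def redeem(self, token, now):
        """Return the email to sign in, or None if the link must be refused."""
        # pop() makes the link one-time use: a second click finds nothing.
        entry = self._by_digest.pop(_digest(token), None)
        if entry is None:
            return None  # never issued, already used, or superseded
        email, issued_at = entry
        self._current.pop(email, None)
        if now - issued_at > LINK_TTL_SECONDS:
            return None  # older than 24 hours
        # Holding the token is the only check, so whoever can read the
        # mailbox can sign in: the concern raised earlier in this thread.
        return email
```

Requesting a second link before clicking the first makes the first fail on redemption, which a client sees only as an expired link.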
  • Michele Saffier

    My clients report that they request a new password via the request a new sign in link and never hear back, and I have no idea they have emailed ... What is the issue?

  • Ayelette

    Hi Michele,

    In order for a client to receive a Client Portal login link, they will need to enter the email address that you have on file for them, and they'll want to ensure that they've entered that email address correctly.

    If you'd like any assistance reviewing a particular client's experience with their Client Portal, please feel free to email us directly from your account using the blue question mark > Get Help link on the lower right of your account.

  • Leigh Ann Scarpitti

    Many clients complaining

    Every time a client wants to log in they will have to generate a new pin code. Is this correct?

  • Ruth

    Hi Leigh, every time a client wants to log in they'll want to generate a new email link, not pin code. The login link will be emailed to them as soon as they enter their email address in the email form field on your Client Portal webpage. Click here to learn more: https://support.simplepractice.com/hc/en-us/articles/360050073311. You can also forward this guide to your clients for more information: https://support.simplepractice.com/hc/en-us/articles/360043816891-Getting-started-guides-for-clients-How-to-log-in-to-the-Client-Portal-
