Upcoming change to passwordless client portal login
I have a few concerns and am hoping that there can be some explanation or answers as to why the workflow is going to be as it is displaying now.
#1. Why is there not an option for an existing client to simply continue to enter their password? Enter password OR click here to login without a password. If someone knows their password and wants to continue to enter it, I don't see why we should not allow them to continue doing so.
#2. Many of us are trying to run our practices as electronically as possible. Why can't the contact information be an email address instead of a phone number if a client is having a login issue? The client is presumably already in their email account and I would much rather be able to receive an email, generate a new pin code and email back rather than receive a phone call, copy down which client is calling, etc. Phone calls typically generate far more work than a quick email. Seems like an extra step and extra work.
-
Hi Keith,
To your first question, the security of your data and that of your clients is our highest priority, and we are dedicated to making sure that all of the features we provide exceed information security standards and requirements.
Eliminating the use of passwords increases Client Portal security and lowers the risk of unauthorized access of client data. Unauthorized access can happen when perpetrators:
1) Use different hacking techniques, such as social engineering (i.e., phishing) methods, network sniffing tools, or other techniques.
2) Gain direct access to a client’s email account and use a password-reset link to ultimately gain access to other applications such as the Client Portal.
Passwordless Login provides additional security because your clients:
- Will be required to have access to their personal email account.
- Will receive a unique one-time use link that is only accessible to the owner of that email account.
- Can use the unique Sign In link that automatically expires after 24 hours.
- When your client uses the link to log in to the Portal, the link can no longer be used for another login attempt. If an expired or used link is unintentionally shared, other parties will not be able to log in.
Passwordless Login also makes the flow easier for both you and your clients:
- Clients will no longer need to memorize or save a password to log in to the Client Portal.
- You won’t need to manually reset a client’s password if they forget it.
- You won’t need to remind your clients not to reuse the same passwords across multiple platforms, or to periodically update their passwords.
We decided not to make this optional as we are concerned with protecting your clients' privacy in the best way that we can.
To your second question, I can understand why that would be helpful to your practice, but we don't currently have the option to change the setting to reset passwords via email. I would encourage you to add this idea to our Ideas and Suggestions board.
This board is one of our most important resources for understanding which features will have the most value for our community. Posting on our Ideas and Suggestions board means that members of our Product Team, as well as all members of our Community, have transparent access to review your suggestion. Other members can vote on your suggestion, and you can vote on their suggestions as well. You'll also receive notifications when our team makes an update to this post.
If you have any further questions, please reach out to us and we'll be happy to help.
-
I'm trying to determine how this is actually safer for a client in a DV situation where the abuser is in their email program already. Seems like the intended person having a password would provide a layer of possible protection. This appears to be wide open to an abuser with access to their email. It would be appreciated if you could help me understand how this is actually safer. I just switched over to SimplePractice not knowing this was going to happen.
-
I have the same concern as David earlier today. A current client is in a DV situation and the abuser can easily gain access to her phone. She has asked me to delete messages and to then have the old password reinstated. From what I have read, neither of these is being offered by Simple Practice as options. I suspect she may choose to delete the app rather than risk her messages being read, which would be a most unfortunate and risky outcome given our 2.5 years working together, especially with the enhanced isolation that DV clients are facing. I am curious what Simple Practice can suggest, as I suspect this is not a unique concern. Thank you for your help.
-
Is there any way to utilize fingerprints for login as a potential option? Many of my clients in the same boat are finding this method of login to be extremely inconvenient. I totally understand the security concern- but fingerprint would make it pretty secure I imagine? I know there are risks of unauthorized access- but maybe even if clients agree to sign something and waive their passwordless login that they acknowledge the potential security issue- I just feel like they should have an option.
-
Thank you all for contributing your thoughts to this new feature. I've answered your questions below:
Keith - The Passwordless Login will prompt clients to enter their email address when logging into the Client Portal, then an email will be automatically generated so they can click on it to log in. Clients will only be instructed to call their clinician for a 6 digit pin if they're not receiving the automated email with the login link. If you'd like to suggest that we add your email address instead of phone number as the method of contact, you can do so here on our Ideas and Suggestions board.
David and Barnaby - I understand that certain clients are particularly vulnerable to security breaches coming from their associates, partners etc. However, in order to protect clients from known and unknown sources of data breaches, we advise them to use an email address that no one else has a password to. They can always create a new email address with a secure password.
Sadie - We have enabled clinicians to use fingerprinting and facial detection to log in to their SimplePractice mobile apps, if the smartphone in use possesses these capabilities. However, this isn't a feature that can be implemented within the SimplePractice program because it has to do with the device being used. Since there currently isn't a client-facing mobile app, the new Passwordless Login is the most secure way we've devised to protect client data. We're not planning on rolling this feature back, or making it possible for clients to opt out.
If you're curious, here is more information on our new Passwordless Login Feature.
Michael - I've created a help request on your behalf so a team member can reach out to you directly regarding your clients not receiving emails.
-
Clients are HATING this. It's confusing and inconvenient, and, as several others have already mentioned, not as secure as you are assuming. People in DV situations often have people monitoring their email accounts. Others may share an email account with their spouse voluntarily, but it still creates that breach of privacy. I have strong objections to this not being an optional feature.
-
I had no idea what had changed but my clients are now complaining also, stating using the secure instant messaging is now so difficult due to the new login process and is driving my client away from their portal access. I actually don't know what changed but clients say "too many steps now to get into my portal"
-
I just had a patient, who is completely tech savvy, tell me today that the passwordless login is clumsy and makes it take longer to enter the portal. I also had a patient who is not tech savvy, let me try to guide her through the login process for the first 15 minutes of her appointment, and after that, she gave up and we had a telephone session for the rest of her 30 minute session. Phone sessions are less than adequate for clinical assessment and treatment.
One of the top features of SP is the message center, which has made patient - provider communication reliable and efficient. Patients don't have to call one or both of my offices, leave a message and wonder when I will be getting back to them; or email me at one of my emails and wonder when and if I will get their email and respond.
I have been working hard to transfer all of my patients over to SP and the message system has been a big reason why. However, this new passwordless login decreases patient-provider communication by making it more complicated and time consuming to reach me.
-
Hi everyone,
With our Passwordless Login feature, we recommend letting your clients know they can bookmark your Client Portal sign in page for easy access any time.
In addition, here are some security features to note about the Client Portal links:
- The links expire 24 hours after they are generated.
- Each time a new link is requested, prior links will be deactivated.
- Each link is one-time use. This means that the first time a client clicks the link, they'll be brought directly into your Client Portal. If they click the same link again, they'll see a message that the link has expired.
In the case where a link has expired, they can click Request new Sign in link, as shown below.
They'll be taken to your sign in page with their email address already filled in, so they can simply click Continue to receive a new email with a new link.
Because the links are one-time use, I recommend suggesting to your clients to delete the Client Portal emails they receive after using them. This can minimize confusion when new emails come in about which email and which link is the latest one.
To learn more about the Passwordless Login feature, feel free to check out this Help Center guide: How does Passwordless Login work?
I’m also happy to provide more information about the security of the Passwordless Login feature for the Client Portal. The security of your data and that of your clients is our highest priority, and we are dedicated to making sure that all of the features we provide exceed information security standards and requirements.
Eliminating the use of passwords increases Client Portal security and lowers the risk of unauthorized access of client data. Unauthorized access can happen when perpetrators:
- Use different hacking techniques, such as social engineering (i.e., phishing) methods, network sniffing tools, or other techniques.
- Gain direct access to a client’s email account and use a password-reset link to ultimately gain access to other applications such as the Client Portal.
Passwordless Login provides additional security because your clients:
- Will be required to have access to their personal email account.
- Will receive a unique one-time use link that is only accessible to the owner of that email account.
- Can use the unique Sign In link that automatically expires after 24 hours.
- When your client uses the link to log in to the Portal, the link can no longer be used for another login attempt. If an expired or used link is unintentionally shared, other parties will not be able to log in.
Passwordless Login also makes the flow easier for both you and your clients:
- Clients will no longer need to memorize or save a password to log in to the Client Portal.
- You won’t need to manually reset a client’s password if they forget it.
- You won’t need to remind your clients not to reuse the same passwords across multiple platforms, or to periodically update their passwords.
Additionally, I would like to share that we have recently successfully completed a HITRUST certification audit performed by a third-party. The scope of the audit includes the entire SimplePractice web platform. The HITRUST framework is the gold standard of security certifications in the healthcare industry, and it incorporates the entirety of controls required by HIPAA, PCI, NIST CSF, ISO 27001 and ISO 27002.
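The three link rules listed in the post above (24-hour expiry, a new request deactivating prior links, one-time use) can be sketched as server-side state. This is an added example, not SimplePractice's code; the class, its method names, the in-memory storage and the hashing of stored tokens are all assumptions made for illustration.

```python
import hashlib
import secrets

LINK_TTL_SECONDS = 24 * 60 * 60  # links expire 24 hours after they are generated


class SignInLinkStore:
    """Hypothetical in-memory store: at most one live sign-in link per email."""

    def __init__(self):
        self._by_digest = {}  # sha256(token) -> (email, issued_at)
        self._current = {}    # email -> sha256(token) of the only live link

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table cannot be replayed as links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now):
        """Create a link token; any prior link for this address is deactivated."""
        email = email.strip().lower()
        previous = self._current.pop(email, None)
        if previous is not None:
            self._by_digest.pop(previous, None)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = self._digest(token)
        self._by_digest[digest] = (email, now)
        self._current[email] = digest
        return token

    def redeem(self, token, now):
        """Return the email to sign in, or None if the link is no longer valid."""
        # pop() consumes the token before any other check, so a second click
        # on the same link always fails, even if this attempt is rejected.
        entry = self._by_digest.pop(self._digest(token), None)
        if entry is None:
            return None  # unknown, already used, or superseded by a newer link
        email, issued_at = entry
        self._current.pop(email, None)
        if now - issued_at > LINK_TTL_SECONDS:
            return None  # older than 24 hours
        return email


def demo():
    """Constructed scenario: two requests, then clicks on each link."""
    store = SignInLinkStore()
    first = store.issue("client@example.com", now=0)
    second = store.issue("client@example.com", now=60)
    return [store.redeem(first, 120), store.redeem(second, 120),
            store.redeem(second, 180)]
```

The token is a bearer credential: `redeem` succeeds for whoever presents it first, so none of these checks distinguish the mailbox owner from another person who can read the same mailbox.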
-
Hi Michele,
In order for a client to receive a Client Portal login link, they will need to enter the email address that you have on file for them, and they'll want to ensure that they've entered that email address correctly.
If you'd like any assistance reviewing a particular client's experience with their Client Portal, please feel free to email us directly from your account using the blue question mark > Get Help link on the lower right of your account.
-
Hi Leigh, every time a client wants to log in they'll want to generate a new email link, not pin code. The login link will be emailed to them as soon as they enter their email address in the email form field on your Client Portal webpage. Click here to learn more: https://support.simplepractice.com/hc/en-us/articles/360050073311 You can also forward this guide to your clients for more information: https://support.simplepractice.com/hc/en-us/articles/360043816891-Getting-started-guides-for-clients-How-to-log-in-to-the-Client-Portal-