
Passwordless link

Answered


  • Ruth

    Hi Penny,

    You actually won't need to send them a link at all. The Passwordless Login only requires that your client enter the email address you have for them on file when signing into the Client Portal. Once entered, the system will automatically generate an email with the link to log in. As you mentioned, this link is only valid for one-time use in 24 hours; however, your clients can generate a new link at any time.

    Eliminating the use of passwords increases Client Portal security and lowers the risk of unauthorized access of client data. Unauthorized access can happen when perpetrators:

    • Use different hacking techniques, such as social engineering (i.e., phishing) methods, network sniffing tools, or other techniques.
    • Gain direct access to a client’s email account and use a password-reset link to ultimately gain access to other applications such as the Client Portal.

    Passwordless Login provides additional security because your clients:

    • Will be required to have access to their personal email account.
    • Will receive a unique one-time use link that is only accessible to the owner of that email account.
    • Can use the unique Sign In link that automatically expires after 24 hours.
    • When your client uses the link to log in to the Portal, the link can no longer be used for another login attempt. If an expired or used link is unintentionally shared, other parties will not be able to log in.

    Passwordless Login also makes the flow easier for both you and your clients:

    • Clients will no longer need to memorize or save a password to log in to the Client Portal.
    • You won’t need to manually reset a client’s password if they forget it.
    • You won’t need to remind your clients not to reuse the same passwords across multiple platforms, or to periodically update their passwords.

    If you're curious, here is a helpful resource you can refer to on the Passwordless Login.

    Feel free to comment below with additional questions.

  • Erik A. Bohlin

    So, here is a scenario.  I am a client.  Could my wife get my phone or laptop?  Put in my email address and then get the link and get into my Portal?  

    I will say when you see the word "passwordless" it is psychologically not coming across as secure and safe.  It is coming across as "let's lower security to make things more convenient."

    I am not sold that this is secure as I don't understand this and I am pretty tech-savvy.  If this is secure, wording like, "secure link"  "secure link - key" or something that is link oriented rather than passwordless.  

    It is like we will give people a "passwordless link to get into your files, just one time within a 24 hour period."  A password, while it may be hacked is still the standard for banks, medical records, etc.  Put this in the context of a bank using this system.  How safe would someone feel if their bank offered them a passwordless system to get into the account?  

    Sent with all respect, just trying to understand the level of security.  

  • Michelle Smith

    Hi there!

    I am reaching out to you guys today because one of my patients that I most recently sent forms to is stuck in a loop with the "passwordless" email. The patient will get an email with the link and then when they click the link it takes them to the page that says the link has expired and that a new email with a new link has been sent. They then go to that new email and click on that new link which takes them to the same page saying that a new email has been sent with a new link. The patient tried 20 more times and got 20 more emails with 20 more links to the same page.

    Has this been happening to other people / is this fixable? 

  • Roderick E. Branscome

    For almost a year (whenever SP made severe changes to the way clients book appointments) many clients have complained about various functions of the portal.

    I miss the old days when clients would tell me how much they appreciated the convenience & ease of use of the portal. Those days are gone.

  • Associates in Family Psychology

    I have to agree with several others here that this does NOT seem more secure as clients' family members often have access to these devices.

    It's also very inefficient for using with secure messaging. Still waiting on the client app.

    If SP gets a client app created, what kind of security will that have?

    My Chart only requires username and password. As well as Athena Health. Chase bank only requires username and password but adds the device's IP as an approved device and will text you a code to access if it's unrecognized.

    Last but not least, major changes should not be implemented during a crisis. smh.

  • Brian Barkett

    Hi, our clients are also having issues with having their passwordless link expire. I need clarification on the timing that our clients receive the email with the passwordless link.  Our appointment reminders are set to go out 36 hours in advance, as we found that this helped reduce cancellations less than 24 hours in advance and gave us a chance to schedule someone else in that time slot. Also, our clients are to receive an appointment email/text 10 minutes prior to their appointment time. Which of those notifications is the one that has the Passwordless Link?  I have read through all of the guidance and don't see a clear answer.  Do I need to change the notification setting, so that it goes out less than 24 hours?  I feel that will increase our late cancellation activity and ultimately result in many unbillable hours or excessive late charges to our clients. It also doesn't feel good starting off a session in frustration, which is what is happening.

  • Renee Divine

    I have a client experiencing the same circular password expired link issue. Has anyone responded to any of these inquiries??

     

  • Rhaizza Velasquez-Garcia

    I have a client with the same problem... Please, we need somebody to look into this issue. 

  • Suzanne Smith

    I agree that this is a decrease in security rather than an increase. HIPAA compliance should allow patients to feel that they have control of their mental health history. Having access to an inbox hardly seems secure. I know that SP has argued in the past, regarding the passwordless link to secure messaging, that people have passwords for their email accounts and if they don't keep their email secure then it is not SP's problem, but the reality of how people work is that most people don't have to log on to email on their computers if they use a program like Outlook or MacMail. It seems an undue burden to ask that people log out of their computers whenever they leave the room for any extended period of time or that they don't let others use their computers if they don't want to be open to revealing very personal health information. Although it would be nice to believe that patients have trusting family relationships, as mental health practitioners, we know this is not always the case. If you want to improve security, I would recommend setting up a two-factor verification system that uses a password plus a code sent to a cell phone—what is becoming standard practice for increased security. We signed up for SP because it was HIPAA-compliant and seemed to value privacy and security, but it seems that they are moving away from privacy and security in order to increase convenience. That said, the reason I read this thread in the first place is because I also have a client stuck in the password-link-expired loop. So much for convenience.

  • Alanna Brewton

    This is so incredibly confusing and frustrating. Do we send a new link after 24 hours? That's incredibly difficult and far from "simple". 

  • Ruth

    Hi Everyone,

    Thank you for the feedback on this feature. I'll relay your comments to our Product Team. For the time being, I'd recommend adding your thoughts to our Ideas and Suggestions Board here: http://simplepractice.uservoice.com/

    Brian: As far as the Appointment Reminder emails go, they don't contain links to log in to the Client Portal. If the appointment you scheduled with the client is a Telehealth appointment, then the unique link to join the video call will be in the email. This link only expires after the end time of the appointment.

    Security of the Passwordless Login: To those of you who've voiced concern about someone who has access to your clients' email login, we understand that some people may not have secure email addresses that could lead to security breaches. However, many people auto-save their passwords on their browsers, including the passwords they may've had for their Client Portal. We're not opposed to considering alternative login methods, but at this time the best solution may be for clients to use, or create, a secure email account for their Client Portal access.

    Expired Links and Troubleshooting Client Portal Login: I've included further instructions on this below, but if you have specific questions regarding a particular client, please submit a help request so we can investigate your case further. Click here to submit a help request: SimplePractice Help Request Form.

    Here's the way the Passwordless Login works: 

    • The Passwordless Login is a unique one-time use link that is only accessible through the client's email on file. 
    • It automatically expires in 24 hours, or after being clicked on once. 
      • If an expired, or used, link is unintentionally shared, other parties will not be able to log in. 
    • Clients will be logged out and prompted to generate a new link after 15 minutes of inactivity on the Client Portal, even after having logged in. 

    Expired Link:

    • If the client accidentally clicks an expired or used Sign In link, they will not be able to log into their Client Portal and will automatically be sent a new link to use via email. 

    • If the link expires again, the client will need to request a new Sign In link manually.

    Here's how to troubleshoot sign in issues with Passwordless Login: 

    • If a client has trouble logging into the Client Portal, they can click Try these tips.

    • They will see 3 different tips they can try to troubleshoot the login problem. If they're still unable to log in to the Client Portal after trying these 3 tips, they can click Sign In via Pin code.

    • Then they'll be directed to call your practice to receive a 6-digit Pin code from you. The phone number that populates here comes from your Practice Details page in your settings.

    • When you receive the call from the client, navigate to their client Overview page > Edit > Client Portal tab. Click Generate Pin Code.

    • Share the automatically generated 6-digit pin code with the client. Like the unique sign in links, the pin code can only be used once and automatically expires in 24 hours. The client will need to request a new pin code from you if their pin code expires. 

    • The client can enter the 6-digit pin code and click Continue & Sign In to log into their Client Portal. 

    This guide contains much of the information I've included in the email: Passwordless Login. You can also refer to our instructions on How to individually update and troubleshoot the Client Portal for a client.

    For your clients, I'd recommend forwarding this resource to help them log in: Getting started guides for clients: How to log in to the Client Portal.


Post is closed for comments.
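
The link rules described in the thread (one-time use, 24-hour expiry, 15-minute inactivity logout) can be sketched as follows. This is an added example, not part of the thread and not SimplePractice's code; the class, function names and in-memory storage are assumptions made for illustration.

```python
import hashlib
import secrets
import time

LINK_TTL = 24 * 60 * 60   # link lifetime described in the thread: 24 hours
IDLE_TIMEOUT = 15 * 60    # inactivity logout described in the thread: 15 minutes


class SignInLinks:
    """Hypothetical in-memory store; names and storage are assumptions."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._clock() + LINK_TTL)
        return token  # would be embedded in the e-mailed sign-in URL

    def redeem(self, token):
        # pop() removes the record on first use, so a replayed link finds nothing.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None  # unknown or already used
        email, expires_at = record
        if self._clock() >= expires_at:
            return None  # expired; the record has already been removed
        return email


def session_active(last_seen, now):
    """True while the portal session is inside the 15-minute idle window."""
    return now - last_seen < IDLE_TIMEOUT
```

Because `redeem` consumes the token on any request that presents it, whichever request reaches the server first uses up the link, whether or not the client was the one who made it.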