Account Protection & Multi-Factor Authentication (MFA)

We’re updating Healthie’s sign-in experience to support additional multi-factor authentication options for providers. This article reviews the updated experience. Subscribe here to be notified when this is live for your account.

Healthie is healthcare‑critical and business‑critical software. Providers, admins, and patients rely on Healthie every day to deliver care, manage sensitive health data, and run their practices. Protecting access to your account is essential.

Multi‑Factor Authentication (MFA) adds an extra layer of security on top of your password to help prevent unauthorized access, even if a password is compromised.


What is Multi‑Factor Authentication (MFA)?

MFA requires you to verify your identity using something you know (your password) plus something you have or are (like a code sent to your phone, an authenticator app, or a passkey).

This approach significantly reduces the risk of account takeover and is a widely recommended best practice for healthcare software.


MFA Options Available in Healthie

When MFA is enabled for your account, you’ll be prompted to choose one or more of the following authentication methods during setup:

Email Verification

  • A one‑time code is sent to your email address
  • Useful as a fallback option

Your code expires after 5 minutes. If it has expired, use the Resend Code option to send a new code to your email address.

SMS (Text Message)

  • A one‑time code is sent to your phone number
  • Ensure your phone number is accurate and up to date

If your phone number is outside the United States, use the country dropdown to select your country, then enter your full phone number.

Authenticator App

  • Uses an app (such as Google Authenticator, Authy, or 1Password) to generate time‑based codes
  • Does not rely on email or SMS delivery

Open your authenticator app and scan the QR code displayed in the pop-up. This will add a new account to your authenticator named Healthie with your login email address displayed.

Enter the 6-digit authentication code once the app has generated it.
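To show why an authenticator app works without email or SMS delivery, here is an added example (not Healthie's code) of how the QR code's provisioning URI is built and how a 6-digit, 30-second time-based code is generated and checked per RFC 6238; the issuer/account labelling, the clock-skew tolerance and the RFC 6238 test secret are assumptions.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

DIGITS = 6          # length of the code the user types in
STEP_SECONDS = 30   # how long each code is valid before the next one rolls over

# Constructed sample: the shared secret from RFC 6238's test vectors, base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def provisioning_uri(secret_b32: str, account_email: str, issuer: str = "Healthie") -> str:
    """otpauth:// URI encoded in the setup QR code (assumed layout).

    The app displays the issuer and the account label, which is why the new
    entry appears as "Healthie" with the login email next to it.
    """
    label = quote(f"{issuer}:{account_email}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def totp_code(secret_b32: str, at_time: int) -> str:
    """Compute the code for the 30-second step containing at_time (HOTP over a time counter)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = at_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def verify_code(secret_b32: str, submitted: str, at_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus one step either side for clock skew."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for step in range(-drift_steps, drift_steps + 1):
        candidate = totp_code(secret_b32, at_time + step * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):   # constant-time comparison
            return True
    return False
```

Because both sides derive the code from the shared secret and the current time, nothing has to be transmitted to the user at login, which is the property the bullet "Does not rely on email or SMS delivery" refers to.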

Passkeys

  • A password‑less sign‑in method tied to your device
  • Uses biometrics (Face ID, Touch ID) or device PINs
  • More secure and easier than remembering passwords

What are passkeys?

Passkeys replace traditional passwords with cryptographic keys stored securely on your device. A passkey is bound to the site it was created for, so it can’t be reused elsewhere, guessed, or phished, making passkeys one of the most secure authentication options available today.

Users can select “Don’t ask me again” to dismiss the passkey prompt.


Enabling MFA in Healthie

At this time, MFA for providers can be enabled by request. MFA is not currently available for client accounts.

How to Enable MFA

  1. Email hello@gethealthie.com requesting that MFA be enabled for your organization or account.
  2. Once MFA is turned on, providers will be prompted to set up MFA the next time they sign in with their Healthie credentials.

This process is designed to be seamless and does not require any action from end users until their next login.

Multi-factor authentication will soon be required. Subscribe here for real-time notifications.


What Providers Experience During Sign‑In

Once MFA is enabled:

  • Providers log in with their email and password as usual
  • They are prompted to set up MFA if they haven’t already
  • They choose their preferred authentication method(s)
  • A backup recovery code is generated

Trusted Devices

  • Providers can choose to remember a trusted device for 14 days
  • During this period, MFA won’t be required again on that device

Backup Codes: Best Practices

During MFA setup, each user receives a backup recovery code.

We strongly recommend:

  • Storing the backup code in a secure password manager
  • Saving it somewhere accessible but protected
  • Never sharing it via email or chat

Backup codes are critical if you lose access to your primary authentication method.

See Admin Actions & Troubleshooting below to learn how to reset MFA (which also issues a new backup code) if a team member cannot recall their code.


Email Verification & Security Notifications

When signing up for Healthie for the first time, users are required to verify their email address before accessing the platform.

A verification email is sent with a link that, once clicked, completes account activation and allows the user to sign in using their credentials. This activation link is valid for 7 days.

When MFA is enabled or updated on a user account:

  • The user receives an email notification confirming the change
  • This helps alert users to security updates on their account

Advanced Security Rules & Notifications

Our authentication system includes multiple layers of security monitoring and enforcement, which may include: bot detection, recognizing unknown devices, multiple failed password attempts, breached password detection, impossible travel detection, suspicious IP analysis, stale account management, and email credibility checks.

These controls may prompt additional verification, restrict access, or flag activity for review.


Admin Actions & Troubleshooting

Reset MFA for a Provider

Admins can reset MFA for a provider if they need to re‑establish access.

Use this when a provider:

  • Gets a new phone number
  • Loses access to their authenticator app
  • Needs a new backup code

How to reset MFA:

  • Navigate to the provider’s profile
  • Select Reset MFA (located near the “Resend Invitation Link” option)
  • The provider will be prompted to set up MFA again at their next login

Incorrect Email Address for a New Provider

If an admin enters the wrong email address when adding a provider:

  1. Update the email address in Healthie
  2. Select Resend Invitation Link

The provider will then be able to complete account setup successfully.


FAQs

Can my office staff use shared logins to respond to client messages?

No, shared logins are not supported. Instead, office staff can securely respond to client messages on behalf of a healthcare provider using Healthie’s Organization Chat. Messages are sent with full transparency, so clients can see who is responding, while maintaining appropriate access controls and auditability.
