Two-factor authentication is the single best thing you can do to protect your account. Setup takes two minutes.
How it works
After you sign in with your password, we ask for a six-digit code from an authenticator app on your phone. The code changes every 30 seconds. Without your phone, your password is not enough to get in.
Setting it up
You need an authenticator app. Any of these work:
- 1Password (built-in)
- Apple Passwords (iOS 18+)
- Google Authenticator
- Authy
- Microsoft Authenticator
Open Settings → Security and hit "Add 2FA". Scan the QR code with your authenticator app. Type the six-digit code your app shows to confirm. Done.
Backup codes
When you set up 2FA, we show you ten backup codes. Save these somewhere safe — they are the only way to get into your account if you lose your phone. A password manager is the best place. A piece of paper in a drawer is the second best.
Each backup code is single-use. After you use one, scratch it off your list.
Lost your phone
Three options:
- You have backup codes. Sign in, type one of the backup codes when prompted. Once in, generate fresh codes and re-enroll a new authenticator.
- You have your phone but had to factory-reset. Use a backup code, then re-enroll.
- You lost everything. Contact the clinic (if you are a client) or your operator (if you are a clinic or vendor). They will guide you through identity verification — typically a video call. Once verified, they reset 2FA on your account.
The whole point of 2FA is that nobody can bypass it just by asking nicely. Verification is necessarily a small bit of friction. We try to make it not painful.
Hardware keys
For high-security accounts (clinic owners, vendors handling sensitive data), you can use a hardware key (YubiKey, Titan) instead of an authenticator app. Same setting; pick "Hardware key" instead of "Authenticator app". Hardware keys are phishing-resistant and recommended.