Login Security and Account Recovery

How PracticeRunner handles passkeys, physical security keys, recovery codes, and 2026 HIPAA-oriented login policy decisions.

PracticeRunner supports phishing-resistant sign-in with WebAuthn, including both passkeys and external FIDO2 security keys such as YubiKey.

This article covers staff and practice account sign-in first. Client portal passkeys are handled separately from staff accounts.

What sign-in methods are supported?

Depending on how the deployment is configured, PracticeRunner supports:

  • Passkeys for device-based or synced WebAuthn sign-in
  • Physical security keys for external FIDO2 authenticators
  • Google sign-in where the deployment allows it
  • Microsoft sign-in where the deployment allows it

Available sign-in methods are managed at the system level. Organization security settings define which enabled methods satisfy that practice's sign-in policy.

Provider, admin, and staff accounts are not open signup accounts. A practice user starts from a PracticeRunner onboarding email or invitation, then adds an allowed sign-in method to that already-authorized account. Google and Microsoft sign-in are authentication methods for those authorized users, not a way for an unaffiliated person to create provider/admin access.

How do client portal passkeys work?

Client portal passkeys are separate from staff passkeys.

Clients first access the portal with the usual secure email link. After they have a full portal session, they can open Account security in the portal and add a passkey for future sign-ins.

A client passkey can use a familiar device unlock method, such as Face ID, Touch ID, Windows Hello, a phone screen lock, a fingerprint, or a physical security key. On the portal sign-in page, clients can choose Continue with passkey as a separate option from email-link sign-in.

Email links remain available for first-time access and as a fallback. This is important for clients who are on a new device, are not comfortable with passkeys, or need help from the practice.

PracticeRunner only allows passkey enrollment after a full portal sign-in. Clients cannot add passkeys from secure message-only links, invoice payment links, or other limited-purpose portal sessions.

The existing portal rules still decide what a client can access, including whether portal access is enabled, whether the client is active, representative access, limited access grants, child client restrictions, and portal terms acceptance.

Why does PracticeRunner emphasize passkeys and security keys?

As of March 18, 2026, HHS has proposed updates to the HIPAA Security Rule that would require stronger security controls, including multi-factor authentication, but HHS states that the current Security Rule remains in effect while the rulemaking process continues.

PracticeRunner therefore treats phishing-resistant authentication as a strong security control for HIPAA-oriented deployments, especially for privileged users and organizations handling sensitive clinical data.

What is the difference between a passkey and a security key?

  • A passkey is usually stored by your device platform or passkey manager, such as Apple Passwords, Windows Hello, or another compatible passkey provider.
  • A security key is a separate physical authenticator, such as a YubiKey, that you insert or tap during sign-in.

Both use WebAuthn, but a physical security key is generally the stronger option for privileged accounts because it is easier to keep separate from the device being used to sign in.

Can my organization require passkeys or security keys?

Yes. Organization owners can configure sign-in requirements in Settings > Security:

  • Require passkey or security key for all users
  • Require physical security keys for owners
  • Require physical security keys for all users

The passkey or security key requirement accepts WebAuthn authenticators such as Face ID, Touch ID, Windows Hello, synced passkeys, and physical FIDO2 security keys.

The physical security key requirements are stricter. They require an external key such as YubiKey. Synced or device passkeys do not satisfy a physical-key requirement.

Enabling the all-users physical-key setting automatically enables the other two settings as well: the passkey or security key requirement and the owner physical-key requirement. The owner-only physical-key setting applies to owners only; other users follow the all-users passkey or security key setting if it is enabled.

Organizations often use the owner-only policy first, then extend it to all users if needed.

What happens to Google or Microsoft sign-in?

When there is no organization-level passkey or security-key requirement, users can sign in with any method that is enabled for the PracticeRunner environment.

When an organization requires a passkey or security key, Google and Microsoft sign-in do not satisfy the practice policy by themselves. If a user starts with one of those methods, PracticeRunner asks them to finish sign-in with a passkey or security key before entering the app.

When an organization requires a physical security key, PracticeRunner asks the user to sign in with an enrolled external security key before entering the app.

Microsoft sign-in uses basic OpenID Connect login scopes for provider/admin authentication. It does not add Microsoft calendar, mail, or directory access.
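As an added example (not PracticeRunner's own code), the policy rules from the two sections above, modelled as a small evaluator: which of the three Settings > Security toggles applies to a role, and whether a given sign-in enters the app or is asked to step up. The field names and the three authenticator class labels are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Authenticator classes that satisfy the "passkey or security key" requirement.
PHISHING_RESISTANT = {"platform_passkey", "synced_passkey", "physical_key"}


@dataclass(frozen=True)
class OrgSecurityPolicy:
    """The three Settings > Security toggles described in this article (assumed names)."""
    require_passkey_or_key_all: bool = False   # Require passkey or security key for all users
    require_physical_key_owners: bool = False  # Require physical security keys for owners
    require_physical_key_all: bool = False     # Require physical security keys for all users

    def effective(self) -> "OrgSecurityPolicy":
        # The all-users physical-key setting implies the other two settings.
        if self.require_physical_key_all:
            return OrgSecurityPolicy(True, True, True)
        return self


def required_authenticator(policy: OrgSecurityPolicy, role: str) -> Optional[str]:
    """Strictest requirement that applies to this role, or None if none applies."""
    p = policy.effective()
    if p.require_physical_key_all or (role == "owner" and p.require_physical_key_owners):
        return "physical_key"
    if p.require_passkey_or_key_all:  # non-owners follow the all-users passkey setting
        return "passkey_or_key"
    return None


def evaluate_sign_in(policy: OrgSecurityPolicy, role: str, method: str,
                     authenticator: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """Return (allowed, step_up) for a sign-in attempt.

    method is 'webauthn', 'google' or 'microsoft'; authenticator is the WebAuthn
    authenticator class presented (one of PHISHING_RESISTANT) or None.
    step_up names the requirement the user must still satisfy before entering the app.
    """
    need = required_authenticator(policy, role)
    if need is None:
        return True, None
    if method != "webauthn":
        satisfied = False  # Google/Microsoft never satisfy the policy on their own
    elif need == "physical_key":
        satisfied = authenticator == "physical_key"  # synced/device passkeys do not count
    else:
        satisfied = authenticator in PHISHING_RESISTANT
    return (True, None) if satisfied else (False, need)
```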

How does account recovery work?

PracticeRunner uses different recovery paths depending on account policy.

Accounts that require physical security keys

  • Recovery codes are available only for these accounts.
  • At least one physical key is required.
  • Two physical keys are strongly recommended.
  • Recovery codes are one-time use.

Recovery flow:

  1. Start recovery from the email-based account recovery path.
  2. Open the recovery link sent to your email.
  3. Enter a saved recovery code on the recovery page.
  4. Re-enroll your authenticators.

The public login page does not expose recovery-code entry directly.
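An added illustration (not PracticeRunner's code) of the recovery properties stated in this section: codes are issued only to accounts under a physical-key policy, stored server-side as keyed digests rather than plaintext, accepted only through the emailed recovery link, and consumed on first use. The class and method names, and the choice to consume the link on success, are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set


class RecoveryCodes:
    """One-time recovery codes, issued only to accounts under a physical-key policy."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper                      # server-side secret, never shown to users
        self._unused: Dict[str, Set[str]] = {}     # account -> digests of unused codes
        self._links: Dict[str, str] = {}           # account -> digest of the live recovery link

    def _digest(self, value: str) -> str:
        # Store only keyed digests so a database leak does not expose usable codes.
        return hmac.new(self._pepper, value.encode(), hashlib.sha256).hexdigest()

    def issue(self, account: str, requires_physical_key: bool, count: int = 8) -> List[str]:
        """Generate codes and return them once; only physical-key accounts get codes."""
        if not requires_physical_key:
            raise PermissionError("recovery codes are only issued to physical-key accounts")
        codes = [secrets.token_hex(5) for _ in range(count)]
        self._unused[account] = {self._digest(c) for c in codes}  # replaces any older set
        return codes

    def start_recovery(self, account: str) -> str:
        """Steps 1-2: mint the token carried by the emailed recovery link."""
        token = secrets.token_urlsafe(32)
        self._links[account] = self._digest(token)
        return token

    def redeem(self, account: str, link_token: str, code: str) -> bool:
        """Step 3: accept a saved code, but only when presented with a valid recovery link."""
        expected = self._links.get(account)
        if expected is None or not hmac.compare_digest(expected, self._digest(link_token)):
            return False  # no recovery-code entry without the emailed link
        digest = self._digest(code.strip().lower())
        remaining = self._unused.get(account, set())
        if digest not in remaining:
            return False
        remaining.remove(digest)   # one-time use: the same code cannot be replayed
        del self._links[account]   # assumption: the link is consumed on a successful redemption
        return True
```

After a successful redemption the caller would move on to step 4, re-enrolling authenticators, which is outside this snippet.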

Accounts that do not require physical security keys

These accounts use the normal setup or reset flow and do not usually receive recovery codes.

What gets audited?

PracticeRunner records both successful and failed login attempts.

For supported authentication flows, audit records can include:

  • event type
  • user and role
  • authentication method
  • IP address
  • user agent
  • relying party ID
  • WebAuthn evidence when available

Recovery link issuance, recovery-code use, and authenticator enrollment or removal are also audited.

What should users do if they replace a key or device?

  • Remove the old authenticator from Settings > Profile so it can no longer be used for PracticeRunner.
  • If you want the credential removed from the hardware key or passkey manager too, delete it there separately.
  • If your account is under a physical-key policy, enroll the replacement key before removing the old one whenever possible.

Are all staff required to sign legal documents?

No. Organization-level legal agreements such as the BAA and Terms of Service are signed by the organization owner or another authorized signer. Workforce members usually do not need to sign those organization contracts individually.

If an organization wants workforce-level compliance evidence, the better control is staff training and policy acknowledgement rather than asking every staff user to sign the BAA.