Your account holds sensitive client information, so we give you several ways to keep it protected. You will find all of these options in one place, under Settings then Security. This article walks through each setting so you can decide which ones to switch on for your practice.
👉 Your Practice Vault, which encrypts your client records with a personal passphrase, is managed from this same page but works differently from the account-level settings below. We cover it separately in How the Practice Vault works.
Check that your email is verified
At the top of the Account Security section you will see whether your email address is verified. A verified email is what lets you reset your password and receive security alerts, so it is worth confirming this shows a green tick. If it does not, follow the on-screen prompt to send yourself a verification email.
Get an alert when a new device signs in
Turn on New Device Login Alerts to receive an email whenever someone signs in to your account from a device or browser we have not seen before. If you ever receive one of these emails for a sign-in you do not recognise, treat it as a signal to reset your password straight away. You can find more help in Changing your email address and/or password.
Add a verification step at sign-in
Login Verification adds a second layer of protection. With it switched on, you receive a verification code by email each time you sign in, and you enter that code to finish logging in. This means that even if someone learns your password, they cannot reach your account without also getting into your inbox.
⚠️ Because the code is sent to your email, make sure you can always reach your inbox. If you lose access to your email account, you may be unable to sign in.
Set an automatic sign-out timer
Auto sign-out signs you out of It's Complicated after a period of inactivity, which is useful if you share a computer or work from a clinic. Use the dropdown to choose how long to wait before you are signed out. The information icon beside the setting explains how the timer behaves.
Sign in with a passkey
A passkey lets you sign in with Face ID, Touch ID or your device's screen lock instead of typing a password. Passkeys are phishing-resistant and work across your devices. To set one up, select Add Passkey and follow your device's prompts. You can add more than one, for example a passkey on your laptop and another on your phone.
Link your Google account
If you use Google, select Link Google to connect your Google account for faster sign-in and added security. Once linked, you can use the Sign in with Google option instead of entering your email and password.
Review devices signed in to your account
The Active Sessions section lists every device currently signed in to your account, along with the browser, the approximate time, and the location. Your current device is marked Current. Review this list from time to time, and if you see a session you do not recognise, revoke its access.
If you spot a session you do not recognise, revoke it immediately and then reset your password. Revoking signs the unknown device out, and resetting your password stops it from getting back in.