Additional password complexity requirements now available:
By default, a provider password is required to have at least:
- 1 uppercase character
- 1 lowercase character
- 1 number
- a minimum length of 8 characters
For added password security, an organization can additionally require one (1) special character and/or a greater minimum length.
Minimum length options include:
- 8 characters
- 10 characters
- 12 characters
- 14 characters
- 16 characters
Account Security Settings
Provider Dashboard inactivity logout: The dashboard will automatically log out a provider after a default time of 15 minutes. This is done as a security measure to prevent the access of private data on a device left unattended and open.
The value for how many minutes before an automatic logout is configurable and can be set to:
- 5 minutes
- 15 minutes
- 30 minutes
- 60 minutes
- 6 hours
- 10 hours
Require Regular Password Changes
An organization may choose to have providers set new passwords after a set amount of time. This can help mitigate risk should user passwords ever be inadvertently and unknowingly exposed. The following intervals are available for password changes:
- 30 days
- 90 days
- 180 days
- 360 days
Multi-Factor Authentication (MFA)
In the interest of increased login security, we have created an option for organizations to require email-based multi-factor authentication (MFA). For an organization requiring MFA, providers creating their account will set it up upon registration. Should an organization require MFA after provider accounts are set up, providers will be prompted to set it up on their next login.
The MFA login flow will consist of:
- Provider logs in with username/password
- Provider receives email with a code and link
- Provider clicks link to login with their code or can enter the code manually on the sign-on page
Watch our YouTube guide on MFA in action! How to use Zephyrx MF
Provider accounts get locked out after 5 failed sign-in attempts:
The dashboard can lock an account after a number of failed login attempts. This is done to prevent unauthorized access via brute force entry. If a provider is locked out of their account due to exceeding the allowed number of failed attempts, they will get a prompt (and an email) that their account has been locked. From here, they can navigate to a page to apply to unlock their account. ZEPHYRx will then process their request and determine whether or not to unlock the provider account.
When enabled, the max failed login attempts defaults to 5, but can be set to:
- 3 Failed Logins
- 5 Failed Logins
- 10 Failed Logins
Prevent reuse of recent password:
An organization may prevent password reuse to guard against cases of inadvertent and unknown password exposure. You have the option of selecting how many password changes are required before reuse is permitted. The options are:
- 3 Password changes
- 5 Password changes
- 8 Password changes
- 10 Password changes
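The complexity options and the reuse window described above can be evaluated together in one policy check. The following is an added example, not ZEPHYRx code: the names `OrgPolicy`, `hash_password` and `violations` are hypothetical, and it assumes PBKDF2-HMAC-SHA256 for stored history, ASCII punctuation as the definition of "special character", and a history list that includes the current password.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

MIN_LENGTH_OPTIONS = (8, 10, 12, 14, 16)  # minimum lengths listed on this page
REUSE_OPTIONS = (3, 5, 8, 10)             # password-change counts listed on this page
PBKDF2_ROUNDS = 600_000                   # assumption: the page names no hashing scheme


@dataclass(frozen=True)
class OrgPolicy:  # hypothetical name
    min_length: int = 8
    require_special: bool = False
    reuse_window: int = 0  # 0 = reuse prevention disabled

    def __post_init__(self):
        # Reject values the settings page does not offer.
        if self.min_length not in MIN_LENGTH_OPTIONS:
            raise ValueError(f"min_length must be one of {MIN_LENGTH_OPTIONS}")
        if self.reuse_window and self.reuse_window not in REUSE_OPTIONS:
            raise ValueError(f"reuse_window must be 0 or one of {REUSE_OPTIONS}")


def hash_password(password, salt=None):
    """Return (salt, digest); history stores these, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def violations(policy, candidate, history):
    """history: (salt, digest) pairs, oldest first, current password last."""
    found = []
    if len(candidate) < policy.min_length:
        found.append("too_short")
    if not any(c.isupper() for c in candidate):
        found.append("no_uppercase")
    if not any(c.islower() for c in candidate):
        found.append("no_lowercase")
    if not any(c.isdigit() for c in candidate):
        found.append("no_number")
    # Assumption: "special character" means ASCII punctuation.
    if policy.require_special and not any(c in string.punctuation for c in candidate):
        found.append("no_special")
    recent = history[-policy.reuse_window:] if policy.reuse_window else []
    # Re-hash the candidate under each stored salt; compare in constant time.
    if any(hmac.compare_digest(hash_password(candidate, s)[1], d) for s, d in recent):
        found.append("reused")
    return found
```

Because each stored entry has its own salt, the reuse check costs one key derivation per remembered password, so a larger reuse window makes each password change slower to validate.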
Organization Signup Control/Allow List
IP Allow List:
One advanced security measure now offered is the ability to whitelist certain IP addresses for an organization.
This may be done to prevent access to the dashboard for a certain organization from any device not within a desired range of individually specified IPs (anything outside a hospital's network, for example). This attribute is disabled by default.
Email Allow List
Another advanced security measure now offered is the ability to whitelist certain emails for an organization. This may be done to restrict dashboard access for any provider whose email no longer has permission. This attribute is disabled by default.
Provider Confirmation Email updates:
- Providers will be notified when they are added to any new organization
- Providers will receive a confirmation email upon successful password change
- Mobile Application (iOS, Android, Amazon) and Spirometer Firmware version now visible to provider during real-time coaching and on the Session record
- Demographics have been updated to display the "Legal behalf" information (if applicable)
- When adding a new patient, we will now display the patient's full first name and last initial(s).
- Ability to brand the header for an Organization's PDF Series reports.
We are excited to announce the newest version of our Mobile app 1.8.3!
New Feature Description:
- Support added for device IDs 099224 and higher
- Added Low Spirometer Battery dialogue if battery level <20%
- Bug fix for the rare case of spirometers not appearing on connect screen
- Bug fix for the rare case of series not appearing during a real-time coaching call
Security Update: A paired spirometer is now required in order to see your Previous Results. This pairing requirement increases the security required to access your test data.