Two-factor verification codes are used in Spruce as an added layer of security when creating a new account, logging in, resetting passwords, or changing authentication settings. There are two options for receiving verification codes: SMS text message or email. Administrators in a Spruce organization can control whether verification codes can be sent to teammates in the following ways:
- Only via SMS
- Only via email
- Teammate can decide SMS or Email
What kind of two-factor authentication does my organization need?
Which method your team may want to use, SMS or email, depends on a few factors, including where your teammates are located and what security concerns you may have. Whether using email or SMS for authentication, you will want to ensure that your organization uses best practices for securing devices and email accounts.
- International considerations: For remote workers or virtual assistants (VAs) working internationally, email verification means teammates do not need to obtain a US phone number in order to use Spruce. You can read more about using Spruce with a virtual assistant here.
- Security considerations: While SMS is generally a safe option for two-factor verification, it can come with concerns such as SIM-swapping. Please note that we recommend ensuring that teammates invited to your Spruce organization have two-factor authentication enabled with their email provider.
- Ease-of-use considerations: Teammates may have different preferences for email or SMS verification depending on their workflow. For example, some practices may prefer not to have teammates receive verification codes on a personal device.
Creating a New Spruce Organization
Note that, when creating a new Spruce organization, you will always need a US-based phone number that can receive SMS verification codes. Depending on the invite configuration, teammates and patients can create accounts without a phone number. Please reach out to us at support@sprucehealth.com if you have any questions about this.
Managing Your Organization’s Two-Factor Authentication Settings
Only administrators are able to make changes to your organization’s two-factor authentication settings. These changes must be made on the web, either through a web browser or the Spruce desktop app. Teammates will be able to view the organization’s settings, but cannot make changes.
Note: Updating your organization’s two-factor authentication (2FA) settings does not change the 2FA method for existing teammates. These settings only affect the options available when inviting new teammates and the 2FA methods teammates can choose from. To update their own 2FA method, teammates must go to Settings > Account > Two-Factor Authentication in their personal account.
To make changes to your organization’s two-factor authentication settings, navigate to Settings > Organization Preferences > Two-Factor Authentication. You will see three options – SMS Only, Email Only, and Email or SMS:
SMS Only
- Teammates will only be able to secure their account with a code sent via SMS text to their phone. They will not have the option in their Spruce account settings to allow verification codes via email.
Email Only
- Teammates will only be able to secure their account with a code sent to their account email. They will not have the option in their Spruce account to allow verification codes via SMS text message.
SMS or Email
- If “SMS or Email” is selected, each provider can modify in their Account settings whether they would like to receive verification codes via Email or SMS text message.
Important Notes for Administrators
Changes to the organization-wide two-factor authentication setting above will not affect any two-factor authentication method that is already in use by a teammate. When changing this setting, a popup will appear to inform you of any teammates who are not compliant with the new setting. You can also review your teammates' settings in Settings > Teammates.
If any teammate changes their two-factor authentication settings, all administrators will receive an email notification informing them of this change. Additionally, if any administrator makes changes to the organization-level two-factor authentication settings, all administrators will receive an email informing them of this change.
Account Verification When Inviting New Teammates
Any time a teammate is invited to join an organization on Spruce, their account will be verified upon acceptance of the email invitation. This verification will happen according to the organization’s preferences:
SMS Only
If the organization’s two-factor authentication preferences are set to SMS Only:
- After accepting their email invite to join your organization on Spruce, the teammate will be prompted to enter their phone number for verification. This number must match the phone number entered when creating their invite.
- A verification code will be sent to that phone number and the user will be prompted to enter it to finish their account setup.
Email Only OR Email or SMS
If the organization’s two-factor authentication preferences are set to Email Only OR if they are set to Email or SMS:
- On the “Invite Teammate” page, there will be a recommended option to require phone number verification.
- If require phone number verification is selected, the teammate will be prompted to enter their phone number for verification after accepting the email invitation. This number must match the phone number entered when creating their invite. Invited teammates will be required to set up their account using the email their invite was sent to. If needed, teammates can change their account email address or phone number once their account setup is complete.
- If require phone number verification is unselected, the teammate can choose to verify via phone number or email after accepting the email invitation. The email or phone number used must match what was entered when creating their invite. Invited teammates will need to set up their account using the email their invite was sent to. If needed, teammates can change their account email address or phone number once their account setup is complete.
Managing Your Account’s Two-Factor Authentication Preferences
Authentication is required when you are creating a new account, logging in, resetting your password, or changing authentication settings. You will be prompted to enter your password when making changes to these settings. These settings may be limited by your organization’s preferences. To change your account’s two-factor authentication settings:
- Go to Settings > Account
- Under Two-Factor Authentication, click Edit
- Select Email or SMS. If your organization’s Two-Factor Authentication settings are set to “Email Only” or “SMS Only”, you will not be able to change this value.
- Note: even if your organization’s Two-Factor Authentication settings are set to “Email or SMS”, if you signed up with email only you will not be able to switch to SMS. In order to switch to SMS, you will need to add a phone number to your account in Settings > Account > Mobile Phone Number.
Didn’t Receive a Code?
If you are having trouble receiving a verification code, you can select “Didn’t receive your verification code?”:
- If your two-factor authentication preference is Email, you will be able to either re-send the verification code or contact support.
- If your two-factor authentication preference is SMS, you can either re-send the verification code, or opt to receive the code via a phone call. If you opt to receive the code via phone call, you will receive an automated call to the same number which will read the verification code to you.
Patient Account Verification
Authentication is required for patients in Spruce when creating a new account, logging in, resetting their password, or changing authentication settings. Patients are required to verify their account via email or SMS, depending on the type of invitation they receive.
Patient Verification upon Account Creation
When patients are creating an account after being invited to a Spruce organization, they are required to complete two-factor verification. Patients can decide whether to secure their account with a phone number or email address. If a patient is invited using a specific phone number, the patient’s mobile phone number entered for their account must match that number on the invitation. Similarly, if invited with email, their email entered must match what was on the invitation. If invited via email AND phone number, both email and phone number must match what was on the invitation.
If a patient joins a practice by clicking a Spruce link (as opposed to accepting an invitation), they can choose which email and phone number to create and secure their account with.
More patient-facing information on how to set up a patient account and set two-factor authentication preferences can be found here.