Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 535: Passkeys and Password Managers: The Future of Secure Logins for Therapists.
Liath Dalton
Indeed. You, if you have been part of the PCT community for any length of time really, have no doubt heard us sing the praises of password managers, but there is kind of an update in this realm, because more and more the hot way of managing login credentials are passkeys.
Evan Dumas
Mhm.
Liath Dalton
And so we wanted to talk about what passkeys are, exactly how they function, and what their relationship to password managers is, and help equip you to navigate both, either one or both in combination, which is ideal.
Liath Dalton
So what’s the whole context here? And why have we been singing the praises of password managers and two factor authentication for so long?
Liath Dalton
Well, really, because passwords by themselves are pretty broken, in that it’s something that you know and has to be recorded or put down somewhere, which makes it pretty inherently weak.
Liath Dalton
So the way to manage that weakness, in terms of security safeguards, is to ensure that a password is unique and complex and that it’s not something that your brain has to be holding or that you are writing down on a piece of paper or storing in your notes file or something like that, right? Those are all prone-to-failure methods of managing strong and unique passwords.
Liath Dalton
So password managers have really been the go to for solving for that, and then paired with two factor authentication, that’s a lot more robust. And two factor authentication is, is bringing in as the title implies that second factor. So a password is the first factor. That’s something you know. The second factor is usually something you are, like a biometric or something you have, like a device.
Liath Dalton
And passkeys build on that, but basically get rid of, they obviate, the something you know piece, which makes it a little easier to manage honestly, right?
Evan Dumas
Mhm, yeah.
Liath Dalton
And Evan, can you tell us more about what passkeys are in in specific detail, beyond the it’s getting rid of the something you have to know?
Evan Dumas
Yeah, sure. So I won’t scare you with big lingo, but here, here’s a little big lingo. It involves cryptographic key pairs, and these have been around a long time.
Evan Dumas
So you would have the public key that you, you know, share around everyone, like uses, and then you have your private key. We don’t share that with anybody. You keep that on your end. And the pair of them sort of verifies that it’s you and it secures things.
Evan Dumas
And this has been used in other like sets of encryption and security in other circumstances, like when connecting to servers and things, but you know, not by the common folk.
Evan Dumas
So a real simple way to think of it is that words and passwords, really easy to duplicate. You write them down, you speak it, oh, it’s everywhere. Keys. Very hard to duplicate. Like you have one, which is, you know, your thumbprint, or your, your face, or something like that, the trusted key, and it’s not duplicatable. Someone else can’t, you know, 100 miles away, be like I’ve got their thumbprint, and then use that to log in. It doesn’t work that way.
Evan Dumas
So it’s using a already, like set system of trust, like a biometric, on one of your devices that shows you are you as the sort of key, and the rest sort of say, like, Hey, I trust this thing, therefore we can let you in.
Liath Dalton
Right. And like pairing the key of what you are, your biometric, with something else that you set up as being trusted and saying, Okay, we’ll go ahead and accept that key.
Evan Dumas
Yeah.
Liath Dalton
And that’s the device, right?
Evan Dumas
Mhm.
Liath Dalton
So before we get into even greater detail about this, I have to give a super important caveat about using passkeys, because the passkeys are dependent on something you have, which is going to be a device, and so all of this being really secure and something that you want to adopt in your practice is predicated on your using hardened devices, meaning a device that has the technical safeguards in place that are required for Safe Harbor under HIPAA’s Breach Notification Rule. Because we don’t want to be enabling this on devices that have poor, poor security. But thankfully, that’s all very much in reach, right?
Evan Dumas
Mhm, yeah.
Liath Dalton
So that, in addition to passkeys being easier to manage than passwords. Why are they safer and simpler than passwords?
Evan Dumas
Yeah, they can’t really be stolen. So you may have some pushback, saying, hey, my Windows computer asked me to have a passkey, and it’s just asking for some numbers, like maybe five numbers. Anybody could grab those five numbers, right? Well, yeah, sure, but the only way they could enter them is if they were to sit down at your chair and type those numbers in.
Evan Dumas
So passwords, unfortunately, the way they work, you can log in as yourself somewhere else. You can log in from a distance, but it requires, you know, the actual physical location, and, you know, that’s it’s not shareable. So it’s really resistant to phishing, breaches, other stolen credentials. It’s all local on the device, which is nice. And there’s nothing. There’s no nothing, even shareable, that’s stealable.
Liath Dalton
Right.
Liath Dalton
So it is stronger than a password plus a second factor?
Evan Dumas
So it’s, it’s just, it’s local.
Evan Dumas
Yeah, yeah, yeah, exactly. Because, in that case, password and second factor, you know, is still pretty strong. It relies on you having multiple devices, but someone could then just steal both devices. Say they know your password, and they can get into your phone, which, okay, that’s that’s a tricky thing there, because that could just be passkey, but the phone gets a text where they intercept the text, and they’re like, sweet, I got the text, I got the computer. I got these two pieces I can log in anywhere in the world, which it’s the anywhere in the world piece that passkeys prevents.
Liath Dalton
Indeed.
Liath Dalton
Now let’s talk a little bit about password managers versus passkeys, because it is true that while passkeys are preferable to passwords, that not every service is yet set up to use passkeys, right? So you might be thinking, Oh, no, is this going to make things more complicated if I start adopting passkeys because I’ve already adopted a password manager, and now do I have to do a new thing?
Liath Dalton
Well, the great news is that if you are using a dedicated password manager, like 1Password, which is the one we recommend as really being the gold standard for a dedicated password manager that it can store both passwords and passkeys. So it’s cross platform. If you are a group practice, then it can be team accessible and not locked in a particular operating system or dependent upon that.
Liath Dalton
And so it is kind of the best of both worlds for where, where we are now is to start adopting passkeys,
Evan Dumas
Yeah.
Liath Dalton
where there is a service that is available to use them. But manage them with a dedicated password manager, so that you have everything contained in one robust and secure environment, and you are really effectively managing password security for all of the services that still require use of passwords and haven’t yet added passkey as an option, right?
Evan Dumas
Mhm, yeah, yeah. They work hand in hand.
Liath Dalton
Right. Hand in hand. It basically gives you, that combination of a password manager plus passkeys, gives you the strongest and simplest login ecosystem you can have.
Evan Dumas
Yeah, the way I have it working right now is I’ve got a MacBook Pro, one of the M ones, the Apple silicon, and they have this lovely little button in the corner that is a little thumbprint scanner. And I’ve got 1Password on my computer. And yeah, I use passwords all over the place, of course, and they’re all saved in 1Password. And so I go to a site that maybe doesn’t have a passkey, but to unlock 1Password, normally, you’d have to type the long little phrase. And I like, you know, have a memorable quote from a movie so you can always remember it, but my computer is like, Hey, do you trust 1Password? We could set up a passkey for it so you just use your thumbprint to unlock it, not typing the password. I’m like, I would love that. So now, any website I go to, I’ve never, I haven’t typed a password in a very long time on that computer, I just, like, tap the little button with my finger or thumb and it unlocks everything, and even auto logs in. It’s, it’s phenomenal, right?
Liath Dalton
How big of a difference is it from the old school way of even, even though, prior to your adopting the passkeys, Evan, you were using 1Password for managing passwords, which was leveling up from doing it –
Evan Dumas
That Google document that was hidden behind two factor Yeah, totally.
Liath Dalton
Uh huh, yeah. Right. But just how much more pleasant of an online experience do you have, especially considering how many different platforms and services you’re navigating and logging into on a daily basis?
Evan Dumas
Yeah, well, it’s, unfortunately, it’s a bit of the technical term of the hedonic treadmill, where you adapt to good things and you don’t think they’re good anymore, but when you get exposed to situations where they don’t have them, you go, this is awful, wait, what? So I’ve, kind of the new fangled shininess has worn off, and it’s lovely, yes, but that loveliness is only in contrast to clunky times when I have to type in passwords.
Liath Dalton
Are you remember, reminded of that when you are providing technical support, for example, to your in laws and parents?
Evan Dumas
Oh, no, I actually just have other computers I work on that don’t have that button. Like Apple doesn’t sell you a thumbprint button. So my Mac Mini doesn’t have it, my Windows computer doesn’t have it. So I only get to experience this beauty of thumbprint as password sometimes in my life. So no, I get pretty regular exposure to it.
Liath Dalton
Ah, gotcha. Gotcha. Okay, so where can folks use passkeys today?
Evan Dumas
Oh, my gosh, you’re already doing it. When you open your phone with your face or thumbprint, instead of typing in a code you can, also just big services, Google, Microsoft, Apple, Amazon, Adobe, Facebook, Instagram, like the Meta apps, things like that. More and more people are going to be rolling it out because it is great, but it’s going to be the big people first, because they know how to integrate. They’ve got the people to do it. And we’ll see more and more and more, but it’s, it’ll be slow.
Liath Dalton
So this is where we should say that the sort of most frequently utilized practice management EHR systems have not yet rolled out
Evan Dumas
Oh, no.
Liath Dalton
passkeys, right?
Evan Dumas
No.
Liath Dalton
They have two factor authentication in place –
Evan Dumas
Some do.
Liath Dalton
Right. I’m saying the most, the most popular ones,
Liath Dalton
Oh, yeah, yes.
Liath Dalton
Or the ones we recommend that most PCT clients are utilizing do have two factor. Though, it is true that there are still some practice management EHR systems that don’t have two factor, which is a whole other conversation and sort of soapbox rant.
Liath Dalton
But it’s not something that you can use across all services. Which is precisely why we said the ideal pairing is to adopt them where you can and be using it in conjunction with a dedicated password manager where you can also then be storing those, those passkeys.
Liath Dalton
So it’s going to be a minute before password or practice management systems have passkey functionality. But as we talk about so frequently, while a practice management EHR system is often like the primary system in your practice’s tech stack, your next system of primary importance is going to be your Google Workspace environment generally, or your Microsoft environment. And those services do support it.
Evan Dumas
Oh, definitely.
Liath Dalton
So there is a lot of high sensitivity info in those systems, and you’re normally accessing them so frequently that go ahead and enable that passkey and start getting to experience the goodness of that experience.
Evan Dumas
Yeah.
Liath Dalton
All right, so what are some of the specific considerations folks need to undertake if they are going to start adopting passkeys, if they haven’t done so already?
Evan Dumas
Oh, yeah, easy peasy. So first, you know the basic everybody, get your device into Safe Harbor. You know, use your use our BYOD center, make sure that it’s possible to get your device into Safe Harbor. Because, like your Remarkable tablet, or your your Kindle Fire, ain’t going to be able to do this sort of thing.
Evan Dumas
And then sort of know what you’re going to do when you potentially lose a device. So you know, if you have a password manager, do you have your your backup emergency one sheet there? Or are your your, your systems like, linked to Google accounts, so you can recover it? Like, just have a plan, just think about what, what that looks like.
Evan Dumas
And then just know, okay, if you do need to share things, share passwords, how are you doing that in that situation, so you all have one access to something. What’s that going to look like? Because a passkey would actually make that rather tricky, because then, you know, not everyone’s going to be able to do that. So know the limitations of this and where where it is.
Evan Dumas
And you know, then write all this stuff down. Like write down how you’re going to share, how you’re going to deal with contingency planning, if you lose it, if it’s hardened because HIPAA says documentation or it’s not done. But those three things Safe Harbor, contingency planning, and knowing where you can and cannot use it. It’s pretty much it.
Liath Dalton
Exactly. So, one, one consideration for where you don’t want to use it would be, and again, this has to be contextualized with we don’t want password sharing, the password and credential sharing for systems that contain PHI is something that’s prohibited under HIPAA, but we know the reality is that there are systems that don’t contain PHI that are still very crucial to practice operations, and that you want to have multiple folks being able to access in the event of need. Like that ability for other people to access as part of your overall contingency plan that needs to be set up in such a way where it is not passkey dependent, right?
Evan Dumas
Yeah.
Liath Dalton
So that’s one of the things you want to take into account. So really, our closing takeaways are that passkeys are powerful and wonderful and make things a lot more efficient and seamless, not just secure, but that the strongest combo is going to be passkeys plus a dedicated password manager.
Evan Dumas
Yep.
Liath Dalton
And that, let’s say you currently are not using a password manager, and you’re thinking, well, which, which should I go for, first passkeys or a password manager? The verdict would be, well, go for the password manager, because that’s going to be something that provides security across your services.
Evan Dumas
Yeah, it will cover more bases.
Liath Dalton
Right, it covers, covers more bases. And then from there, because password managers can also store passkeys, then you can adopt that too. It doesn’t preclude the other but if you’re looking at sort of order of operations and where to start, I would say, start with the password manager.
Liath Dalton
If you’re already using a dedicated password manager, then start bringing in the passkeys component. And if you have questions about how to manage this for your practice, whether you’re solo or group or want support with making sure your devices are hardened, we are here for you.
Liath Dalton
So check out the resources in the show notes. And we hope this has been helpful, because we’ve been thinking, ah, as these are becoming more and more common, and there have been more and more news stories as well about how passwords suck, and we’re moving away from passwords, we know folks have had questions about it and some sort of trepidation, like Evan said, about the security of it. Just like back in the day, there were questions and understandable concerns about wanting to know how using biometrics worked, and if that was secure enough for needs for managing login credentials for systems that had client info or financial info.
Evan Dumas
Yeah.
Evan Dumas
Yeah.
Liath Dalton
So hope this has been helpful. Thanks so much for joining us, and we’ll chat with you next week.
Evan Dumas
Yeah, talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we explain what therapists should know about using passkeys in their practice.
We discuss:
- Why we recommend password managers
- How passkeys differ from passwords
- Why passkeys are simpler and safer than passwords
- Which password manager we recommend
- Where you can use passkeys
- Things to consider when adopting passkeys
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more