đź“Ł We have moved! All of the most up-to-date information on WebPT Products can be found in its new home on WebPT Discover.

Multi-factor Authentication in the WebPT EMR

This feature is currently in Limited Release to a select group of Members and will be gradually rolled out over the following weeks.

WebPT is rolling out multi-factor authentication (MFA) for organizations to opt-in at no additional cost. With MFA, organizations can require a second form of authentication, such as a one-time code sent to a user’s mobile device. This provides an additional layer of security for rehab therapy clinics – making it harder for unauthorized individuals to gain access to sensitive information. These changes are part of WebPT’s latest round of security updates made by our development team to protect your organization’s—and your patients’—privacy. 

What exactly is MFA?

Authentication is the process of determining that somebody—or something—is who or what they say they are. The most common form of authentication is entering a username and password when logging in to a service such as a website or application. These credentials let the service know that you are authorized to log in. Multi-factor authentication adds another layer to this, and requires additional evidence for the service to determine if you are an authorized user. In addition to a username and password, users must also enter a code that was sent to their email or cell phone (also known as a token), or sometimes even a biometric factor, such as a fingerprint. 

Why should I enable MFA? 

MFA increases security. If one piece of information such as a password becomes compromised, an unauthorized user would still be unable to gain access to your patient information, billing information, and other protected health information. 

As bad actors are increasingly capable of more sophisticated attacks, it’s important to use every tool available to stay protected. 

How to opt-in

Multi-factor authentication is an optional feature. To use multi-factor authentication, there is action required from both Company Admins and Users in the clinic. 

Company Admin

MFA is a setting found in Company Settings

  1. On the WebPT EMR Dashboard, click the Clinic Dropdown, then Company Settings.
  2. Scroll down to the Multi-factor Authentication section and select On.
  3. Click Save Settings.

Once you click Save Settings, all users will be prompted with a new login experience. 

How to opt-out

To turn Multi-factor authentication off for your clinic, simply follow the steps above and select Off


With MFA turned on, users in your clinic will need to provide an additional piece of information other than their username and password to log in to the WebPT EMR. These additional pieces of information are called authenticators, and can be one of two options:

  • A third party authenticator, such as Google Authenticator, or something similar. 
  • A One Time Password (OTP) sent by WebPT to the user’s mobile device. 

The first time a user logs in after MFA is enabled, they’ll need to select which authenticator they prefer to use. After entering their username and password, they’ll be met by a new screen with a QR code. 

A. To choose a 3rd party authenticator, scan the QR code with the chosen authenticator app and enter the one-time code. 

    1. If a user is unable to scan the QR code, click Trouble Scanning? Users will be prompted to manually enter a code in their preferred authenticator app. 

B. To choose a One Time Password sent to the user’s phone, click Try another method, then select SMS.

User Managers

If a user has a new phone number or no longer has access to the device with their authenticator or phone number associated, user managers can simply reset the user’s MFA device. 

  1. On the WebPT EMR Dashboard, click the Clinic Dropdown, then User Manager.
  2. Search for the desired User Profile. 
  3. Click Reset MFA.
  4. Click Save User.
After MFA has been reset for a user, they’ll be prompted with the same process for choosing an authenticator as is outlined in this article. 
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.