# Authentication
Atticus Health runs a self-hosted identity provider — passwordless login for patients and mandatory two-factor authentication for providers and staff. All identity data stays within our infrastructure.
## Self-Hosted Identity
Rather than relying on a third-party authentication service, Atticus Health self-hosts its identity infrastructure:
- Data sovereignty — All identity data stays within our infrastructure
- No external dependency — Login doesn't depend on a third-party service's availability
- Full customization — We control every aspect of the authentication experience
## Patient Authentication — Passwordless

Patients authenticate entirely without passwords. There are no passwords to manage, reset, or breach.

| Method | How It Works |
|---|---|
| Email verification | One-time code or magic link sent to the patient's email |
| SMS verification | One-time code sent via text message |
This eliminates the most common attack vector in healthcare — stolen or weak passwords — while keeping the experience simple for patients.
## Provider & Staff Authentication

Providers and staff use a stronger login process appropriate for clinical data access:

| Method | Details |
|---|---|
| Email + 2FA | Two-factor authentication required for all clinical users |
| Enterprise SSO (Single Sign-On) | SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) support for clients using their own identity providers |
| QR code login | QR-based login for kiosks and shared clinical workstations |
## Access Levels

Atticus Health's access model defines the following levels:

| Level | Who | Access Scope |
|---|---|---|
| Platform Admin | Atticus Health operations team | Cross-tenant platform management |
| Tenant Admin | Client IT administrators | Single tenant configuration and user management |
| Provider | Physicians, NPs (nurse practitioners), PAs (physician assistants) | Full clinical access within their tenant and assigned patients |
| Staff | Front desk, care coordinators, billing | Operational access within their tenant |
| Patient | Patients via the mobile app | Own records across connected organizations, connected family member records |
| Server-to-Server | Internal services, integration partners | API-scoped access for automated workflows |
## Session Security
- Short-lived tokens — access tokens expire quickly; if one is compromised, the window of exposure is small
- Per-organization sessions — every session is bound to a specific organization; cross-organization access is prevented by design
- Automatic rotation — refresh tokens are single-use and rotated on every refresh request
- Instant revocation — sessions can be invalidated immediately across all devices
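A small in-memory model of the four session rules above, added here as an example (it is not Atticus Health's code): access tokens expire after a short TTL, each session is bound to one organization, refresh tokens are single-use and a replayed one ends the session, and all of a user's sessions can be revoked at once. The TTL values, identifiers and storage layout are assumptions.

```python
import secrets
import time

ACCESS_TTL = 300        # assumed: access tokens live 5 minutes
REFRESH_TTL = 8 * 3600  # assumed: a session can be refreshed for up to 8 hours

class SessionStore:
    """In-memory model of the session rules above (example code, not Atticus Health's)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session id -> {"user", "org", "exp", "revoked"}; org is fixed at login
        self.access = {}    # access token -> (session id, expiry)
        self.refresh = {}   # refresh token -> (session id, already used?)

    def _issue(self, sid):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (sid, self.clock() + ACCESS_TTL)   # short-lived
        self.refresh[refresh] = (sid, False)                     # single-use, unused so far
        return access, refresh

    def login(self, user_id, org_id):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user_id, "org": org_id, "exp": self.clock() + REFRESH_TTL, "revoked": False}
        return self._issue(sid)

    def _live(self, sid):
        s = self.sessions.get(sid)
        return s if s and not s["revoked"] and s["exp"] > self.clock() else None

    def authorize(self, access_token, org_id):
        """Return the user id only for an unexpired token of a live session bound to org_id."""
        sid, exp = self.access.get(access_token, ("", 0.0))
        s = self._live(sid)
        return s["user"] if s and exp > self.clock() and s["org"] == org_id else None

    def rotate(self, refresh_token):
        """Consume the refresh token and mint a new pair; a replayed token ends the session."""
        sid, used = self.refresh.get(refresh_token, ("", False))
        if used:                      # second presentation: the pair may be in someone else's hands
            self.sessions[sid]["revoked"] = True
        if not sid or used or not self._live(sid):
            return None
        self.refresh[refresh_token] = (sid, True)
        return self._issue(sid)

    def revoke_user(self, user_id):
        # Instant revocation: every live session of the user dies at once, on every device
        hits = [s for s in self.sessions.values() if s["user"] == user_id and not s["revoked"]]
        for s in hits:
            s["revoked"] = True
        return len(hits)
```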
## Security Controls
- Bot protection — CAPTCHA-based protection against automated credential attacks
- Family access controls — Patients can grant access to family members for dependent healthcare management
- Full audit trail — Every login, logout, two-factor challenge, and role change is logged