SMS login link password creation prompt

Your Organization:

Provincial Health Data Center

Organization Type:

Government

What Other Organizations Would Benefit From This Feature:

All entities that require password reset or first-time login password set functionality.

Describe the Feature:

As a CHW user I want to set my password myself for the first time on login via the SMS-ed magic link. And then from then on, the user will sign in with their username and password.
When that password has been defined, the SMS login link is automatically disabled.
This could also satisfy the case where a password reset was requested, the sys admin can send out a new SMS where the user can click the link and be prompted to enter a new password.

What “Pain Point” Does The Proposed Feature Address:

Currently, as mentioned in the recent CHT round-up, a sys admin will have to re-generate a login link for each user after it has expired OR set a password for each user.
The former could take a considerable amount of time to do periodically.
It would also reduce the costs that are incurred by reducing the amount of SMSes that are sent.

Proposed Solution:

This feature could possibly piggy-back off the new create_user_for_contacts feature which SMSes a magic link to a registered user as a login method. Instead of the sys admin defining a password for each user when the link expires, or re-generating and sending out the link periodically, they could select a different option on the portal user to allow a user to set their password on magic link login.
This could free up the sys admin’s time and provide peace of mind that someone else does not know your password.
The existing update password dialog, found in user settings (see attached), could possibly be reused to facilitate the required data capture.

Links To Supporting Information / Uploads:


Thanks for the submission @robinmurphy !

I wonder if having the admin set the password to something the CHW knows after 24 hours would work? While this does not allow the CHW to set the password themselves, it does let them log in with the token login link in the valid 24 hr period, then they can use the password at a later date if needed. The token login stats and password should be able to be updated programmatically in bulk via the CHT API or directly in CouchDB.

Otherwise, pinging my colleague @michael who might have some ideas and questions!

Thanks for the ping @mrjones … a couple of questions for you @robinmurphy.

  1. Are you wanting/expecting users to frequently log out / do they all have the can_log_out_on_android permission? Or is the main problem just missing the 24h expiration?
  2. Do your users have good internet connectivity / are they online regularly? (You can receive the magic link over SMS, but you can’t log in to the CHT without a data connection)
  3. I’m curious what happens if a user logs in using magic links and then tries to change their password. Is the “Update Password” screen even accessible to them (there wouldn’t be a “current password” so they wouldn’t be able to change it anyway, but I’m curious what they see)?
  4. Also curious how you are setting/handling usernames. When you use magic links, the user doesn’t need to know their username and they’d have to go to either the About page or User Settings page to figure it out. Can you tell us a bit more about your username assignment process?

@michael - I can answer parts #3 and #4!

I’m curious what happens if a user logs in using magic links and then tries to change their password. Is the “Update Password” screen even accessible to them (there wouldn’t be a “current password” so they wouldn’t be able to change it anyway, but I’m curious what they see)?

When you have token login enabled, and you go to hamburger menu → “User Settings” you don’t see an “Update Password” option:

image

As an admin, I can disable the token login, but then I am forced to set a password:

Noteworthy: changing a user from token to password login immediately disables that user’s current session and they must log in again using the new password. This means my suggestion above is invalid! (The same is true the other way too: Switching a user from password → token login expires their session as well).

Finally, when I logged back in as the offline user with my newly set password, the “Update password” option was there.

Also curious how you are setting/handling usernames. When you use magic links, the user doesn’t need to know their username and they’d have to go to either the About page or User Settings page to figure it out.

A user only needs to have the link. They do not need to know their username and literally can not know their password. They can, after clicking the token login link, find out their username as you described.


Apologies for the confusion, I hope the following clears the feature request up a bit:

  1. We do expect our CHWs to log out quite frequently, perhaps on session expiration or device screen lock, it is part of our security concerns. Devices also get stolen or swapped out - with the latter we’d like to help ensure the work is done on the correct profile/logged in user. All of the users do have the can_log_out_on_android permission. Our main concern is that, for security purposes, the app needs to be protected by username/password and the link eliminates risk of sysadmin communicating the password to users manually.
  2. Our users are instructed to go into a hub that has an internet connection to sync frequently. Each device is also fitted with a sim card (APN).
  3. As @mrjones has mentioned the option to “Update Password” is not available when using the login link. However, with that option available it would make it possible to set/reset the user’s password via login link. Save for the “Current Password” field of course. The flow will remain the same, the user will be logged out and need to log in with that new password - the login link will just also need to be disabled (same as switching from sms-login to password in the admin portal).
  4. @mrjones also mentioned, how a CHW might go about retrieving your username - by navigating to the same “User Settings” screen via the hamburger menu and clicking on the “Edit user profile” option. The “username” seems to be generated through an amalgamation of the “name”, “surname” and a duplicate count. The user will then take note of the “Username” field, and together with the previous point (3.) have all the required info to log in with credentials.

So in summary:

  1. User receives link.
  2. User clicks link.
  3. User clicks on hamburger.
  4. User clicks on profile – takes note of username.
  5. User clicks on ‘update password’.
  6. Dialog displays (minus the current password field).
  7. User resets or sets password for first time.
  8. User gets logged out, link becomes disabled.
  9. User logs in with credentials (username & password).

This would also align the CHT with password reset standards that are widely practiced.
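
The nine-step flow summarized above, sketched as an added example that is not part of the original posts and not CHT code: the `Accounts` class, its method names and the in-memory store are hypothetical. It shows the properties the flow depends on: the link token is stored hashed and expires, the first password is set from a live link session instead of a current password, and setting it disables the link and ends the session.

```javascript
// Added sketch, not CHT code: class, method names and in-memory store are hypothetical.
const { randomBytes, createHash, scryptSync, timingSafeEqual } = require('node:crypto');
const TOKEN_TTL_MS = 24 * 60 * 60 * 1000; // the 24 h link validity mentioned in the thread
const sha256 = (s) => createHash('sha256').update(s).digest();

class Accounts {
  constructor() { this.users = new Map(); }

  // Admin action (first login or reset): returns the secret placed in the SMS link.
  // Re-issuing clears any password and open sessions, as switching login modes does.
  issueLoginLink(username, now = Date.now()) {
    const token = randomBytes(32).toString('hex');
    // Keep only a hash, so a leaked user record cannot be replayed as a login link.
    this.users.set(username, { tokenHash: sha256(token), tokenExpires: now + TOKEN_TTL_MS,
      password: null, sessions: new Set() });
    return token;
  }

  // Steps 1-2: the link opens a session only while the token is live.
  loginWithToken(username, token, now = Date.now()) {
    const u = this.users.get(username);
    if (!u || !u.tokenHash || now > u.tokenExpires) return null;
    return timingSafeEqual(sha256(token), u.tokenHash) ? this.openSession(u) : null;
  }

  // Steps 5-8: no "current password" field; the live link session is the proof.
  setPassword(username, sessionId, newPassword) {
    const u = this.users.get(username);
    if (!u || !u.sessions.has(sessionId)) return false;
    if (u.password) return false; // changing an existing password needs the normal dialog
    const salt = randomBytes(16);
    u.password = { salt, hash: scryptSync(newPassword, salt, 32) };
    u.tokenHash = null;  // step 8: the SMS link stops working
    u.sessions.clear();  // step 8: the user is logged out
    return true;
  }

  // Step 9: username and password from here on.
  loginWithPassword(username, password) {
    const u = this.users.get(username);
    if (!u || !u.password) return null;
    const candidate = scryptSync(password, u.password.salt, 32);
    return timingSafeEqual(candidate, u.password.hash) ? this.openSession(u) : null;
  }

  openSession(u) {
    const id = randomBytes(16).toString('hex');
    u.sessions.add(id);
    return id;
  }
}
```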

Thanks @robinmurphy for the explanations! I do have another follow-up question (below), but also just wanted to be clear that we do not currently have any plans / capacity to develop this. If this is something your team would be interested in contributing, we’d be happy to collaborate.

Your point #2 mentions that users are instructed to go to a hub to sync. Is that because they don’t have internet available on their SIM (I’m not sure what APN means)? Logging in to the CHT requires an internet connection and most of the health workers using the CHT either do not have internet connection available and/or generally keep data switched off. So if the SIM doesn’t have data, then they’d need to go into the hub whenever they need to log in. If the SIM does provide access to the internet, they’ll need to make sure data is turned on and they have enough bundles, otherwise they will be completely locked out of the CHT until they get some data bundles or go into the hub.

Yes - seconding the thanks for all the details offered on your use case - thank you!

It sounds like you’ve considered different security scenarios in regards to having CHWs log out regularly, but we otherwise strongly recommend PINs required to unlock the phone as well as full disk encryption to protect sensitive CHT data in case a device is lost.

Also - in the scenario of a device being swapped between CHWs, are you aware of the CHW Offline Replace feature? This feature allows a Supervisor to take a phone from a departing CHW, enter a PIN on a special form in the CHT and give it to a new incoming CHW - all without any connectivity.

After the form is submitted, a new CHW can immediately begin using the phone to service patients in that same area, again with no connectivity needed. At a later date, when the new CHW has connectivity, they can sync the data created while offline, receive a token login link and proceed to use the phone with their newly created account, an entirely automated self-serve process after the initial supervisor PIN is entered.

You can read the docs and see this forum post with a demo video to find out more!
