Easy and secure sign-in

A Flux account gives access to confidential information about patients, treatments, appointments and business operations. Securing that account is therefore an important part of handling health data carefully. Information security is built around three principles: data should only be accessible to authorized people, it must remain accurate and complete, and it must be available when a care provider needs it. These principles are also known as confidentiality, integrity and availability.
An insufficiently secured account can affect all of these areas. An unauthorized person could view data, change information or disrupt access to an account. That is why we have further strengthened sign-in with support for passkeys, better protection against automated login attempts and more insight into the security status of user accounts.
Sign in with a passkey
Flux now supports passkeys. With a passkey, you sign in through the security of your own device, for example with face recognition, a fingerprint or the passcode of your phone or computer. You do not need to enter a traditional password. The secret key stays on your device and is not shared with Flux.
Passkeys are less vulnerable to phishing because they only work for the website or application they were created for. They cannot easily be guessed, intercepted or reused for another service. At the same time, they make daily sign-in faster because you use the same security you already use to unlock your device.
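The site binding described above can be seen in the checks a server runs on a passkey sign-in response. This is an added example, not Flux's own code: the relying-party ID, the origins and the sample data are constructed placeholders, and only the binding checks are covered (verifying the signature against the stored public key is a separate step).

```python
import base64
import hashlib
import json

RP_ID = "app.example.com"            # assumed relying-party ID (placeholder)
ORIGIN = "https://app.example.com"   # assumed expected origin (placeholder)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json, auth_data, challenge):
    """Return the names of the failed binding checks (empty list = pass)."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    if client.get("challenge") != b64url(challenge):
        errors.append("challenge")          # response to an old or foreign challenge
    if client.get("origin") != ORIGIN:
        errors.append("origin")             # browser was on a different site
    if len(auth_data) < 37:                 # 32-byte hash + flags + 4-byte counter
        return errors + ["authenticator data too short"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash")           # credential was used for another site
    flags = auth_data[32]
    if not flags & 0x01:
        errors.append("user presence")
    if not flags & 0x04:
        errors.append("user verification")  # no biometric or device passcode
    return errors

def sample(origin, rp_id, challenge, flags=0x05):
    """Constructed stand-in for what a browser and authenticator return."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client, auth
```

A response produced on a look-alike domain carries that domain's origin and hash, so it fails the `origin` and `rpIdHash` checks even when the user was fooled by the page.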
You can activate a passkey through Settings and then User. Under the security settings, you can now add a passkey alongside two-factor authentication. Depending on your device and password manager, a passkey can be synchronized between devices such as your laptop and phone.
Always enable 2FA
A password alone does not provide enough protection for an account with access to health data. Passwords can be stolen through phishing, malware, a data breach or because the same password is also used for other services. With multifactor authentication, usually called MFA/2FA, a second check is required in addition to the password. A stolen password therefore does not immediately give access to the account.
We therefore recommend enabling MFA/2FA or, where possible, adding a passkey for every user account. Do not use shared accounts either: every employee should have their own account. That keeps it clear who accessed information and makes it possible to adjust permissions when an employee changes role or leaves the organization.
Passkeys make secure sign-in easier and can replace a separate verification code in many situations. Always check which security method is active for the account. Not every device or browser supports passkeys in the same way, which means MFA/2FA remains an important additional security layer.
Better protection for the sign-in screen
The sign-in screen is now better protected with smarter CAPTCHA security and improved rate limiting. CAPTCHA helps distinguish real users from automated traffic. The check is mainly used when a login attempt shows signs that may indicate abuse, so regular users have to take as few extra steps as possible.
Rate limiting restricts how many login attempts can be made within a certain period. This helps protect against attacks where large numbers of passwords are tried automatically. After many failed or suspicious attempts, subsequent login attempts can be temporarily delayed or blocked.
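How the CAPTCHA check and rate limiting can escalate together, as an added example that is not Flux's implementation: the thresholds, the window length and the choice to count failures per account and IP address are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW = 300          # seconds of history that count (assumed value)
CAPTCHA_AFTER = 3     # failures in the window before a CAPTCHA is shown (assumed)
DELAY_AFTER = 5       # failures before responses are delayed (assumed)
BLOCK_AFTER = 10      # failures before a temporary block (assumed)
BLOCK_SECONDS = 900   # length of the temporary block (assumed)

class LoginThrottle:
    def __init__(self):
        self.failures = defaultdict(deque)   # key -> timestamps of failed attempts
        self.blocked_until = {}              # key -> time at which the block ends

    def _prune(self, key, now):
        recent = self.failures[key]
        while recent and recent[0] <= now - WINDOW:
            recent.popleft()                 # forget failures outside the window
        return recent

    def decide(self, key, now):
        """Return (action, wait_seconds) for the next attempt on `key`."""
        if self.blocked_until.get(key, 0) > now:
            return "block", self.blocked_until[key] - now
        n = len(self._prune(key, now))
        if n >= DELAY_AFTER:
            return "delay", min(2 ** (n - DELAY_AFTER), 30)   # growing delay, capped
        if n >= CAPTCHA_AFTER:
            return "captcha", 0
        return "allow", 0

    def record(self, key, success, now):
        """Register the outcome of an attempt that was allowed to proceed."""
        if success:
            self.failures.pop(key, None)     # a good sign-in clears the history
            return
        recent = self._prune(key, now)
        recent.append(now)
        if len(recent) >= BLOCK_AFTER:
            self.blocked_until[key] = now + BLOCK_SECONDS
            recent.clear()
```

Regular users who mistype once or twice stay in the "allow" range; only a sustained run of failures reaches the delay and block stages.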
These measures work together with passwords, MFA/2FA and passkeys. By combining multiple security layers, an account remains protected when one measure is bypassed.
More insight into account security
In user management, the MFA/2FA status of user accounts is now clearer. Administrators can therefore check more quickly which accounts are additionally secured and which users still need to take action. This is especially important for accounts with administrator rights, because these often provide access to more data and settings.
We recommend that administrators check this status regularly and actively remind employees when MFA/2FA has not yet been enabled. Also check whether accounts of former employees have been closed and whether users still only have access to the parts they need for their work.
Good account security is not a one-time setting, but a recurring part of information security. Flux provides the technical options for this, but real protection only happens when organizations and users apply them consistently.
New (7)
- Support for signing in with passkeys
- Passkey autosuggestions on supported devices and browsers
- Monthly export for Zorgtopics
- Extra templates in the referral-letter picker
- Extra gender option for online appointments
- Insight into MFA/2FA status in administration
- Activities Meter questionnaire
Improvements (8)
- Smarter CAPTCHA security on the sign-in screen
- Better rate limiting for login attempts
- More reliable passkey configuration across different environments
- Easier bulk rate creation
- Better cleanup of old invoices from Twinfield synchronization
- Further improvements to BI, filter and interface building blocks
- PCM questionnaire expanded with ODDI score
- Continued development of revenue insights, dashboards and exports
Bugs (5)
- Fixed an issue where automatic logout after inactivity did not work correctly
- Fixed multiple error messages around patient data and exports
- Fixes for BI overviews and global date filters
- Fixes for integrations and synchronizations, including Twinfield and Nivel
- Fixed several regressions in frontend behavior and forms