Verifying Registered Chat Users

When sending a patient a link to a registered chat, it's important to ensure that the person clicking the link is the intended recipient, especially when personal confidential information is involved.

It's possible for the registered chat link to be intercepted and used by someone other than the intended recipient. We want to verify the user at the start of the chat, and end the chat if they can't prove that they are the patient.

Two things are required in order to implement user verification in your registered chat flow:

  1. Include patientSmsNumber, patientEmailAddress, and/or security questions and answers in your register chat call.
  2. Use the "Verify user" step as the first step in the chatbot associated with the widget topic.

Two-Factor Authentication Methods

MedChat supports three two-factor authentication methods for verifying the patient of a registered chat:

  • Security Questions
  • Email
  • SMS

What is two-factor authentication?

Two-factor authentication is a method of verifying a person is who they say they are, based on multiple factors. The first factor is often a password or a unique link. The second factor is something that only the intended individual can provide and could come from one of the following categories:

  • Something you know (like a PIN or answers to security questions)
  • Something you have (like a smartphone or an email account)
  • Something you are (like a fingerprint)

It's assumed that the source system has data about the patient that falls into one of the above categories that is suitable for verifying the identity of the patient.

The methods available to use to verify a given patient are determined at the time the chat is registered by the calling system, depending on what data is sent in the register chat request body.

Verify User Chatbot Step

The Verify User chatbot step should be the first step in the chatbot, and it has one of two possible outcomes:

  1. The user passes verification and the chatbot continues with the rest of the flow.
  2. The user fails verification and the chatbot ends.

The Verify User step should be the first step in the chatbot.

The Verify User step first attempts to retrieve the registered chat.

If a registered chat isn't found, the chatbot continues with the flow without trying to verify the user. This is useful in cases where a chatbot may be used on widget topics that handle chats initiated from registered chats as well as chats not initiated from registered chats.

If a registered chat is found, the Verify User step determines which verification methods are available (security questions, email, and/or SMS). If multiple verification methods are available, the user is presented with a prompt to select which verification method they'd like to use.

For any of the verification methods, if the user fails verification and other available verification methods remain, they are given the opportunity to verify via the remaining verification method(s).

High-level flow chart showing the Verify User chatbot step logic.

Security Questions Verification

With security questions verification, the source system provides one or two security questions and answers at the time the chat is registered. Care should be taken in selecting appropriate security questions and answers. Avoid questions with answers that may be ambiguous to the patient. Questions and answers will be stored in the MedChat database.

The Verify User step prompts the user to answer the security question(s). If multiple questions are provided, the user must answer both correctly to pass verification. Evaluation of answers is a simple case-sensitive string comparison, with any leading and trailing whitespace trimmed.

The user is given up to three chances to answer the security questions correctly.

Email Verification

With email verification, the source system provides the patient's email address at the time the chat is registered. The Verify User step sends a security code via email to the patient and prompts the user to enter the code.

The user is given up to three chances to enter the correct code.

SMS Verification

With SMS verification, the source system provides the patient's SMS-capable phone number at the time the chat is registered. The Verify User step sends a security code via SMS text to the patient and prompts the user to enter the code.

The user is given up to three chances to enter the correct code.
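
The Verify User step logic described in the sections above, modelled as an added example (this is not MedChat's own code). The securityQuestions field name and its question/answer shape, the choose, respond and send_code hooks, sending one code per method, and failing closed when a registered chat carries no verification data are all assumptions of this sketch.

```python
import hmac

MAX_ATTEMPTS = 3  # the page gives the user up to three chances per method

def available_methods(chat):
    """Methods depend on which fields the register chat request carried."""
    fields = [("questions", "securityQuestions"),  # hypothetical field name
              ("email", "patientEmailAddress"),
              ("sms", "patientSmsNumber")]
    return [name for name, key in fields if chat.get(key)]

def answers_match(expected, given):
    """Case-sensitive comparison after trimming surrounding whitespace.
    Constant-time compare_digest is this example's choice, not the page's."""
    if len(expected) != len(given):
        return False
    results = [hmac.compare_digest(e.strip().encode(), g.strip().encode())
               for e, g in zip(expected, given)]
    return all(results)  # every question must be answered correctly

def verify_user(chat, choose, respond, send_code):
    """Return "continue" or "end". choose(methods), respond(method) and
    send_code(method, destination) are hypothetical hooks for the prompts."""
    if chat is None:
        return "continue"  # no registered chat found: flow proceeds unverified
    remaining = available_methods(chat)  # assumption: none available fails closed
    while remaining:
        method = remaining[0] if len(remaining) == 1 else choose(remaining)
        remaining.remove(method)
        if method == "questions":
            expected = [q["answer"] for q in chat["securityQuestions"]]
        else:
            key = "patientEmailAddress" if method == "email" else "patientSmsNumber"
            expected = [send_code(method, chat[key])]  # assumption: one code per method
        for _ in range(MAX_ATTEMPTS):
            if answers_match(expected, respond(method)):
                return "continue"
    return "end"  # every available method exhausted

if __name__ == "__main__":
    # Constructed sample: wrong case burns three attempts, then email succeeds.
    chat = {"securityQuestions": [{"question": "Street you grew up on?",
                                   "answer": "Maple Street"}],
            "patientEmailAddress": "patient@example.test"}
    typed = iter([["maple street"]] * 3 + [["493817"]])
    print(verify_user(chat, lambda m: m[0], lambda m: next(typed),
                      lambda m, dest: "493817"))
```

Because the comparison is case-sensitive, a patient who types "maple street" for a stored answer of "Maple Street" uses up an attempt each time, which is worth weighing when the source system chooses its questions and answers.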