Authentication Best Practices
What You'll Learn
This article covers authentication best practices for HIPAA apps on Knack. It explains how to use 2FA, SSO, and password policies to protect access to your app and the PHI inside it. It also covers builder-level authentication and API key security.
Two-Factor Authentication (2FA)
2FA adds a second layer of security on top of the password. Even if someone's password is compromised, they can't log in without the second factor.
Account-Level 2FA (Builder Access)
Knack supports TOTP-style 2FA for builder accounts. This requires you to scan a QR code with an authenticator app (like Google Authenticator or Authy) and enter a 6-digit code at each login.
- Enable 2FA on every builder account that has access to your HIPAA app
- If someone gains access to a builder's email and password, 2FA prevents them from logging in without the authenticator code
For setup instructions, see Managing Your Account Settings.
Live App 2FA (App User Access)
You can also enable 2FA for your live app users. This works the same way — users scan a QR code during initial setup and provide a 6-digit code at each login.
- Knack recommends requiring 2FA for all app users on HIPAA plans
- You can disable the requirement on a per-user basis if needed
- 2FA applies to users logging in with email and password. Users authenticating through SSO follow the SSO provider's authentication flow instead.
For setup and management instructions, see Two-Factor Authentication (2FA): Setup, Management & Live App Experience.
Single Sign-On (SSO)
SSO lets users log in to your Knack app using credentials from an external identity provider (like Google Workspace, Microsoft Entra ID, or a custom SAML/OAuth provider). This centralizes authentication and gives you more control over who can access the app.
Benefits for HIPAA apps:
- Users don't need a separate Knack password — they use their organization's credentials
- You can enforce your organization's password policies, 2FA, and session rules at the identity provider level
- When an employee leaves, disabling their identity provider account immediately revokes their Knack app access
- Domain restrictions let you limit login to specific email domains
Knack supports:
- Google SSO — See Implementing Google Single Sign-On
- OAuth SSO — See Implementing OAuth Single Sign-On (Coming Soon)
- SAML SSO — See Implementing SAML Single Sign-On (Coming Soon)
SSO doesn't replace app-level roles. SSO controls who can log in. User roles control what they can see and do after they're logged in. You still need to configure roles and permissions even if you use SSO.
Password Policies
If your app users log in with email and password (rather than SSO), strong password policies are essential.
HIPAA plan defaults (cannot be disabled):
- Minimum 8 characters
- No common passwords
Recommended additional settings:
- Require at least 1 number
- Require at least 1 special character
- Require at least 1 uppercase letter
- Require at least 1 lowercase letter
- Set passwords to expire every 60 days
- Prevent reuse of the last 3 passwords
A best practice is to recommend 12+ character passwords that use a mix of all character types. Shorter or simpler passwords are easier to guess through brute force attacks.
Knack also recommends that builder account passwords be changed at least annually and be unique to your Knack account.
For details on configuring these settings, see HIPAA Security Settings.
API Key Security
If you use the Knack API, your API key is the credential that grants access to your data. Treat it with the same care as a password.
- Rotate your API key at least annually. If anyone who had access to it leaves your organization or if you suspect it may have been exposed, rotate it immediately.
- Never expose your API key in client-side code. Client-side JavaScript is visible to anyone who opens the browser's developer tools. Use view-based API requests instead.
- Use the correct endpoint. HIPAA apps must send all API calls to usgc-api.knack.com. Calls made to api.knack.com will not work once your account is on the HIPAA environment.
For more detail on API security, see HIPAA and the Knack API.
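As an added example that is not Knack's own tooling, the following Node.js check scans client-side source for the two API items above: a real API key shipped to the browser, and calls to the non-HIPAA host. It assumes the object-based Knack REST API carries the key in an X-Knack-REST-API-Key header and that view-based requests put the literal value knack there instead; both sample snippets are constructed with placeholder values.

```javascript
// Added example (not Knack's tooling): a review check for client-side code.
// Assumption: object-based Knack API calls send the key in an
// X-Knack-REST-API-Key header, while view-based calls send the literal "knack".
const KEY_HEADER = /X-Knack-REST-API-Key["']?\s*:\s*["']([^"']+)["']/gi;
const HOST = /https?:\/\/((?:usgc-)?api\.knack\.com)\//gi;

// Returns a list of findings for one client-side source file.
function auditClientSource(filename, source) {
  const findings = [];
  for (const m of source.matchAll(KEY_HEADER)) {
    // Any value other than "knack" is a real key exposed in the browser.
    if (m[1].toLowerCase() !== "knack") {
      findings.push({ file: filename, issue: "api-key-in-client-code" });
    }
  }
  for (const m of source.matchAll(HOST)) {
    // HIPAA apps must use usgc-api.knack.com, not api.knack.com.
    if (m[1].toLowerCase() === "api.knack.com") {
      findings.push({ file: filename, issue: "non-hipaa-endpoint" });
    }
  }
  return findings;
}

// Constructed sample that should fail review: real key in the browser and
// the wrong host. The key value is a placeholder, not a real credential.
const BAD = `
fetch("https://api.knack.com/v1/objects/object_1/records", {
  headers: {
    "X-Knack-Application-Id": "APP_ID_PLACEHOLDER",
    "X-Knack-REST-API-Key": "SECRET_KEY_PLACEHOLDER"
  }
});`;

// Constructed sample that should pass: view-based request on the HIPAA host,
// no real key in the client, user token supplied separately.
const GOOD = `
fetch("https://usgc-api.knack.com/v1/pages/scene_1/views/view_1/records", {
  headers: {
    "X-Knack-Application-Id": "APP_ID_PLACEHOLDER",
    "X-Knack-REST-API-Key": "knack",
    "Authorization": userToken
  }
});`;
```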
Checklist
Use this as a quick reference when setting up authentication for your HIPAA app:
- Enable 2FA on all builder accounts
- Enable 2FA for live app users
- Turn on all optional password complexity settings
- Enable password expiration (60 days)
- Enable password reuse prevention (last 3)
- Implement SSO if your organization has an identity provider
- Restrict SSO to your organization's email domain
- Rotate API keys at least annually
- Verify API keys are not exposed in client-side code
- Confirm API calls use usgc-api.knack.com
Next Steps
- HIPAA Security Settings — Configure inactivity logout, failed login lockout, IP whitelisting, and secure browser
- HIPAA and the Knack API — Full guide to API security for HIPAA apps
- User Roles and Permissions for HIPAA — Control what users can access after they log in