Account Service Admin Guide

Guide for HealthForms.io administrators on how users get access and what the Account Service manages.

What the Account Service Controls

The Account Service manages:

• User login (email/password and Google sign-in)
• Multi-factor authentication (MFA)
• Email confirmation (verifying email addresses)
• Account security (password reset, Turnstile bot protection)
• Invitations (the process users follow to create their accounts)
• Terms of Use acceptance (tracking user consent)

Permissions within applications (who can review which forms, which staff can manage which members) are managed inside the Manager application, not the Account Service.

How Users Get Access

HealthForms.io does not allow open self-registration. All user accounts start with an invitation.

Inviting Portal Users

Portal users are invited to submit forms for their families. The invitation process is managed within the Manager application. When a user accepts a Portal invitation:

1. They receive an email with an invitation link or code
2. They go to /auth/invitations and create their account (name, email, password or Google)
3. They are redirected to the Portal app to complete the form submission process

Inviting Manager Users

Manager users (staff who review and manage forms) are also invited from within the Manager application. When a Manager user accepts:

1. They receive an email with an invitation link
2. They create their account
3. MFA setup is required — they cannot access the Manager app without setting up Authenticator App or SMS authentication
4. After MFA setup, they see the confirmation page and can launch the Manager app

MFA Requirements

• Manager users: MFA is required. They cannot complete the onboarding process without setting up at least one MFA method.
• Portal users: MFA is optional but recommended.

Both Authenticator App and SMS Text Message are supported. Users can set up both and choose a default.

See MFA Setup Guide to share with users who need help.

Supporting Users

User Can't Log In

Password Reset

Users reset their own passwords via the login page using the Forgot Password? link. No admin action is needed for standard password resets.

MFA Reset

If a user has lost their phone and has no recovery codes, their MFA can be reset from within the Manager application by an organization administrator.

Email Confirmation

When a user creates an account, a 6-digit code is sent to their email for verification. The code expires (countdown shown on screen) and can be resent. If they entered the wrong email, they can use the [Change] link on the confirmation page.

Terms of Use

When HealthForms.io updates its Terms of Use or Privacy Policy, users may see a prompt on login asking them to accept the new terms. Administrators can't bypass this — it's presented to users automatically when they log in. Users can either Accept Terms to continue or, if terms are required, they must accept or log out.

What Admins Cannot Do from Account Service

The following actions are managed in the Manager application, not in Account Service:

• Changing a user's role or permission within an organization
• Viewing audit logs of what data was accessed
• Configuring MFA as required for all users at an organization level
• Deactivating or removing a user from an organization

Resources

User-Facing Guides to Share

• How to Accept an Invitation — For new users
• How to Log In — Login instructions
• MFA Setup Guide — Two-factor authentication
• Account Management — Profile and security settings
• Password Reset — For forgotten passwords

Support Contact

• Support Portal: https://support.healthforms.io
• Include: Affected user's email, what they're trying to do, any error messages
• Response time: Usually 2-4 hours during business hours

See the Glossary of Terms for definitions of terms used in HealthForms.io.