u/MrHaller

How I enabled passkeys on IBKR early

I just managed to get passkeys enabled on IBKR, so I figured I’d share what I learned.

IBKR is rolling this out slowly, so you might not see a “Passkey” option in your account yet. I had to request early access.

What you need to do: create a ticket and call support. They explained it’s a security/rollout measure. Support then creates an internal request, and it took a couple of days. After it was enabled, logging in showed a task to set up a passkey, which you had to complete before you could trade (it was like those required questionnaires).

Why it’s nice:

  • You can register passkeys on multiple devices, so you’re not stuck if one breaks/losses.
  • You can use hardware security keys (e.g., YubiKey), which are generally more secure and robust than smart devices (e.g. phones, laptops).
  • Passkeys can only be used on domains they are registered on, so it's close to impossible for an attacker to steal your passkey online.

However, in IBKR, passkeys don’t replace passwords—you still use your username/password, with the passkey acting as the second factor.

IBKR docs (beware, it may not be enabled by default for you): https://ibkrguides.com/securelogin/sls/authentication-using-passkey.htm

reddit.com
u/MrHaller — 6 days ago
▲ 1 r/gdpr

Healthcare SaaS requires doctors to import their entire patient database before patients sign up

TL;DR: A healthcare SaaS requires doctors to import their entire patient database before patient onboarding, claims to be a processor under Art. 28 GDPR, and relies on healthcare provision plus legitimate interest as the legal basis. Does this raise issues around joint controllership, Article 9, data minimisation, or Article 32 security?

I'm based in the Czech Republic (EU) and I'm looking for opinions on a GDPR issue involving a healthcare SaaS platform.

Here's the situation

My child's doctor uses a platform called Medevio for patient communication and appointment scheduling. It is not the primary medical record system, but it contains health-related information (messages, diagnoses, etc.).

Neither my wife nor I had ever registered with the platform.

We suddenly received SMS messages asking us to book a preventive examination. After following the onboarding link and verifying my wife's phone number via SMS, the system already knew our son's identity (displaying his name and a partially masked date of birth). It then requested his national identification number to complete the matching process.

We later contacted both the doctor and the platform.

The platform confirmed that:

  • Doctors are instructed by official documentation to upload their entire patient database into the platform, with little or no control over which patients are imported.
  • Our son's data was imported when the doctor synchronised patients.
  • Patients do not need to register before their data is imported.
  • If a patient deletes their account, the patient record remains in Medevio and is still visible to the doctor, but is no longer visible to the patient.
  • The platform considers itself only a processor acting under Article 28 GDPR.
  • Its website states that doctors should obtain patient consent before importing patients, but support also stated that the legal basis is the doctor's provision of healthcare services together with the doctor's legitimate interest in modernising patient communication.
  • An SMS code is used only during the initial registration/binding of a patient account. Afterwards, the account is protected only by username and password (no MFA despite access to health-related information).

Context

Ideally, I would like Medevio to improve its consent management and security practices without creating unnecessary burden for doctors. I'm considering reporting the matter to my country's Data Protection Authority, but before doing so, I'd appreciate some opinions from people familiar with GDPR.

My questions

  1. Is it realistic for the SaaS provider to be considered only a processor, given that it designed the patient import process, onboarding flow, authentication flow, and communication workflow? Or is there a credible argument that it is at least a joint controller for some processing operations?
  2. Is legitimate interest generally considered sufficient when an external SaaS imports health-related patient records before the patient has ever interacted with the service?
  3. From a data minimisation perspective, is importing an entire patient database before any patient decides to use the platform generally viewed as compatible with GDPR?
  4. Would the absence of MFA for ongoing access to accounts containing health-related information raise concerns under Article 32 GDPR, even though phone verification is performed only once during onboarding?
  5. If you were in my position, would you pursue this with the Data Protection Authority?

Link to page (Czech only): https://www.medevio.cz/

u/MrHaller — 7 days ago