FASTLOGIN · FOR HEALTHCARE PROVIDERS

Verified once. Recognised across the network.

Submit your MDCN or NMCN licence and pass a Didit liveness check once. Then sign in to Doorcta, OneHealth, and any partner clinical app with the same credential, the same MFA, and the same audit trail.

FastLogin is the verified-clinician identity for the Fastclinic ecosystem — one MDCN-checked profile, one MFA enrolment, one audit trail across hospitals.

1 · Hospital invites you

Your hospital's IT admin adds you to their FastLogin tenant by name and email. You receive an invite that takes you to the registration flow, with the hospital pre-attached as your organisation. You don't pick a tenant; the invite picks it for you. The audit trail records who invited you and when.

St. Martin's Specialist Hospital · Roster
Name | Role | MDCN | Last sign-in | Status
Dr. Adaeze N. | Doctor | MDCN/R/12345 | 09:14 · Lagos | Active
Dr. Tunde O. | Doctor | MDCN/R/22318 | Yesterday | Active
Nurse Funmi A. | Nurse | NMCN/N/55012 | 08:50 · Lagos | Active
Mary Eze | Front desk | | 08:10 · Lagos | Active
Dr. Sade B. | Locum | MDCN/R/98412 | Last week | Suspended
Verified MDCN licences refresh weekly · After-hours access flagged for review
142 active
fastlogin.fastclinic.xyz/org/st-martins/roster

2 · Verify your medical licence

You enter your MDCN or NMCN licence number and upload the licence document. Didit OCRs the document and cross-checks the number; the licence-board side validation runs in the background. You snap a single-frame selfie for liveness — iBeta Level 1 PAD certified, 99.9% accuracy at under 0.1% false-accept. Three retry attempts before a terminal decline, then support.

Verify your medical licence
Didit · Live · Provider KYC

Submit your MDCN licence and a quick selfie. Verified by Didit (iBeta Level 1 PAD).

Upload licence (PDF or image)
licence-mdcn.pdf · 2.1 MB
Liveness selfie · Passed
Single-frame · 99.9% accuracy

3 · Enrol MFA — both factors

You add a passkey for everyday sign-in — fastest is Touch ID or Face ID, on whatever device you spend your clinical day on. Then you scan a TOTP QR code with Google Authenticator or 1Password as a portable fallback. We generate backup codes; you store them somewhere only you can reach. Both factors are required by policy; clinical scopes will not be issued otherwise.

Set up authenticator app

Scan this QR code with Google Authenticator, Authy, 1Password, or similar. The code is your portable fallback if you lose your passkey.

Next · Save your backup codes
Step 2 of 2
fastlogin.fastclinic.xyz/auth/register/mfa

4 · Step up before clinical access

Opening a patient's record in OneHealth or starting a Doorcta consultation requires an AAL2-fresh session. If your last MFA event was over an hour ago, FastLogin re-prompts you for a passkey before issuing the scoped clinical token. You consent to the scopes the product asks for — read records, write notes, place orders — explicitly, on a screen, every time the scope set changes.

Authorize access

Doorcta is requesting access to your account.

  • openid: Sign you in to the app (on)
  • profile: See your name and basic info (on)
  • email: Access your email address (on)
  • phone: Access your phone number (on)
  • offline_access: Stay signed in (on)
fastlogin.fastclinic.xyz/auth/consent

5 · Use the same identity at every hospital

If you cover shifts at a second hospital, the second hospital's IT admin invites your existing FastLogin identity to their tenant. You don't re-do KYC. You don't re-enrol MFA. You inherit the second hospital's entitlements while keeping your own clinical record clean across both. Locum doctors and visiting specialists carry their identity with them; the hospitals carry the entitlements. The audit chain shows which tenant you signed in to for each session, so a regulator asking about a specific consult or prescription can see exactly which hospital you were practising under at the time. One identity, multiple employment contexts, fully traceable.

Entitlement matrix · who can use what
Columns: User, Doorcta, OneHealth, FastCredits
  • Dr. Adaeze N.: Doctor · active; Provider · active; Spend · active
  • Dr. Tunde O.: Doctor · active; Provider · active; Spend · active
  • Nurse Funmi A.: Read-only · active; Read-only · active
  • Mary Eze: Front desk · active; Reconcile · active
  • Dr. Sade B.: Doctor · suspended; Provider · suspended
Legend: organisation-inherited · personal entitlement · suspended (revocable)
5 users · 3 products
fastlogin.fastclinic.xyz/org/st-martins/entitlements

6 · See your sessions and audit

Every device you've signed in from is listed under active sessions; ending one revokes the token within seconds. Every clinical access event — patient record opened, prescription written, consult completed — flows into the same hash-chained audit log as your authentication. After-hours sign-ins (outside Africa/Lagos 08:00–18:00) are flagged automatically for compliance review.

Active sessions · 15-min access · 24h refresh · rotated
Device | Where | Last seen | Action
This device · Chrome 124 · macOS | Lagos · 102.89.42.7 | Now |
iPhone 15 · Safari | Abuja · 41.220.11.88 | 12 min ago | End session
Doorcta app · iOS | Lagos · 102.89.42.7 | 2 hours ago | End session
All sessions AAL2
3 active
fastlogin.fastclinic.xyz/account/sessions
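
The step-up rule from step 4 and the after-hours flag from step 6, sketched as an added example (not FastLogin's own code). The two freshness windows are the ones quoted on this page; the action names, the function signatures and the treatment of 18:00 as already after hours are assumptions.

```python
from datetime import datetime, time, timedelta, timezone

LAGOS = timezone(timedelta(hours=1))  # Africa/Lagos is UTC+1 all year, no DST

# Freshness windows quoted on the page; the action names are hypothetical.
FRESHNESS = {
    "onehealth.record_open": timedelta(hours=1),
    "doorcta.consult_start": timedelta(minutes=15),
}

def needs_step_up(aal, last_mfa_at, action, now):
    """True when MFA must be re-prompted before the scoped token is issued."""
    if aal != "aal2":
        return True
    age = now - last_mfa_at
    # Fail closed on a future timestamp (clock skew or a forged value).
    return age < timedelta(0) or age > FRESHNESS[action]

def is_after_hours(ts):
    """Flag sign-ins outside 08:00-18:00 Lagos time.

    Assumption: 08:00 is inside the window and 18:00 is outside it.
    """
    local = ts.astimezone(LAGOS).time()
    return not (time(8, 0) <= local < time(18, 0))

# Constructed sample sign-ins, stored in UTC.
SIGN_INS = [
    ("u-001", datetime(2025, 1, 6, 7, 30, tzinfo=timezone.utc)),   # 08:30 Lagos
    ("u-002", datetime(2025, 1, 6, 17, 30, tzinfo=timezone.utc)),  # 18:30 Lagos
    ("u-003", datetime(2025, 1, 6, 6, 59, tzinfo=timezone.utc)),   # 07:59 Lagos
]

def flagged(sign_ins):
    """Users whose sign-in falls outside working hours in Lagos."""
    return [user for user, ts in sign_ins if is_after_hours(ts)]

if __name__ == "__main__":
    now = datetime(2025, 1, 6, 10, 0, tzinfo=timezone.utc)
    mfa = now - timedelta(minutes=40)
    print(needs_step_up("aal2", mfa, "onehealth.record_open", now))
    print(needs_step_up("aal2", mfa, "doorcta.consult_start", now))
    print(flagged(SIGN_INS))
```

The same 40-minute-old MFA event is fresh enough to open a record but not to start a consult, and timestamps stored in UTC have to be converted before the 08:00–18:00 comparison.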
What you get

MDCN-verified identity portable across hospitals

One licence check. Multiple employers. The hospitals share a verified provider directory; you don't pile up duplicate KYC artefacts on your phone.

Phishing-resistant MFA, mandatory

Both passkey and TOTP enrolled at registration. Clinical scopes need AAL2-fresh sessions. A stolen password proves nothing on its own.

Audit trail that follows you, not the building

Your authentication and clinical-access events live in one chain regardless of which hospital you signed in from. NDPA 2023 retention rules apply to the chain; you can request your own access record on demand.

Visible session control

Active sessions show every device with its IP, last-seen, and AAL. End any of them with one click. After-hours sign-ins are flagged for review without you having to chase a log.

Capabilities

Auth
  • Email + phone verification (OTP)
  • Passkey (WebAuthn / FIDO2)
  • TOTP authenticator app
  • Backup recovery codes (lookup_secret)
  • Password as fallback only
  • Session-bound CSRF on every flow
MFA / step-up
  • Phishing-resistant by default
  • AAL2 step-up before sensitive scopes
  • Per-device session listing + revoke
  • Configurable step-up freshness window
  • Hardware-key support (YubiKey / Titan)
KYC
  • Didit liveness (passive single-frame)
  • iBeta Level 1 PAD certified
  • MDCN licence verification (provider)
  • NIN verification (patient)
  • 3 retry attempts before terminal decline
  • 30-day Didit retention, 24-hour purge
OAuth2 / OIDC
  • 15-min access tokens
  • 24-hour refresh with rotation
  • JWKS · 5-min cache
  • Scope-limited consent screen
  • Authorization-code with PKCE
  • Client-credentials for service tokens
Audit
  • Hash-chained event log
  • 7-year retention
  • Daily export to WORM S3
  • Africa/Lagos timezone
  • After-hours flagging (08:00–18:00)
  • Per-IP and per-device columns
Compliance
  • NDPA 2023 §25 lawful basis
  • African data residency
  • Documented data-processing record
  • DSAR export pipeline
  • Cross-product consent ledger
  • Quarterly third-party pentest

Integrations

Fastclinic
Doorcta

Telehealth signs patients and doctors in via FastLogin. Consult start requires AAL2 within the last fifteen minutes. Doorcta never sees the user's password.

Fastclinic
OneHealth

Health-record access requires AAL2 plus an explicit scope on the consent screen. Provider identity is the MDCN-verified FastLogin identity — there is no separate clinical login.

Fastclinic
FastCredits

The shared credits ledger trusts FastLogin's identity for both individual and organisation accounts. Hold, capture, and refund actions all carry the FastLogin user ID and write to the same audit chain.

External
Ory Kratos

Open-source identity store. We run pinned releases and edit configuration at fastlogin/ory/kratos/. Container restarts are part of every config change.

External
Ory Hydra

Open-source OAuth2 / OIDC server. Tokens are signed with rotating keys; the public key set is cached by every relying party for five minutes. Hydra never sees user passwords.

External
Didit

External KYC processor for liveness, MDCN licence OCR, and NIN verification. Signed agreement under NDPA 2023; selfie data deleted after thirty days on Didit's side.

Compliance & safety

NDPA 2023 — lawful basis recorded

FastLogin processes personal data under contract, consent, legal obligation, and legitimate-interest bases per NDPA 2023 §25. Every dataset and processor is recorded in the data-processing record kept by the Fastclinic Limited data controller (RC 1919428).

NDPA 2023 (NDPC)

Audit log — 7-year hash chain, daily WORM export

Every authentication event is hashed into a Postgres-side chain. Tampering with any historical row breaks the chain. We export the chain daily to write-once-read-many S3 storage; the seven-year retention satisfies records-of-processing requirements.
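
How a hash chain exposes an edited row, and why the write-once export matters, shown as an added example (not FastLogin's code or schema). SHA-256, the canonical-JSON encoding, the row layout, the genesis value and the sample events are all assumptions.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first row

def row_hash(prev_hash, event):
    # Canonical JSON so the same event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def build(events):
    chain, prev = [], GENESIS
    for event in events:
        digest = row_hash(prev, event)
        chain.append({"event": event, "prev": prev, "hash": digest})
        prev = digest
    return chain

def first_broken_row(chain):
    """Index of the first row whose link or digest is wrong, or None if intact."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev"] != prev or row["hash"] != row_hash(prev, row["event"]):
            return i
        prev = row["hash"]
    return None

def matches_export(chain, exported_head, exported_len):
    """Check the live chain against the head digest kept in write-once storage."""
    if not 0 < exported_len <= len(chain):
        return False  # rows were truncated, or the export record is invalid
    return chain[exported_len - 1]["hash"] == exported_head

# Constructed sample events (not real FastLogin data).
SAMPLE_EVENTS = [
    {"ts": "2025-01-06T08:14:00+01:00", "user": "u-001", "type": "login"},
    {"ts": "2025-01-06T08:15:10+01:00", "user": "u-001", "type": "record_opened"},
    {"ts": "2025-01-06T19:02:45+01:00", "user": "u-002", "type": "login"},
]

if __name__ == "__main__":
    chain = build(SAMPLE_EVENTS)
    head, n = chain[-1]["hash"], len(chain)  # what the daily export would record
    edited = copy.deepcopy(chain)
    edited[1]["event"]["type"] = "login"     # one historical row changed in place
    print(first_broken_row(edited))
    changed = [dict(e, type="login") if i == 1 else e for i, e in enumerate(SAMPLE_EVENTS)]
    rewritten = build(changed)               # every digest recomputed after the change
    print(first_broken_row(rewritten), matches_export(rewritten, head, n))
```

A chain whose digests were all recomputed after an edit is internally consistent, so `first_broken_row` finds nothing wrong; only the head digest held in the write-once export shows the difference.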

African data residency

Identities, sessions, KYC artefacts, and audit logs are hosted in a Nigerian-region AWS account. Cross-border transfer is limited to the named Didit liveness flow under signed processor agreement.

Phishing-resistant MFA policy

Every FastLogin account holds both a passkey credential and a TOTP secret. Passkeys carry the phishing-resistance properties NIST 800-63 names as AAL2-eligible without an authenticator-app fallback. We require both factors so a lost device is recoverable.

NIST 800-63B

Token lifetimes — short by design

Access tokens last fifteen minutes. Refresh tokens last twenty-four hours and rotate on every use. JWKS caches expire every five minutes. Compromise windows are measured in minutes, not weeks.

Plain answers

Verify once. Practise everywhere.

Get an MDCN-verified, MFA-protected, audit-traceable Fastclinic identity that travels across hospitals — and across every Fastclinic product.