AveeCare protects tenant data with two complementary controls: a 2FA challenge at sign-in (TOTP from an authenticator app) and an idle timeout that signs users out after a stretch of inactivity. There is no separate Security tab inside Settings. Idle timeout lives on the Business Settings tab for tenant-wide policy, and on the My Notifications tab as a per-user override. Two-factor authentication is enforced at the login screen, not from a toggle inside the app.

Quick answer

Open Settings. On the Business Settings tab, scroll to Session Idle Timeout and set Idle Timeout (minutes). Default is 15 minutes, minimum is 1 minute, and 0 disables idle timeout. Click Save Business Settings. Users with the User or RootUser role can override it for themselves on the My Notifications tab under Personal Idle Timeout Override. 2FA is handled at sign-in by Cognito and uses a 6-digit authenticator code such as Google Authenticator, Microsoft Authenticator, or 1Password.

What this covers and what it does not

AveeCare ships idle-timeout in the Settings UI and 2FA at the login screen. It does not ship a separate “Login Activity Log” panel for every sign-in. Recent caregiver and admin actions show up on the Activity page (visit starts, completions, incidents, inquiries), and the Accounts page is the place to disable a user account that is suspected of being compromised.

1. Open Settings and the Business Settings tab

  1. Click Settings in the left sidebar.

    Settings sits near the bottom of the sidebar, under Help. The page opens on Business Settings by default.
    Settings page with the Business Settings pill highlighted on the top tab strip. The tab strip reads Business Settings, My Notifications, Company Notifications, Subscription and Billing, Payment Integrations, Clearinghouse and Claims, Payroll, Locations, API Keys.
  2. Scroll down past EVV and Notifications to Session Idle Timeout.

    The card sits below SMS Notifications and above Save Business Settings. It has an orange clock icon, the heading Session Idle Timeout, and a single numeric input.

2. Set the company-wide Session Idle Timeout

  1. Type the number of minutes in Idle Timeout (minutes).

    Default is 15. Minimum is 1. Set the field to 0 to disable idle timeout for the whole company (not recommended for HIPAA workloads). This applies to all four role types: Patients, Caregivers, Users, and RootUsers.
    Session Idle Timeout card on the Business Settings tab. The Idle Timeout (minutes) input is highlighted with a red box and arrow. The orange Note callout below reads, Users will see a warning modal 20 seconds before being signed out due to inactivity. Any user activity (mouse movement, keyboard input, touch) will reset the timer.
  2. Click Save Business Settings at the bottom right.

    The change takes effect on the next sign-in for every user who does not have a personal override. Sessions that are already open keep their current timer until the next page load.
  3. Watch for the 20-second warning modal.

    Twenty seconds before sign-out, AveeCare shows a warning modal so the user can stay signed in with one click. Mouse movement, a keyboard press, or a touch event resets the timer.

3. Override the timeout per user on My Notifications

  1. Click the My Notifications tab in Settings.

    Personal Idle Timeout Override only shows up for accounts with the User or RootUser role. Patient and Caregiver accounts cannot override the company default and instead inherit whatever you set on Business Settings.
  2. Scroll to the Personal Idle Timeout Override card.

    It sits below the granular notification toggles. The description reads Override the company-wide idle timeout setting for your own account. The company default is N minutes.
    Personal Idle Timeout Override card on the My Notifications tab. The Your Idle Timeout (minutes) input is highlighted with a red box and arrow, with placeholder text reading 15 (company default). The Save My Preferences button is visible at the bottom right.
  3. Type a number, leave it blank, or set 0.

    A number sets your personal cap and overrides the company default. Leaving the field empty pulls from the company default. Setting 0 disables the timeout for your account only, which the purple Note callout flags as still subject to the 20-second warning. Click Save My Preferences.
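
The precedence rules from sections 2 and 3, modelled as an added example (not AveeCare code) that resolves each account's effective idle timeout and flags accounts where it is disabled or longer than a review threshold. The account records, the function names and the 30-minute `max_minutes` threshold are assumptions; the page does not describe an export format.

```python
from dataclasses import dataclass
from typing import Optional

OVERRIDE_ROLES = {"User", "RootUser"}  # only these roles see the override card
WARNING_SECONDS = 20                   # warning modal lead time stated on the page


@dataclass
class Account:                         # hypothetical record, not an AveeCare export
    name: str
    role: str                          # Patient, Caregiver, User or RootUser
    override: Optional[int] = None     # None models a blank override field


def effective_timeout(company_minutes: int, acct: Account) -> int:
    """Minutes of idle time before sign-out; 0 means the timeout is disabled."""
    if acct.role in OVERRIDE_ROLES and acct.override is not None:
        return acct.override           # personal value wins, including 0
    return company_minutes             # blank field or non-override role inherits


def warning_after_seconds(minutes: int) -> Optional[int]:
    """Idle seconds before the warning modal appears, or None if disabled."""
    return None if minutes == 0 else minutes * 60 - WARNING_SECONDS


def review(company_minutes: int, accounts, max_minutes: int = 30):
    """Flag accounts whose effective timeout is disabled or above max_minutes."""
    findings = []
    for acct in accounts:
        minutes = effective_timeout(company_minutes, acct)
        if minutes == 0:
            findings.append((acct.name, "idle timeout disabled"))
        elif minutes > max_minutes:
            findings.append((acct.name, f"{minutes} min exceeds {max_minutes}"))
    return findings


# Constructed sample tenant, reviewed against a company default of 15 minutes.
SAMPLE = [
    Account("caregiver-a", "Caregiver"),
    Account("office-b", "User", override=60),
    Account("admin-c", "RootUser", override=0),
    Account("office-d", "User"),
    Account("patient-e", "Patient", override=0),  # ignored: role cannot override
]

if __name__ == "__main__":
    for name, issue in review(15, SAMPLE):
        print(f"{name}: {issue}")
```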

4. Understand 2FA at sign-in

  1. AveeCare enforces 2FA through the sign-in flow, not from a Settings toggle.

    The first time a user signs in, Cognito walks them through pairing an authenticator app and scanning a QR code. After that, sign-in always asks for the current 6-digit code on top of the password. There is no in-app button to disable it for a user, which is by design for HIPAA workloads.
  2. Use any TOTP authenticator app.

    Google Authenticator, Microsoft Authenticator, 1Password, Authy, and Bitwarden all work. The link reading Need help with 2FA? on the sign-in screen opens a help dialog with the recommended apps and the full QR-code walkthrough.
  3. Lost your authenticator? Reset from the Accounts page.

    A RootUser can open Accounts and use the per-user actions menu to disable the affected account, then re-invite it. The re-invite flow walks the user through pairing a new authenticator on their next sign-in.

Common pitfalls

  • Setting idle timeout too low for clinicians. A 5-minute timeout sounds tight but kicks caregivers out mid-visit on a slow phone signal. Most agencies land between 15 and 30 minutes for caregivers and between 15 and 60 for office staff.
  • Personal Idle Timeout Override card is missing. The card only renders for User and RootUser roles. Patients and Caregivers do not see it, which is intentional, since they should inherit the tenant policy.
  • Looking for a Security tab. There is no standalone Security or 2FA tab inside Settings. Idle Timeout lives on Business Settings, the personal override lives on My Notifications, and 2FA is handled at the sign-in screen by the authenticator app pairing flow.
  • Forgetting to click Save. Changing the Idle Timeout (minutes) field but not clicking Save Business Settings at the bottom right leaves the old value in place on the next page load. The same applies to the personal override and the Save My Preferences button.
  • Lost authenticator with no RootUser available. A user who has lost their phone and is the only RootUser on the tenant cannot reset 2FA themselves. Contact AveeCare support before locking the last admin out.

Written by
Founding Partner, AveeCare

Builds AveeCare full-time. The AveeCare Help Center is written and maintained by the team that builds the product, so the steps in every article come from the same people who ship the features.