What is a magic link?
As an alternative to requiring customers/prospects to create a username and password to review your security information, the SafeBase platform emails them temporary, unique ("magic") links that allow them to "log in". This was a conscious design decision we made from the beginning because of the general industry reaction to the various third-party risk management systems that require users to create an account before they can fill out a questionnaire or gain access to a document. These magic links provide a much better user experience than the traditional username/password requirement, and increase the likelihood that the customer/prospect will forgo a questionnaire. Our initial discussions with Enterprise CISOs during the early days of our company led us to this conclusion, as security teams everywhere are sick of creating passwords.
Is there MFA associated with the magic link?
There is no SafeBase-specific MFA associated with these magic links. We instead rely on the link expiration and on the security of the customer/prospect's email account, which should have MFA in its own right. From our discussions with Enterprise CISOs, we learned that adding anything on top of the magic link would only add friction to the already lengthy security review process.
What happens if a customer forwards the link?
Our links expire after their first use, or after 24 hours, whichever comes first. In the event that a magic link email is forwarded accidentally, the link will likely have already been used, or have expired, by the time the second recipient tries to click on it. In addition, each magic link is associated with an email. In the event that your team needs to know exactly which user downloaded a file, viewed the portal, etc., we can provide event logs with the time and date, and the email associated with the magic link used to do these activities.
When does the link expire?
The links expire after their first use, or after 24 hours, whichever comes first. Although the links themselves expire immediately after use, customers/prospects may keep the private portals open in a tab for up to 14 days before the secure JWT session cookie expires. The initial recipient can still use this link to gain access because of this session cookie. Users who have this link forwarded to them will find the link to be invalid since their browser lacks this session cookie.
Is the link unique per user?
Each magic link is associated with a specific email and tied to your organization. Different users from the same customer/prospect will each get their own unique magic links.
How do these tie in with the access expiration feature?
Magic links are granted to users with valid emails that have had their access approved. If a user's Account has access expiration enabled, then once that access has expired no magic link will allow them to log in. In a nutshell, access expiration trumps any magic link validity. A link requested an hour before access was due to expire will no longer allow the user to log in two hours later, for example.
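The rules described in the answers above (single use, 24-hour lifetime, one email per link, 14-day session, access expiration overriding link validity) can be modeled as follows. This is an added example, not SafeBase's implementation: the class, method and field names are hypothetical, and storing only a SHA-256 digest of the token is an assumption of the example.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

LINK_TTL = timedelta(hours=24)    # links expire 24 hours after issue
SESSION_TTL = timedelta(days=14)  # session cookie lifetime after redemption

class MagicLinkStore:
    """Hypothetical in-memory model of the link rules described on this page."""

    def __init__(self):
        self.links = {}          # sha256(token) -> record (assumption: no raw tokens stored)
        self.access_expiry = {}  # email -> datetime when account access ends
        self.events = []         # (time, email, event) rows for the audit log

    def issue(self, email, now):
        token = secrets.token_urlsafe(32)  # unguessable, unique per request
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.links[digest] = {"email": email, "issued": now, "used": False}
        return token

    def redeem(self, token, now):
        """Return (ok, reason, session); session is None on failure."""
        rec = self.links.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None:
            return False, "unknown", None
        if rec["used"]:                      # a forwarded, already-clicked link lands here
            return False, "already_used", None
        if now - rec["issued"] >= LINK_TTL:
            return False, "expired", None
        expiry = self.access_expiry.get(rec["email"])
        if expiry is not None and now >= expiry:  # access expiration trumps link validity
            return False, "access_expired", None
        rec["used"] = True                   # burn the link on first use
        self.events.append((now, rec["email"], "login"))
        return True, "ok", {"email": rec["email"], "expires": now + SESSION_TTL}

    @staticmethod
    def session_valid(session, now):
        # Only the original browser holds this session; the link alone no longer works.
        return now < session["expires"]
```
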
How do customers request a new magic link?
Customers can use the "Reclaim access" option on your Trust Center to receive a new magic link. In addition, if they try to use an expired one, they will be informed that the link has expired, and will be prompted to get a new link.