SafeBase employs magic links as a secure and convenient method for accessing restricted documentation, replacing traditional username and password logins. Instead of requiring account creation, users are sent a unique, temporary link via email to access the content. This approach simplifies the access process and enhances the user experience, especially in the context of third-party risk assessments.
What is a Magic Link?
A magic link is a temporary and uniquely generated URL sent directly to a user's email address. Clicking this link provides passwordless access to the organization's gated content. This eliminates the need to remember or manage passwords.
Is there MFA associated with the magic link?
SafeBase's magic link system itself does not incorporate multi-factor authentication (MFA). The security of this login method relies on the limited lifespan of the link and the security measures implemented by the recipient's email provider, which should ideally include MFA.
What if the link is forwarded?
Magic links are designed with security in mind. They expire automatically after being used once or after a period of 24 hours, whichever occurs first. If a link is forwarded to another individual, it will likely be invalid due to its single-use nature or the expiration timeframe. Furthermore, each magic link is associated with the specific email address it was sent to, allowing for tracking and preventing unauthorized access.
When does the link expire?
A magic link becomes invalid after it has been clicked the first time or 24 hours have passed since it was issued, whichever occurs first. However, once a user successfully logs in using a magic link, a JWT session cookie is stored in their browser, allowing them to keep the SafeBase portal open for up to 14 days without needing to re-authenticate.
Is the link unique?
Yes, every magic link generated by SafeBase is unique to the intended recipient's email address and the specific SafeBase organization they are trying to access. This ensures that each access attempt is distinct and traceable.
How does it relate to access expiration?
While magic links have their own expiration rules (first use or 24 hours), account-level access expiration settings take precedence. If a user's SafeBase account access expires before a magic link is used, the link will no longer grant access.
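The rules described above (single use, 24-hour lifetime, binding to one email address and one organization, and account-level expiration taking precedence) can be modeled as server-side checks. This is an added illustration, not SafeBase's implementation; the class and method names, reason strings, hashed-token storage and sample addresses are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

LINK_TTL = timedelta(hours=24)  # link lifetime stated on the page

class MagicLinkStore:
    """In-memory model (assumption); production needs an atomic datastore."""
    def __init__(self):
        self._links = {}  # sha256(token) -> record

    def issue(self, email, org, now):
        token = secrets.token_urlsafe(32)  # unguessable, unique per request
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Keep only the hash so a leaked table cannot be replayed as links.
        self._links[digest] = {"email": email.lower(), "org": org,
                               "expires": now + LINK_TTL, "used": False}
        return token

    def redeem(self, token, org, now, access_expiry=None):
        """Return (email, None) on success or (None, reason) on rejection."""
        rec = self._links.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None:
            return None, "unknown"
        if rec["org"] != org:
            return None, "wrong_org"
        if rec["used"]:
            return None, "already_used"
        if now >= rec["expires"]:
            return None, "link_expired"
        # Account-level access expiration takes precedence over a live link.
        if access_expiry is not None and now >= access_expiry:
            return None, "access_expired"
        rec["used"] = True  # burn the link on first successful use
        return rec["email"], None

def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    store = MagicLinkStore()
    tok = store.issue("Auditor@example.com", "acme", t0)
    first = store.redeem(tok, "acme", t0 + timedelta(minutes=5))
    replay = store.redeem(tok, "acme", t0 + timedelta(minutes=6))
    stale = store.redeem(store.issue("a@example.com", "acme", t0), "acme", t0 + LINK_TTL)
    lapsed = store.redeem(store.issue("b@example.com", "acme", t0), "acme",
                          t0 + timedelta(hours=1), access_expiry=t0 + timedelta(minutes=30))
    return first, replay, stale, lapsed

if __name__ == "__main__":
    print(demo())
```

The second redemption of the same token models a forwarded link opened after the original recipient has already used it.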
How does a user request a new link?
If a magic link has expired or a user needs a new one, they can easily request it by navigating to the relevant Trust Center, clicking get access, and entering their email address in the designated field. A new link will be sent to their email address, provided their account is still active and their access has not been revoked by the organization.
