Skip to main content

Overview of Collaborator Email Authentication

Natasha
Updated

Summary

Collaborators must be authenticated with a valid session in order to access projects within Coordinate. These sessions are established via email links that expire and are one time use after a 30 minute grace period. The 30 minute grace period is provided to prevent various spam filters, which often open the links, from effectively blocking collaborators by consuming the email link.

 

Navigate to Collaborator Security

  1. Click your name in the upper right corner in the nav bar
  2. Click Settings
  3. Scroll down and click Collaborator Security on the left hand side 
collaboratorSecurity.jpg

 

Detailed Flow

  1. Emails sent to external collaborators contain a token within all links in an email
    1. Token is generated using Cryptographically Secure Pseudo Random Number Generator (CSPRNG)
    2. Token is not valid after 5 hours.
  2. When link is accessed, the following checks are performed before the collaborator is given access to the portal:
    1. Verify the link has not been used, if it’s older than 30 minutes
    2. Verify the link has not expired
    3. If either of the above failed, redirect to an Email Authentication Page
  3. Set collaborator’s session cookie with 90 day expiration
  4. Redirect to the link provided in step1, (project page, task comments, my tasks etc)
  5. Session will be valid for 90 days. As a user moves between devices such as a desktop and phone, they will need to complete this authentication process once per device every 90 days. This duration can be overridden in the settings.
  6. At any time, access can be revoked by either:
    1. Removing the collaborator
    2. Marking the project as inactive

Page: Email Authentication Page

This allows an unidentified collaborator to request an invite email by providing their email address. If the email address matches a collaborator on that plan, the process outlined above starts from Step 1.

 

If the email address doesn’t match, the project manager will receive an email saying an unknown email address is attempting to access the project. This last piece is helpful to identify new people at the client who should potentially be involved in the project.

Related articles