
Question

Direct Approval Authentication

asked on March 13, 2024

I'm finally playing with the new direct approval options that embed task buttons into the email notification. It appears there is no authentication to verify that it was pressed by the person in question.

Am I missing something? The task history--which our internal auditors quite appreciate--shows that the task was approved by the person it was assigned to even if somebody else (me) got the email notification and pressed the approval button.

1 0

Answer

APPROVED ANSWER
replied on March 13, 2024

Hi Pieter,

You're correct: there is no authentication for Forms Direct Approval via Email. Forms constructs massive unique strings for the action button links, which are associated with the task assignee. It's assumed that the Direct Approval email is going to the correct email address of the person assigned the task.

This is conceptually similar to the default auth setting ("Not Required to Login") for DocuSign signing requests:

Once you select the documents to send, you can add up to 99 recipients who will receive and sign your documents or receive a copy. You provide an email address and name for each recipient. Recipients don't need a DocuSign account to open your document and complete their signing action.

Accordingly, if you require stricter controls on approver attribution, either (a) take extra care to validate that in Production you're always sending Direct Approval emails to the correct individual's email address (especially do not send Direct Approval emails to shared inboxes), or (b) do not use the feature.

The current documentation on Direct Approval via Email does not adequately describe security/authentication/auditing considerations. We'll at minimum get that updated so people have the information they need to make an informed decision about using the feature.

2 0
replied on March 13, 2024

Thank you for the clarification, Sam.

I guess I have a feature request now: to at least have the option of requiring authentication when using one of those buttons.

1 0
replied on April 1, 2024

Hey Sam-

Quick follow-up here for a use case. There is a branch president who needs to do approvals for this process; he is out of the country currently and wants to do everything by email. To approve, he'll need to use his laptop and connect to VPN, which he hasn't been doing. For a case like this, he'll forward the email notification to a relevant person to approve in his place. But if they click the button (if it was there; I'm not using this feature) it would say that the president was the one who approved.

As it stands now, the person who receives the email can claim the task or at least ask a process manager to assign it to them. But if they see an Approve button it's likely they'll want to push it. So, it's not an issue with group inboxes or email security.

1 0
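The behaviour Sam describes in the accepted answer (a long unique token in the button link, bound to the assignee, with no check on who actually clicks) and the forwarded-email scenario from the April follow-up can be modelled in a few lines. The code below is an added illustration written for this thread, not Laserfiche Forms code: the class and method names, the `forms.example.invalid` host and all email addresses are constructed, and the "authenticated" variant is a hypothetical sketch of the feature request (approver identity taken from a login session and required to match the assignee, with mismatches written to the history), not something the product offers.

```python
"""Model of email direct-approval links with and without authentication.

Added example, not Laserfiche Forms code. The unauthenticated path reproduces
the behaviour described in the thread; the authenticated path is a hypothetical
hardening of it.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Task:
    task_id: str
    assignee: str            # email address the task was assigned to
    status: str = "pending"


@dataclass
class ApprovalService:
    tasks: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)   # token -> (task_id, assignee)
    history: list = field(default_factory=list)  # the task history auditors read

    def create_task(self, task_id: str, assignee: str) -> None:
        self.tasks[task_id] = Task(task_id, assignee)

    def build_direct_approval_link(self, task_id: str) -> str:
        """Mint the long unique string carried by the email's Approve button.
        The token is a bearer credential standing in for the assignee; nothing
        about who will eventually open the mail is captured."""
        token = secrets.token_urlsafe(48)
        self.tokens[token] = (task_id, self.tasks[task_id].assignee)
        return f"https://forms.example.invalid/approve?token={token}"  # hypothetical host

    def click_unauthenticated(self, token: str) -> str:
        """Behaviour the answer describes: whoever holds the link approves as the
        assignee. The service never learns who clicked, so the history can only
        ever name the assignee."""
        binding = self.tokens.pop(token, None)   # single use
        if binding is None:
            return "invalid token"
        task_id, assignee = binding
        self.tasks[task_id].status = "approved"
        self.history.append({"task": task_id, "approved_by": assignee})
        return "approved"

    def click_authenticated(self, token: str, session_user: Optional[str]) -> str:
        """Hypothetical hardened variant: the token only selects the task; the
        approver is the logged-in user, who must match the assignee. A mismatch
        is refused and recorded so auditors can see the forwarded-link case."""
        binding = self.tokens.get(token)
        if binding is None:
            return "invalid token"
        task_id, assignee = binding
        if session_user is None:
            return "login required"
        if session_user.lower() != assignee.lower():
            self.history.append({"task": task_id, "rejected_click_by": session_user,
                                 "assignee": assignee})
            return "not the assignee"
        del self.tokens[token]
        self.tasks[task_id].status = "approved"
        self.history.append({"task": task_id, "approved_by": session_user})
        return "approved"


def demo() -> dict:
    """Replay the thread's scenario with constructed addresses: the notification
    (and its link) is opened by someone other than the assignee."""
    svc = ApprovalService()
    for tid in ("T-1", "T-2"):
        svc.create_task(tid, "assignee@example.invalid")
    tok1 = svc.build_direct_approval_link("T-1").split("token=")[1]
    tok2 = svc.build_direct_approval_link("T-2").split("token=")[1]

    # A colleague holding the forwarded email presses the unauthenticated button:
    # the task is approved and the history names the assignee.
    unauth = svc.click_unauthenticated(tok1)
    # Same forwarded link under the hardened variant: refused until the assignee
    # signs in and clicks it themselves.
    forwarded = svc.click_authenticated(tok2, "colleague@example.invalid")
    no_login = svc.click_authenticated(tok2, None)
    own = svc.click_authenticated(tok2, "Assignee@example.invalid")
    return {
        "unauth": unauth,
        "unauth_recorded_as": svc.history[0]["approved_by"],
        "forwarded": forwarded,
        "no_login": no_login,
        "own": own,
        "t1": svc.tasks["T-1"].status,
        "t2": svc.tasks["T-2"].status,
        "history": svc.history,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes concrete is the one the auditors care about: with the unauthenticated button the history entry is derived from the token binding, not from the clicker, so it is correct only to the extent that the email reached the assignee's own mailbox. Tying the approval to a session identity moves attribution from "who held the link" to "who was logged in", and turns a forwarded click into a visible rejected event instead of a silent misattribution.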
