Security over client tasks

  • 21 October 2022
  • 2 replies

Userlevel 3

Any ideas when client tasks will be made secure agian?

The “magic link” is magic for anyone who has hacked into a client’s email account and wants unfetted access to the contents of a list.  They can magically open and see any sensitive information we send them and see anything typed into the fields by a client that has not yet been completed.

At least the old PIN system provided some protection.

As far as I can see at the moment, we can no longer ask clients for sensitive information through the client tasks functions.

I’d love to hear that I’m wrong.

2 replies

Userlevel 7
Badge +19

Hi @Adrian C Mathews,

I understand and share your concern to safeguard our client’s information.

The magic link, even though it’s easier to use, actually has several security advantages over the PIN. The link locks itself to the browser or device that uses it first. The link will not work If a different device or browser tries to use it a second time. With the PIN, if a bad actor knew a client’s PIN, or could guess it, you could access their client requests from any device.

Also, if a client forgot their PIN, they could request to reset the PIN through their email. Karbon client requests have always relied on email security. If a bad actor is able to log into a client’s email account, they will have access to reset many kinds of passwords, not just Karbon, so its security is on par with other programs that pass medical records, government records, etc.

Both PIN and magic links die when the work is marked completed, so the probability that a bad actor would gain access to a client’s email account and use the magic links there to request new ones to log into unfinished work items is fairly narrow. That activity would also be highly visible to the client which should trigger actions to regain control of the account.

With all those factors, the overall exposure of client information is very small and requires a bad actor to have access to the account at just the right time.

One way to make client tasks even more secure would be to add passwordless or multi-factor authentication as described in these two feature ideas:

Does that help at all?

EDIT: Here’s much more detailed information on the security offered by magic links: 


Userlevel 4

When will 2FA be available for client tasks?