LiquidFiles Documentation
LiquidFiles Documentation

Access Pass Authentication

Access Pass Authentication is an authentication method in LiquidFiles to enable authenticated access for external users with no local user accounts.

Access Pass Authentication was introduced in LiquidFiles v3.4 and replaced with Temporary Users Authentication in LiquidFiles v3.5.

Video Overview

This video walks through Access Pass authentication and configuration.

Access Pass Overview

When an external recipient receives an Access Pass, it will look similar to this:

The Access Pass (ZA03-EI4c-nFBi in the email above) will uniquely idenfiy each user. When users click on the link in the email, they will be taken to an Authentication Page like this:

At this page, the user can:

  1. Enter their Access Pass and be granted access to the Secure Message.
  2. Request a new Access Pass — in case they've deleted the Access Pass email.
  3. Login using an existing username and password, for existing users.

Configuration

There's three available configuration settings for Access Pass authentication:

Access Pass Expiration

The Access Pass Expiration (in seconds) determine how long a user can use an Access Pass. The default is 604800s, or 1 week. This means that if you send a Secure Message to an external user with no user account on your LiquidFiles system, the Access Pass they will receive is valid for 1 week.

Access Pass Remove After

In order to make Access Pass Authentication as user friendly as possible, we keep expired Access Passes on the LiquidFiles system for a fairly long time. On default they will be removed after 90 days. If someone enters an expired Access Pass, they will automatically receive a new one.

Access Pass Resend After

Because users will likely delete the Access Pass email. After this time, defaulting to 12h, a new Access Pass email will be sent. If the previous access pass is still valid, the same access pass will be re-sent in the new email. This is so that there's a balance between reminding users and not be annoying.

If john.doe@company.com receives 5 Secure Messages in a day, he will only receive 1 Access Pass email. It's only after 12h (on default) has passed until he receives another Secure Message that he will receive another Access Pass email.

One of the reasons why we wanted to keep old Access Passes is that say that the user john.doe@company.com can also receive emails as jdoe@company.com or just john@company.com. If we ask the user to enter their email address (how external user authentication worked before LiquidFiles v3.4) if the Secure Message was sent to john.doe@company.com, that's what the user had to enter. The LiquidFiles system has no way of knowing that john.doe@company.com, jdoe@company.com and john@company.com is the same user.

Access Pass Expiration Example

Lets say a user sends a Secure Message to john.doe@company.com on 1st of February at 9am. john.doe@company.com does not have an account on this LiquidFiles system. We assume this LiquidFiles system has the default configuration above. john.doe@company.com will receive an Access Pass in a separate email: ZA03-EI4c-nFBi. One of three things will now happen:

  1. john.doe@company.com clicks on the link in the email before 9am on the 8th of Febrary, enters the Access Pass ZA03-EI4c-nFBi and will be successfully authenticated.
  2. john.doe@company.com clicks on the link in the email after 9am on the 8th of February but before the 1st of March (90 days later), enters the Access Pass ZA03-EI4c-nFBi. Since the Access Pass has expired, it can't be used to authenticate john.doe@company.com, but since it hasn't been removed, we know that Access Pass ZA03-EI4c-nFBi used to authenticate john.doe@company.com so the LiquidFiles system automatically sends a new Access Pass to john.doe@company.com that can be used to authenticate.
  3. john.doe@company.com clicks on the link in the email after 1st of March. There will no longer be any record of the Access Pass ZA03-EI4c-nFBi so the LiquidFiles system will prompt the user to enter their email address to send a new Access Pass.