For users providing forms to their clients through anonymous embedding, without client login, there are two approaches to the form submission process. In the first, the user provides no means of returning to the form and requires the client to fill out the entire form and submit it in the same session. The second approach involves setting up an anonymous on-save workflow to send the client a return link to the form and record. In this second use case it may be desirable to set up two-factor authentication (TFA) to protect against bad actors.
For more information on setting up an on-save workflow or anonymous link generator without two-factor authentication, please see the linked articles.
Two-Factor Authentication Behaviour
When a record is loaded into an anonymous form, generally via a link, the client will be presented with a modal to input their TFA code. This code is sent to the authentication email address. The client will need to receive this email and copy the code into the modal to continue working through the form and record. The TFA code is valid for 10 minutes after it is sent, and is single use. Once the code has been used, the form will allow the user to keep working on the form and record until they either exit the browser window or 24 hours have elapsed.
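The lifecycle described above (a single-use code valid for 10 minutes, then up to 24 hours of access) can be modelled as follows. This is an added illustration and not the product's own code: the class and method names, the 6-digit code length, the 5-attempt limit and the in-memory storage are assumptions made for the example.

```javascript
// Added illustration: server-side model of the TFA code lifecycle (Node.js).
// TfaGate and its methods are hypothetical names, not the product's API.
const nodeCrypto = require('crypto');

const CODE_TTL_MS = 10 * 60 * 1000;         // code valid for 10 minutes
const SESSION_TTL_MS = 24 * 60 * 60 * 1000; // access lasts at most 24 hours
const MAX_ATTEMPTS = 5;                     // assumption: the page states no limit

class TfaGate {
  constructor() {
    this.pending = new Map();  // sessionToken -> { hash, expiresAt, attemptsLeft }
    this.verified = new Map(); // sessionToken -> time access ends (ms)
  }

  // Only a hash is stored, bound to the session the code was issued for.
  static digest(sessionToken, code) {
    return nodeCrypto.createHash('sha256').update(`${sessionToken}:${code}`).digest();
  }

  // Returns a 6-digit code (assumed length) from a CSPRNG; the caller emails it.
  issue(sessionToken, now = Date.now()) {
    const code = String(nodeCrypto.randomInt(0, 1000000)).padStart(6, '0');
    const hash = TfaGate.digest(sessionToken, code);
    this.pending.set(sessionToken, { hash, expiresAt: now + CODE_TTL_MS, attemptsLeft: MAX_ATTEMPTS });
    return code;
  }

  verify(sessionToken, code, now = Date.now()) {
    const entry = this.pending.get(sessionToken);
    if (!entry) return false;                       // never issued, or already used
    if (now > entry.expiresAt || entry.attemptsLeft <= 0) {
      this.pending.delete(sessionToken);            // expired or guessed too often
      return false;
    }
    entry.attemptsLeft -= 1;
    const candidate = TfaGate.digest(sessionToken, String(code));
    if (!nodeCrypto.timingSafeEqual(entry.hash, candidate)) return false;
    this.pending.delete(sessionToken);              // single use
    this.verified.set(sessionToken, now + SESSION_TTL_MS);
    return true;
  }

  // True while the session is within 24 hours of a successful verification.
  isAuthorised(sessionToken, now = Date.now()) {
    const until = this.verified.get(sessionToken);
    return until !== undefined && now <= until;
  }
}
```

Ending access when the browser window is closed is a property of the client's session cookie and is not modelled here.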
Enable Two-Factor Authentication
To enable two-factor authentication on a form, simply go to the submission settings for the form and under records select 'Enable Two-Factor Authentication for Anonymous Access'. You will also need to provide the field name of the field on the form which will collect the client's email. This should be the same field used to send the link in the on-save workflow.
In your link generator you will need to include some extra script. In the script that runs your link-generating app, wherever it is located, include the following function:
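function getSessionId() {
    // document.cookie only lists cookies readable by script (not HttpOnly ones).
    var cookies = document.cookie.split(';');
    for (var i = 0; i < cookies.length; i++) {
        // Split on the first '=' only, so a value that contains '=' stays intact.
        var pair = cookies[i];
        var separator = pair.indexOf('=');
        var key = (separator === -1 ? pair : pair.slice(0, separator)).trim();
        var value = separator === -1 ? '' : pair.slice(separator + 1);
        if (key === 'sessionId') {
            return value;
        }
    }
    return null; // No valid session cookie found
}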
In the line where you define the data for the API call to the app, you will need to include a new key/value pair which references the value you receive from running this function, as follows:
"TFASessionToken": "' + getSessionId() + '",
The addition of this parameter will not affect any other use cases that the script might be used for.
For full script examples, please see the link generation article.