Here's a brief overview of the 2 options you have around client security: passwordless accounts and passworded accounts.

‍

Passwordless accounts:

• Clients do not need to remember password.
• We send a magic-link to client's email. The client can use the link complete questionnaire. This link expires in 1 hour thus it is highly secure.
• When the link expires, the client can easily request another link or request a verification code via SMS.
• Expiring link and verification code are more secure than password because the client may use a weak/common password.

‍

Passworded accounts:

• We send a default password to client's email.
• The client can changes the password after login.

‍

Our Security Suggestions:

• A way for clients to enable 2FA in case the client's email is compromised.
• A way to suggest that client updates password.

‍

How to Enable Passwordless Sign-In

Here's how you can enable passwordless sign-in for a client.

‍

Once you send a questionnaire to this client (can be an open item or reminder), the client would receive the following email (with your firm's white labeling), where they can click a link to automatically sign in and redirect the client to the questionnaire. For security purpose, this link expires after 1 hour.

‍

‍

If the above link is expired, it will show 2 options for the client to continue.

‍

‍

If client selects "Send new link to email", a new link will be sent to the client's email. This link also expires after 1 hour.

‍

If client selects "Send verification code via SMS," we will send a 6-alphanumeric code to client's phone. For security purpose, the verification code expires after 5 minutes.

‍