Email Templates Auto Login Link

Jason He Updated by Jason He

DeskDirector's email template has the capability to provide a client portal link with auto login token. The end user who receives a ticket email can then access portal without having to manually login.

In the past, we achieved this with the use of the Global Magic token, which worked well enough for PSA's email template. With the introduction of DeskDirector's email template, we wanted to make it more secure.

Auto login has the following traits.

  • It is only valid for short period of time. (Within days)
  • The token is for one user only and hashed, so it's much harder to reverse engineer and gain access inside our portal.
  • The system can void all tokens anytime if necessary.

To enable auto login link inside your Admin Console, head to Email > Settings > General Setting

Let's talk about Security

Auto login token, in a way, is similar to Global Magic token as both them raise security concerns.

  • If the email receiver forwards the email to other people, then they could use the token to login before it expires.
  • If the email receiver CC's someone when replying to it, the people from the CC list can see the login link.
  • After the email receiver replies to the ticket email, the replies are added to the ticket's attachment and note. Thus, auto login token is saved in places outside of user's email inbox.

This is the reason why Microsoft Teams' update or GitHub issue update email never contains any auto login token.

FAQ

Q: I have enabled auto login token for email template, how come the link doesn't allow auto login?

A: You should check the email recipients - if the email has more than one receiver, the system will not add auto login token inside.

Q: How come many platforms can send auto login email but your auto login token raise security concerns?

A: The key is the email with the auto login. When you login and request for a password reset or login token, the email is sent from noreply@xxxxxx.com. If you reply to or forward the email or CC anyone on the reply, that's your own responsibility.

Q: I have enabled auto login token, anyway I can use for PSA email template?

A: You cannot. It is technically impossible to have the auto login token for PSA email template. Each token is generated by the DeskDirector system on-the-fly. The only work around is Global Magic token, which is worse than auto login token in terms of security.

Q: Why is auto login token not enabled by default?

A: The system's default behaviour should always be secure. We place the decision of turning on the auto login to the customer so they take responsibility for it.

How did we do?

Setting Email Templates for Notification Events

HTML Email Templates - ConnectWise

Contact