Re-authentication for sensitive actions

This document explains the automatic re-authentication function.

Description

While working with the platform interface, user or contract data may be changed without authorization, either by someone who has gained access to the interface or by the legitimate user by accident.

In order to prevent unintended changes and protect against malicious changes of data, the platform provides a mechanism called Re-authentication for sensitive actions.

Settings

The mechanism is implemented through a flag in the Tenant configuration and can be activated optionally for all users of the current Tenant.

sensitive_actions_reauth

By default this flag is not active. To enable it, make a PATCH request to the Tenant you are interested in with the following body:

{
  "data": {
    "type": "tenant",
    "attributes": {
      // Enter your tenant attributes
      "feature_flags": {
        // Enter your tenant feature flags
        "sensitive_actions_reauth": true
      }
    }
  }
}

Please Note: You will need Tenant Admin user rights to be able to make changes to Tenant settings.

Changes

When the feature flag sensitive_actions_reauth is active, all Tenant users will be required to confirm their actions by entering their password before they can change sensitive data.

Sensitive action re-authentication

If the user did not authenticate to the platform with a password, the user will be redirected to the OIDC/SAML provider for authentication instead.

This feature works on all modern web browsers, starting from the following versions:

  • Chrome 66+
  • Firefox 63+

Please Note: The user will be asked to re-authenticate every 6 hours. This means that after a successful authentication the user can perform sensitive actions for another 6 hours without authenticating again. This period can be modified for a single installation by changing the SENSITIVE_ACTION_AUTH_LIFETIME environment variable.
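As an added illustration (not the platform's own code), the following Python model shows the server-side decision this feature describes: the tenant flag, the 6-hour window that SENSITIVE_ACTION_AUTH_LIFETIME can override, and the password versus OIDC/SAML paths. The Tenant and Session classes are assumed stand-ins, and the variable is assumed to hold a number of seconds, since the page does not state its unit.

```python
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Page default: re-authenticate every 6 hours.
DEFAULT_LIFETIME_SECONDS = 6 * 60 * 60
# Constructed timestamp used in the examples below.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def auth_lifetime(env=os.environ) -> timedelta:
    """How long a successful re-authentication stays valid.

    Assumption: SENSITIVE_ACTION_AUTH_LIFETIME holds whole seconds.
    Anything unparsable falls back to the 6-hour default rather than
    silently disabling the check.
    """
    raw = env.get("SENSITIVE_ACTION_AUTH_LIFETIME", "")
    seconds = int(raw) if raw.isdigit() else DEFAULT_LIFETIME_SECONDS
    return timedelta(seconds=seconds)


@dataclass
class Tenant:  # assumed stand-in for the platform's Tenant record
    feature_flags: dict = field(default_factory=dict)


@dataclass
class Session:  # assumed stand-in for the user's session
    uses_password: bool  # False for users signed in through OIDC/SAML
    last_sensitive_auth: Optional[datetime] = None  # last confirmed re-auth


def reauth_requirement(tenant: Tenant, session: Session,
                       now: Optional[datetime] = None, env=os.environ) -> str:
    """Return "none" (proceed), "password" (ask again) or "sso" (redirect)."""
    now = now or datetime.now(timezone.utc)
    if not tenant.feature_flags.get("sensitive_actions_reauth", False):
        return "none"  # flag off: tenant has not enabled the feature
    last = session.last_sensitive_auth
    if last is not None and now - last < auth_lifetime(env):
        return "none"  # still inside the current window
    return "password" if session.uses_password else "sso"


def confirm_reauth(session: Session, now: Optional[datetime] = None) -> None:
    """Record a successful re-authentication, starting a new window."""
    session.last_sensitive_auth = now or datetime.now(timezone.utc)
```

A window that has reached exactly the lifetime is treated as expired, so a check at the 6-hour mark asks for credentials again.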

Actions

Below you can see a list of actions that are considered sensitive by the platform and will require additional re-authentication if engaged: