
I have a booking system where passengers need to add information that is quite sensitive (passport details, etc.). When they book, I generate a (difficult to crack) reference number, which they use to log in. I also send it to their email address, so essentially it's an auto-generated password. They can only get access when they enter the reference number. However, the UX dept have asked for passengers to click a link and be automatically logged in.

But I think this might be a risk. For example, I can put the ref in the URL and automatically log them in, but ... what if it's a work computer or a shared device? That URL can be found again.

Does anybody recommend a better way? How can I keep my passengers' data safe, but also make their life easy?

schroeder
Sprep
  • How long is the reference number valid for? – Nov 22 '22 at 08:42
  • We have many related questions here: https://security.stackexchange.com/questions/58215/are-random-urls-a-safe-way-to-protect-profile-photos and https://security.stackexchange.com/questions/111450/access-key-in-url-securing-the-unsecured for example and https://security.stackexchange.com/questions/239762/how-are-hidden-private-urls-being-leaked-to-third-parties – schroeder Nov 22 '22 at 08:47
  • Are you in a jurisdiction where there are defined data protection laws? Like GDPR? – schroeder Nov 22 '22 at 08:49
  • @Spyros until the voyage has expired. – Sprep Nov 22 '22 at 11:22
  • @schroeder yes, GDPR is a big thing for me. – Sprep Nov 22 '22 at 11:23
  • Do they need to revisit their data using the link once they've already provided it? In another solution with similar sensitivities, once the form is completed, the user is offered their data in a printable report for the last time, after which it is no longer accessible through the same channel – brynk Nov 22 '22 at 11:27
  • @brynk they do need to revisit, i.e. changes for the voyage etc., but I think I have come to a compromise here. For example, once they have added their PII, then they would need to log in and the auto login will be switched off. So I can allow passengers easy flow to get started with, but once complete, they need to log in to edit information. So a one time pass. Maybe that is good. – Sprep Nov 22 '22 at 11:31
  • Yep, not a bad control, e.g. WordPress has a way of providing a new user with only a password reset link on sign-up, and on click the user must "reset" (i.e. set) their pwd, before any PII can be provided – brynk Nov 22 '22 at 11:38
  • Then stop, take a big step back, and assess your control based on your regulatory responsibilities and not what your UX team says. Not having a login to access PII will put you afoul of GDPR. Full-stop. – schroeder Nov 22 '22 at 15:20
  • At least consider a secondary verification, like an SMS code when entering the reference code. – Wouter Nov 23 '22 at 10:37
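The compromise sketched in the comments (an emailed link that is single-use, valid only until the voyage ends, and switched off once PII is on file, so that a URL found later on a shared device no longer works), as an added Python example that is not from the question or its commenters; the `MagicLinks` class, the in-memory stores, the server secret and the booking ids are constructed for illustration:

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

class MagicLinks:
    """Expiring, single-use login links for a booking (hypothetical design).
    Only an HMAC of each token is stored, so a copied table yields no working links."""

    def __init__(self, server_secret: bytes) -> None:
        self._secret = server_secret
        self._links = {}       # digest -> {booking, expires, used}; stands in for a DB
        self._locked = set()   # bookings whose PII is on file: link login disabled

    def _digest(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, booking_id: str, voyage_end: float) -> str:
        token = secrets.token_urlsafe(32)   # 256-bit value that goes into the emailed URL
        self._links[self._digest(token)] = {"booking": booking_id, "expires": voyage_end, "used": False}
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the booking id if the link may log the user in, else None."""
        now = time.time() if now is None else now
        rec = self._links.get(self._digest(token))
        if rec is None or rec["used"] or now >= rec["expires"]:
            return None                      # unknown, replayed, or past the voyage
        if rec["booking"] in self._locked:
            return None                      # PII entered: credentials required now
        rec["used"] = True                   # a URL found later in history is dead
        return rec["booking"]

    def pii_submitted(self, booking_id: str) -> None:
        """Switch auto-login off once passport details have been entered."""
        self._locked.add(booking_id)

def demo() -> dict:
    store = MagicLinks(b"constructed-server-secret")
    end = 1_700_000_000.0                    # constructed voyage-end timestamp
    t1 = store.issue("BK123", end)
    first = store.redeem(t1, now=end - 100)  # "BK123"
    replay = store.redeem(t1, now=end - 50)  # None: already consumed
    t2 = store.issue("BK123", end)           # re-sent link for an abandoned session
    store.pii_submitted("BK123")
    locked = store.redeem(t2, now=end - 10)  # None: PII on file, must log in
    t3 = store.issue("BK456", end)
    late = store.redeem(t3, now=end + 1)     # None: voyage over
    return {"first": first, "replay": replay, "locked": locked, "late": late}
```

Because the link is consumed on first click, a passenger who abandons the form needs a fresh link re-sent to the booking email, which is cheaper than leaving a working URL in a shared browser's history.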

0 Answers