Logins & Invitations

How your identity is important in Zipwire.

Account Reservations

Zipwire is used to approve work and get people paid, so it's important that you have confidence that the people using the app with you are who they say they are.

There are currently three kinds of actors, senders, approvers and processors, who are invited to use Zipwire using their email address. It is important that you enter their email address carefully to ensure their invitation link is sent to the right person.

If a person has a couple of email addresses, e.g. a personal and a work address, then it doesn't matter which one is used so long as the right person receives the link.

Sending invitations to work emails is more secure. If the email address is wrong, the message is likely to fail to reach anyone at all. Plus, it's harder for an attacker to create a fake address with a corporate ending.

Behind the scenes, Zipwire creates and reserves a user account for the invited.

When they follow the link they'll see their invitation and some basic details about who sent the it and to what it relates, including an email address of the sender so they can get in touch to ensure the invitation is legitimate.

They'll then need to login for the first time, assuming they are new to Zipwire. At this point, they can choose their favourite login provider, e.g. Google or Microsoft et al.

When they login, Zipwire links their login provider's identity to the reserved user account which activates it so it's no longer reserved but claimed and in-use. Zipwire then gets their basic personal user details from Google (or whoever) and updates the Zipwire user account.

If the wrong person follows the link, then this should be obviated by the unexpected name which will appear on their account. For example, you invite Sridhar as an approver but the name changes to Tony.

If a user who has logged in with their Google account subsequently logs in using their Microsoft account, then Zipwire will unlikely be able to link this login to their existing user account and will be treated as a new Zipwire user and a different person.

Auditing

When a user acts upon an item Zipwire imprints any captured information about the actor and their computer into the item.

For example, when an someone approves a timesheet via the website, we'll have information about their login, login provider and the IP address of the device they're using and where in the world that is. And if they use WhatsApp, then we'll know their phone number. This information is permanently written into the timesheet.

By writing this information into the item itself rather than keeping logs, you have control over deleting this data as part of any privacy regime or data policy in your jurisdiction.

Two-factor Authentication

We recommend people use two-factor authentication to secure their account. When enabled, Zipwire allows people to track time and make trivial changes but protects more sensitive operations, challenging the user to enter their two-factor key.

Two factor in Zipwire

Troubleshooting

Tangled Identities

PreviousSetting up Zipwire Collect NextZipwire Collect: Rapid Onboarding, Effortless Compliance

Last updated 4 months ago