Overview
Some contact information may be considered sensitive, and organizations may want to ensure that a contact has validated their identity before this information is shared in communications. These contact fields can be indicated as Requires Authentication in the Contact Fields Manager. (See Contact Fields Manager.)
For example, if a school is using Personalized Answers to give different responses to students based on a custom field like financial aid status, this information might be considered sensitive. Therefore, the school would want to prevent students from seeing these personalized answers unless they have authenticated first.
Additionally, contacts who engage with the bot via web-chat may also have a primary SMS account. The Authentication process allows them to temporarily "log in" as that primary account so they can receive personalized answers during their web-chat session.
How Authentication Works
Mainstay uses a simple Authentication process to validate a contact's identity, similar to logging into your online banking with a short code that was sent to your email.
There are multiple triggers:
- On web-chat, the contact can be asked if they want to "log in" right away. To disable this trigger, see the settings below.
- Also on web-chat, if your institution has Quick Actions enabled, then a contact will see "Login" (or, if already logged in, "Logout") in the Quick Actions menu.
- A contact on any channel (web, SMS, etc.) can proactively authenticate at any time using the command #login.
- An unknown contact (such as a web-chat user) who is not already authenticated will be able to log in when asking a question that has Personalized Answers.
- A known contact (such as an SMS user uploaded by your institution) who is not already authenticated will be able to log in when asking a question that has Personalized Answers that reference sensitive fields.
Then, once triggered, this is the Authentication flow:
- The person is asked if they want to Authenticate.
- If they decline, Mainstay will not ask again for a certain amount of time. To edit this configuration, see the settings below.
- If the person does want to authenticate, Mainstay asks for their email address. Mainstay then looks at your organization's contact records to find one with this email address. To select which email field to use, see the settings below.
- If no match is found, Mainstay will not ask to authenticate again for a period of time. To edit this amount of time, see the settings below.
- If a possible match is found, then Mainstay sends a message to this email address. The message will contain a short validation code.
- If they enter an incorrect code too many times, or if too much time passes and the code expires, Mainstay will not ask to authenticate again for a period of time. To edit these amounts of time, see the settings below.
- The person then enters that validation code back into the Mainstay chat. Mainstay will remember they are authenticated for a period of time. To edit this amount of time, see the settings below.
The contact will be automatically logged out when the authentication expires. They can also proactively log out at any time using the command #logout.
Customize Authentication Settings
Your organization can customize this authentication process. Navigate to the Settings page and scroll down to the Authentication section. Your settings will automatically save when you change them.
- Enable Authentication - This controls whether the authentication process is on for your institution.
  - Note: If this is turned off, then no contacts will be able to authenticate. That means no contacts will ever receive Personalized Answers that incorporate "sensitive" contact fields.
- Automatically ask to authenticate webchat users - This controls whether new web-chat contacts are immediately prompted with an option to authenticate.
  - Note: If this is turned off, then these web-chat contacts will only be prompted to authenticate when asking a question that has personalized answers.
- Authenticate with - Set which email field you would like to use for the identity validation match. You can select the default email field or any custom contact fields of the email type. (See Contact Fields Manager.)
  - default: (Default 'email' field)
- Authenticate known contacts for - Set how long a known contact's authentication lasts before it is reset. Once it expires, the person goes back to being unauthenticated and would go through the process above again.
  - default: 30 days
  - A known contact is an SMS contact created by your institution via CSV import, API, SFTP, integration, or manually in the platform.
- If failed or declined, known contacts will be eligible for authentication again after - Set how long a known contact's decision to decline authentication lasts. After that, Mainstay will again ask them to authenticate.
  - default: 30 days
  - A known contact is an SMS contact created by your institution via CSV import, API, SFTP, integration, or manually in the platform.
- Authenticate unknown contacts for - Set how long an unknown contact's authentication lasts before it is reset. Once it expires, the person goes back to being unauthenticated and would go through the process above again.
  - default: 30 days
  - An unknown contact is a contact created by reaching out to your bot, such as web-chat, Facebook Messenger, or an unknown SMS phone number contacting an "open" bot.
- If failed or declined, unknown contacts will be eligible for authentication again after - Set how long an unknown contact's decision to decline authentication lasts. After that, Mainstay will again ask them to authenticate.
  - default: 30 days
  - An unknown contact is a contact created by reaching out to your bot, such as web-chat, Facebook Messenger, or an unknown SMS phone number contacting an "open" bot.
- Authentication code expires after - Use this to determine how long the validation code that Mainstay emails to the person remains valid.
  - default: 30 minutes
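To see how the code expiry, retry limit, and cooldown settings interact, the following added example models the flow described under "How Authentication Works" as a small state machine. It is not Mainstay's code: the timings are the defaults listed above, while `MAX_ATTEMPTS`, `CODE_DIGITS`, and all function and field names are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Optional

MINUTE, DAY = 60, 86400
CODE_TTL = 30 * MINUTE   # page default: authentication code expires after 30 minutes
SESSION_TTL = 30 * DAY   # page default: authentication lasts 30 days
COOLDOWN = 30 * DAY      # page default: eligible again 30 days after a failure
MAX_ATTEMPTS = 3         # assumption: the page only says "too many times"
CODE_DIGITS = 6          # assumption: the page only says "short validation code"

@dataclass
class Contact:
    code_hash: Optional[bytes] = None
    code_expires: float = 0.0
    attempts: int = 0
    authed_until: float = 0.0
    blocked_until: float = 0.0

def _digest(code: str) -> bytes:
    # Store a digest, not the code itself; also gives fixed-length compare inputs.
    return hashlib.sha256(code.encode()).digest()

def _fail(c: Contact, now: float, outcome: str) -> str:
    c.code_hash = None                  # a failed code can never be reused
    c.blocked_until = now + COOLDOWN
    return outcome

def issue_code(c: Contact, now: float) -> Optional[str]:
    """Return a fresh code to email, or None while the contact is in cooldown."""
    if now < c.blocked_until:
        return None
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG
    c.code_hash, c.code_expires, c.attempts = _digest(code), now + CODE_TTL, 0
    return code

def verify_code(c: Contact, submitted: str, now: float) -> str:
    if c.code_hash is None or now < c.blocked_until:
        return "not_eligible"
    if now >= c.code_expires:
        return _fail(c, now, "expired")
    if hmac.compare_digest(_digest(submitted), c.code_hash):  # constant-time compare
        c.code_hash = None              # single use
        c.authed_until = now + SESSION_TTL
        return "authenticated"
    c.attempts += 1
    if c.attempts >= MAX_ATTEMPTS:
        return _fail(c, now, "locked_out")
    return "retry"

def is_authenticated(c: Contact, now: float) -> bool:
    return now < c.authed_until
```

With a short numeric code, the retry limit and the expiry together bound how many guesses are possible, so shortening the cooldown or lengthening the code lifetime in the settings above weakens that bound.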