- rwaldenjr Asked on January 19, 2018 at 07:25 PM
Since using passwords is not allowed on JotForm, I'm trying to disable my forms until verified by the unique secure code sent from the E-mail Validator widget to the users via email. This seems like an excellent possible work-around, and it wouldn't leave people's "access codes" visible in the clear (via Inspect)!?!
However, I'm not sure if there's a way to call the widget's validated state, once the code has been entered, and then use that validated status as a conditional trigger to change the default Disabled state of the form to Enabled. Any ideas or suggestions?
- JotForm Support liyam Answered on January 20, 2018 at 03:18 AM
Unfortunately, calling the validated status of the widget is not possible. It can only be recognized as validated upon receipt of the form submission since the form will prevent the user from being able to make the submission unless the user enters the validation code which he should receive through his email address.
Can you give us an idea on how you would like to make use of your forms with passwords? Like do you wish to use the form for authentication purposes or do you wish to provide them temporary passwords?
- rwaldenjr Answered on January 21, 2018 at 04:15 AM
Hi Liyam -
Thanks for your reply. I'm experimenting with a new and hopefully more secure work-around to address JotForm's policy of not allowing us to incorporate passwords on our forms. Personally, I think this leaves many of us in violation of several Federal statutes when we collect financial and personally identifying data as part of our businesses. Transmitting "access" codes in the clear as a work-around, whether in URLs, obfuscated fields or even hidden fields (the latter two of which can still be seen in a browser's Inspect tool) is not a secure method! And, I'm trying to arrive at a means of securing my clients' access to their personal data.
The E-mail Validator widget sends an authentication password to a user's email address. It seems we might be able to use that approved process as a type of single-use secure password for our forms by linking the second step of the validation process to an Enable/Disable Condition!?! I'd like to disable all of the elements of my form by default, except for the Validator widget. And, once the password (which they receive via email) has been validated, the elements would be enabled. How can I accomplish this?
- JotForm Support liyam Answered on January 21, 2018 at 12:35 PM
Basically, it's not possible to run authentication for log-ins using JotForm. The purpose of the form is to collect information and not to provide authentication processes.
Many have tried to use JotForm for phishing, such as making forms appear like login forms for Facebook, etc. Such activities destroy our service's reputation.
In the event that you have explained, where one is able to use form fields with conditions to act like password processes, those are actually incidental, and not the main intention for the usage of forms. This is why we also do not recommend it. In addition, as you have explained, opening the source code of the form reveals the hidden information. Thu
Following the explanation provided, this is the reason why we have a firm resolve not to allow the collection of passwords or, practically, the use of forms for a similar purpose.
With this, I would instead recommend creating your own HTML page for authentication processes, and using JotForm by embedding your form in the authenticated-only page.
Feel free to let us know if you have additional questions.
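An added illustration, not part of the thread and not JotForm code: a minimal sketch of the "authenticated-only page" idea, where an emailed single-use code is checked on the server and the form embed is only rendered after that check succeeds, so nothing secret sits in hidden fields or URLs. The function names, the lifetime and attempt limits, and the `FORM_URL_PLACEHOLDER` embed are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed lifetime of an emailed code
MAX_ATTEMPTS = 5        # assumed guess limit per issued code
# Placeholder embed snippet; not a real form URL.
FORM_EMBED_HTML = '<iframe src="FORM_URL_PLACEHOLDER"></iframe>'

# Server-side state only: email -> digest, expiry, attempts. Never sent to the browser.
_pending = {}


def _digest(code):
    return hashlib.sha256(code.encode("utf-8")).digest()


def issue_code(email, now=None):
    """Create a single-use code; the caller emails it to the address."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"
    _pending[email] = {"digest": _digest(code),
                       "expires": now + CODE_TTL_SECONDS,
                       "attempts": 0}
    return code


def verify_code(email, submitted, now=None):
    """Check a submitted code on the server; success consumes the code."""
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[email]  # expired or guessed too often: require a new code
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["digest"], _digest(submitted)):
        del _pending[email]  # single use: a replayed code fails
        return True
    return False


def render_page(email, submitted, now=None):
    """Return the form embed only after server-side verification."""
    if verify_code(email, submitted, now):
        return "<h1>Your form</h1>" + FORM_EMBED_HTML
    return "<h1>Enter the code we emailed you</h1>"
```

A real deployment would also set a session after verification and keep the pending codes in a shared store rather than process memory.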
- rwaldenjr Answered on January 21, 2018 at 02:30 PM
That explanation makes no sense, Liyam! Your site is designed to collect users' personally identifying and financial data, but not provide legally-required security measures for that data once provided?!? JotForm may not be designed to display previously-submitted user data. But, you're doing it anyhow by allowing people to Save and Continue Later. Those "unfinished" forms contain private data which is legally required to be securely retrieved!
JotForm authenticates its own users' data. And, it allows authentication of email addresses via its E-mail Validator widget, which they should provide. But, unscrupulous people could just as easily phish by providing bogus email addresses, and steal confidential information by snooping URLs they receive, or inspect hidden source code, if you're that concerned about the company's reputation.
Personally, I think JotForm should make every possible effort to enable its users to validate and authenticate as much of their customers' personal data as possible, if JotForm is to remain a responsible online company amidst a wave of international disgust and legal reforms coming down the pike, led by the U.S. Congress in the wake of the "2016 Russia election meddling" scandal. Companies like yours, and Facebook, and Twitter (etc.), are not going to be allowed to fail to provide appropriate security measures for their users. And, I think the competitive company would get out ahead of this, and market its new security features (including anti-phishing technologies), rather than leave their platforms wide open to such abuse.
Clearly, you're only repeating the company line, which I understand. So, I appreciate you stating it clearly and succinctly. But, I think JotForm is abrogating its responsibility to its users by maintaining this anti-security policy! And, I would like you to register my opinions to your site developers and management, and my reasons why!
Thank you for your time.