New features and improvements – Password management in the Whistleblowing Channel
Password delivery via email has been removed, enhancing credential security across various accesses in the Whistleblowing Channel.
This improvement affects both Back Office users and Whistleblowing Channel communicators, differentiating onboarding and recovery flows based on the user type.
Back Office users
During the onboarding of Back Office users (primary and secondary), the system no longer sends passwords via email.
The user receives an email from which they can securely set their password through a temporary link.
Upon accessing, the system displays the screen to change the password. No changes have been made to the requirements or complexity policies for passwords.
Additionally, the password reset process (“Forgot your password”) for Back Office users has been updated to prevent sending credentials in plain text and to enable secure access recovery.
New communications
Communicator email verification
A new step for email verification of the communicator has been added at the moment of sending the communication.
Before completing the submission, the user must verify their email address through a specific validation screen.
The system sends an email with a 6-digit verification code, valid for a limited time (5 minutes).
Upon entering a valid code, the communicator proceeds to the screen where they can define their username and password, and subsequently access their communication query.
The user and password creation policies are clearly displayed on the screen itself.
Once the process is completed, the communication is successfully sent, and the flow continues with the system's usual behavior.
From now on, if communicators wish to recover their password, they can do so as before.
As detailed in the previous section, they will receive an email with a link to reset their password.
Communicators can recover their password from the Whistleblowing Channel by entering their username and email as before, but the difference is that they will receive an email with a link to set a new password.
Anonymous communications
When the communication is anonymous, email validation is not performed.
In this case, the fields Username, Password, and Repeat password are pre-filled with random values generated by the system, using the current generator, allowing the communicator to modify them if desired before proceeding.
In this way, the communicator can define access credentials for their communication while maintaining anonymity, without needing to verify an email address.