GDPR Security Improvements

Changes coming soon.

Security Improvements

New Password Policy Options

The platform has to date enforced a simple 6 character minimum length password, with a focus on making it easy for users to get started with our service. We’re adding a Password Policy drop-down to the Organisation Setup page which gives you more control over user password requirements. Aside from our default Basic policy, there will be two further options based on current best practice recommendations:

  • NIST SP 800-63
    A phrase-based policy based on the latest recommendations of NIST, which encourages human-friendly passwords that are still hard to crack.
  • OWASP 2017
    A strict policy which favours complex passwords that are hard to crack but also harder for people to remember.

Both of these new policy options will add stronger password security requirements for your user accounts, so consider what is best for you.
For now, our platform will continue to set our Basic 6 character minimum policy as the default on new company accounts, but you can change this at any time. When you change the Password Policy, this will be applied to existing users when they next change their passwords.

Maximum Password Attempts Lockout

We’re adding a temporary lockout feature to user accounts which will be applied when an incorrect password is attempted more than 5 times in a row.  This is based on NIST recommendations and provides better security against brute force password attacks.  For now, this will apply to our web platform, but we’ll be extending this behaviour to app logins within the next few months.

Validation of Passwords Against 10,000 Most Common

We’ve loaded up the 10,000 most common passwords – as found by NIST linked security researchers – and will be blocking users from setting/updating their passwords to be any of these. This enforces NIST and OWASP guidance on preventing users from having easily crackable passwords.

Regenerable Integration API Keys 

When working with our API there has been only one secret Key value per company account, and this Key value was fixed at the date of account creation. We’re adding a second Key which works just the same as the existing one, thus allowing you to rotate between using Key 1 and 2 in your integrations. This also unlocks the ability to regenerate an unused Key at any time, thus enabling you to enact greater security procedures (i.e. key rotation/regeneration) when using our API.

 

New Personal Data Options

We wanted to make it easier for you to export data out of our platform while still being able to meet obligations you may have around personal data. Basic user account information like name and email is also considered to be personal data by default.
For other data that you control, we’re adding a new “Is Personal Data” checkbox into key areas of the platform including Forms, Data Sources and Connectors.

This new checkbox allows you to indicate that a field or column may contain personal/sensitive data.  In of itself, this option does not add any further security or protection, but it enables the platform to offer anonymisation of those data values when exporting.
You’ll notice this through new “Anonymise Personal Data” options that will appear on most system exports and Form Connectors when the presence of personal data has been indicated.

For API users, we adding a new set of “Anonymise” Keys.  These work the same as our existing Full Access keys, with the difference being that any responses to requests authenticated on Anonymise keys will result in personal data values being converted to non-human readable formats.

 

 

EU Move Completed for FormsFly

Moving VanAs planned, the FormsFly cloud’s move to the Netherlands data centre has now been completed successfully.

Users of the FormsFly mobile app will automatically be connected to the new location when they next sync, so long as they are running app version ending 4.46 or greater.

 

Metadata on Company and Users

Metadata

You now have the ability to associate key/value metadata on both the Company/Organisation and User level on our platform.
This enables you to record additional information against these entities, and then access this data in Forms and other areas of the system via new META formula functions.

Adding/Editing Metadata

To get started with adding or editing metadata, simply head over to the “Edit User” and “Organisation Setup” pages in the secure website.
There you will see a new “Metadata” field, which lets you add key/value sets of information.
Don’t forget to hit the Save button to persist your changes :)

Screen Shot 2015-09-07 at 9.19.22 pm

The new metadata is also available right now on our v2 Company and User APIs, so you can programatically get and set metadata values as desired.

Accessing Metadata

To make use of the metadata you have loaded, we’ve added two new formula functions:

  • ORGMETA(‘keyname’)
  • USERMETA(‘keyname’)

Both the above functions will get you the value for the given key name at Organisation and User level respectively.
As this is part of our formula engine, you can make use of these functions anywhere formulae are supported – Form screens, data templates, conditions etc.

 

New External User Auth Functionality

If your users are already maintained in a separate external system, then today’s update is for you!

We have a new option on the Organisation Setup page which allows any Platform Administrator to configure external “pass through” authentication.
This lets your users authenticate against an external system when they log in, avoiding the need to have your user’s passwords stored on our platform.

Once external auth is configured, every time a user logs in (on our website or apps) our system will receive the login request and first ensure the user email is registered on our platform.
Assuming the user email is found, our system will then transparently “pass through” the login credentials to the external service you configured for authentication.
The external service MUST return a 200 HTTP status code to be considered authenticated by our platform; any other response will be deemed a login failure.

Currently HTTP/REST endpoints are supported, we’re looking at adding Active Directory support in the future.
User passwords are never stored on our platform when external auth is configured.

The following placeholders can be used to inject the user’s login details, use these to form a dynamic URL, Headers and/or Body:
{{USEREMAIL}}
{{USERPASSWORD}}
{{ORGID}}

Android Update 1 Available in Preview

IMPORTANT NOTE:

All items described below are considered to be in BETA.

The new features/changes included in this release are:

Title Bar Navigation Text Color option

New option in App Setup page, lets you specify the colour of title bar navigation text (e.g. “Exit”, “Back” etc)

Remember App Logins

New in App Setup page, lets you specify that the app should remember logins for all users of that company account.
This means that after the user’s first initial login, the app will auto-login on subsequent app launches.
Of course users can still log out manually via the Settings screen in the app.

Task Attachments

On the Activities page of Tasks, you can upload files for the user to access on the app.
The new V2 of our Tasks API will include support for Task Files as well as pre-setting answers on the new Table field type in Forms.
Tasks V2 API is due out in the next few weeks.

Push Notifications for Tasks

When a Task is Sent, a push notification will appear on the target user’s registered devices.
This is feature is being switched on progressively across company accounts – we expect full operation by Wednesday.

Download on Demand option for Docs

Previously, Docs were always downloaded to the device when a user had access to them.
This could be heavy on data allowances and often the Docs in question were not needed offline.
Use the Download on Demand option to prevent the pre-emptive downloading of Doc files – when the app user attempts to access the file, it will be downloaded at that point.

Show a Pages tab on Forms

This is a new option in the Title bar part of Form Designer (click on the Title Bar in the design preview to see these options).
When enabled, the app will show a horizontal tab at the top of the Form, with every visible Page name displayed.
Can be useful for quick navigation to Pages, though in complex Forms where Pages are conditionally displayed this may prove confusing for users.

New Table field on Forms

Display a set of captured rows in a tabular format within your Form.
The user can add new rows to the Table, and they can edit existing rows by tapping on the chosen row to enter an editing Page.
In the Form Designer, you define the fields in the Table by dragging fields into the Table field itself.
Control which fields will display as columns by using the “Disable Table Display” property found on fields within the Table.

New “IN” Data Source Filter option on Choices fields

A long requested filter option – allows you to filter a Choices field by looking for all Data Source column values that are found within a given comma or pipe delimited text list of values.

Removed “max 50 column” limit when referencing columns using [] syntax in Forms

For those with larger Data Sources containing more than 50 columns, previously a limit was applied when referring to columns via our [ ] syntax in Form formulae.  This restriction no longer applies.

Settable Background color of horizontal Choices option buttons

Another highly requested improvement, you can now set the “unselected” background of option buttons via the “Option Background Color” property on Choices fields set to use horizontal field layout.

Hosted GET connected Data Sources now display the rows pulled from the given GET url on the Rows page

Key Fixes & “Under the Hood” Improvements

– File downloads to the app have been made more robust and efficient
– Improvements to app handling of timezones in date/time Form fields
– Fix sporadic app crash when no data source sort order is defined
– Fix bug with MIN() formula function returning zero is certain scenarios
– Fix bug with data source filters in certain Form user cases
– Fix Detail screen not refreshing when editing row on Form screen that was access from a field link on said Detail screen
– Fix issues with assigning default or dynamic co-ordinates to Location field in Forms
– Fix bug with Listing screen ordering in cases where not set correctly in Listing Designer