Forms can be protected with various security methods to ensure only the intended recipient can access them. Choosing the right security level balances protection with user convenience.

Security Methods

Penbox offers multiple ways to secure form access:

OTP Email

One-time password sent via email
Security Level: Medium to High

OTP SMS

One-time password sent via SMS
Security Level: High

Password

Username and password protection
Security Level: Medium

Auto Access

Direct access via link
Security Level: Low

OTP Email Security

One-Time Password via Email requires the contact to verify their email address before accessing the form.

How It Works

  1. Contact clicks the form link
  2. System prompts for email verification
  3. One-time code is sent to their email
  4. Contact enters the code
  5. Form becomes accessible
  6. Code expires after use or timeout (typically 10 minutes)

Configuration

{
  "access_security": {
    "otp": {
      "email": {
        "enabled": true,
        "default": true,
        "mandatory": true,
        "template": "otp-email"
      }
    }
  }
}
Properties:
  • enabled: Make this option available
  • default: Use by default when creating forms
  • mandatory: Must be used (can’t be disabled for individual forms)
  • template: Email template to use for sending OTP

When to Use

Good for:
  • Moderate security needs
  • Email verification required
  • Professional/business contexts
  • When you already have email addresses
  • Documents and data collection
Not ideal for:
  • Highest security requirements
  • When contacts may not have email access
  • Time-sensitive forms (email delays)
  • Very short forms (friction may reduce completion)

OTP SMS Security

One-Time Password via SMS requires the contact to verify their phone number before accessing the form.

How It Works

  1. Contact clicks the form link
  2. System prompts for phone verification
  3. One-time code is sent via SMS
  4. Contact enters the code
  5. Form becomes accessible
  6. Code expires after use or timeout
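
The verification steps shared by the email and SMS flows above, sketched server-side as an added example (not Penbox code). The 6-digit code, the in-memory store, the `OtpGate` name and the attempt cap are assumptions; the 10-minute lifetime is the page's typical value.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 600   # the page's "typically 10 minutes"
MAX_ATTEMPTS = 5        # assumed lockout threshold, not a documented Penbox value


class OtpGate:
    """In-memory one-time-code gate keyed by form link id (hypothetical helper)."""

    def __init__(self):
        self._pending = {}  # link_id -> [code_digest, expires_at, failed_attempts]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, link_id, now):
        """Step 3: create a 6-digit code; only its hash is kept server-side."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[link_id] = [self._digest(code), now + OTP_TTL_SECONDS, 0]
        return code  # would be handed to the email or SMS sender

    def verify(self, link_id, submitted, now):
        """Steps 4-6: returns 'ok', 'invalid', 'expired', 'locked' or 'no_code'."""
        entry = self._pending.get(link_id)
        if entry is None:
            return "no_code"
        digest, expires_at, failures = entry
        if now >= expires_at:
            del self._pending[link_id]      # expires on timeout
            return "expired"
        if failures >= MAX_ATTEMPTS:
            return "locked"                 # even a correct code is refused now
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[link_id]      # expires after use
            return "ok"
        entry[2] = failures + 1             # count failed verification attempts
        return "invalid"
```

The failure counter is what makes a short numeric code safe to use: without a cap, the code space can be searched within the validity window.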

Configuration

{
  "access_security": {
    "otp": {
      "sms": {
        "enabled": true,
        "default": false,
        "mandatory": false,
        "text": "Your verification code is: {code}. Valid for 10 minutes."
      }
    }
  }
}
Properties:
  • enabled: Make this option available
  • default: Use by default
  • mandatory: Must be used
  • text: SMS message template (must include {code})
SMS messages must include the {code} placeholder where the actual code will be inserted.

When to Use

Good for:
  • High security requirements
  • Phone number verification needed
  • Financial or sensitive information
  • When email is unreliable
  • Identity verification
Not ideal for:
  • Contacts without mobile phones
  • International users (SMS costs)
  • Areas with poor mobile coverage
  • Budget-sensitive situations (SMS costs money)

Password Security

Password Protection requires a username and password to access the form.

How It Works

  1. Contact clicks the form link
  2. System prompts for username and password
  3. Contact enters credentials
  4. Form becomes accessible
  5. Credentials can be reused (no expiration)

Configuration

{
  "access_security": {
    "password": {
      "enabled": true,
      "default": false,
      "mandatory": false,
      "length": 8,
      "lower": 1,
      "upper": 1,
      "numeric": 1,
      "alpha": 2,
      "login": {
        "username": "client",
        "password": "SecurePass123"
      }
    }
  }
}
Properties:
  • enabled: Make this option available
  • default: Use by default
  • mandatory: Must be used
  • length: Minimum password length
  • lower: Minimum lowercase characters
  • upper: Minimum uppercase characters
  • numeric: Minimum numeric characters
  • alpha: Minimum alphabetic characters
  • login: Default username/password (optional)

Password Requirements

You can enforce password complexity:
Requirement | Description                   | Example
length      | Minimum total characters      | 8
lower       | Minimum lowercase letters     | 1 (a-z)
upper       | Minimum uppercase letters     | 1 (A-Z)
numeric     | Minimum numbers               | 1 (0-9)
alpha       | Minimum alphabetic characters | 2 (a-z, A-Z)
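
A pre-deployment check for the password block, added here as an example (not Penbox code): it applies the five rules from the table to the configured `login.password` and flags the sample value used in this page's configurations. The function names and the ASCII character classes (taken from the table's a-z, A-Z, 0-9) are assumptions.

```python
import string

DOC_SAMPLE_PASSWORDS = {"SecurePass123"}  # sample value shown in this page's configs

CLASSES = {
    "lower": string.ascii_lowercase,    # a-z
    "upper": string.ascii_uppercase,    # A-Z
    "numeric": string.digits,           # 0-9
    "alpha": string.ascii_letters,      # a-z, A-Z
}


def policy_violations(password, policy):
    """Return {rule: (required, actual)} for each rule the password misses."""
    actual = {"length": len(password)}
    for rule, charset in CLASSES.items():
        actual[rule] = sum(ch in charset for ch in password)
    return {
        rule: (policy[rule], actual[rule])
        for rule in actual
        if rule in policy and actual[rule] < policy[rule]
    }


def audit_password_block(block):
    """Findings for one "password" block of access_security."""
    findings = []
    login = block.get("login")
    if login:
        pw = login.get("password", "")
        for rule, (need, got) in policy_violations(pw, block).items():
            findings.append(f"login.password fails {rule}: needs {need}, has {got}")
        if pw in DOC_SAMPLE_PASSWORDS:
            findings.append("login.password is the documentation sample value")
    return findings


# The page's own password block, as a Python dict.
PAGE_BLOCK = {
    "enabled": True, "default": False, "mandatory": False,
    "length": 8, "lower": 1, "upper": 1, "numeric": 1, "alpha": 2,
    "login": {"username": "client", "password": "SecurePass123"},
}
```

The sample password satisfies every complexity rule, which is why the audit checks for it separately: complexity minimums say nothing about whether a value is already published.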

When to Use

Good for:
  • Shared access (multiple people, same credentials)
  • Internal team forms
  • Reusable access
  • Partner portals
  • When you control credential distribution
Not ideal for:
  • Individual verification
  • One-time use
  • High security (passwords can be shared)
  • Forgot password support needed

Auto Access

Automatic Access provides direct access to the form without additional authentication.

How It Works

  1. Contact clicks the form link
  2. Form opens immediately
  3. No additional verification

Configuration

{
  "access_security": {}
}
No security configured means auto access.

When to Use

Good for:
  • Public surveys
  • Feedback forms
  • Low-sensitivity data
  • Maximum convenience
  • High completion rates needed
  • General inquiries
Not ideal for:
  • Personal information
  • Financial data
  • Legal documents
  • Compliance requirements
  • Verification needed
Security Risk: Anyone with the link can access the form. Only use auto-access for non-sensitive information.

Combining Security Methods

You can enable multiple security methods and require specific combinations.

Multiple Options (Choose One)

Allow contacts to choose their preferred verification method:
{
  "access_security": {
    "otp": {
      "email": { "enabled": true, "default": true },
      "sms": { "enabled": true, "default": false }
    },
    "password": { "enabled": true, "default": false }
  }
}
Contact experience:
  • Sees options: “Verify by Email”, “Verify by SMS”, “Use Password”
  • Chooses preferred method
  • Completes that verification

Multiple Requirements (All Required)

Require multiple authentication factors:
{
  "access_security": {
    "otp": {
      "email": { "enabled": true, "mandatory": true }
    },
    "password": { "enabled": true, "mandatory": true }
  }
}
Contact experience:
  • Must enter password first
  • Then must verify email with OTP
  • Both required to access form
Multi-factor authentication (like password + OTP) provides the highest security for sensitive forms.
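
A review helper for the combinations above, added as an example (not Penbox code): it reports whether an `access_security` object results in auto access, a single method, a choice between methods, or all methods required, and checks the SMS template for `{code}`. The function names and mode labels are assumptions, as is the "mixed" case, which the page does not describe.

```python
def enabled_methods(access_security):
    """Flatten the config into {method_name: settings} for enabled methods only."""
    methods = {}
    for channel, cfg in access_security.get("otp", {}).items():
        if cfg.get("enabled"):
            methods[f"otp_{channel}"] = cfg
    pw = access_security.get("password", {})
    if pw.get("enabled"):
        methods["password"] = pw
    return methods


def audit_access(access_security):
    """Return (mode, findings) for one access_security object."""
    methods = enabled_methods(access_security)
    mandatory = [name for name, cfg in methods.items() if cfg.get("mandatory")]
    findings = []
    if not methods:
        mode = "auto_access"
        findings.append("no method enabled: anyone with the link can open the form")
    elif len(methods) == 1:
        mode = "single"
    elif len(mandatory) == len(methods):
        mode = "all_required"
    elif not mandatory:
        mode = "choose_one"
        findings.append("contact picks the method: " + ", ".join(sorted(methods)))
    else:
        mode = "mixed"  # combination not described on the page
        findings.append("mandatory and optional methods combined: test the result")
    sms = methods.get("otp_sms", {})
    if "text" in sms and "{code}" not in sms["text"]:
        findings.append("otp.sms.text lacks the {code} placeholder")
    return mode, findings


# The two configurations from this section, plus one constructed broken template.
CHOOSE_ONE = {
    "otp": {"email": {"enabled": True, "default": True},
            "sms": {"enabled": True, "default": False}},
    "password": {"enabled": True, "default": False},
}
ALL_REQUIRED = {
    "otp": {"email": {"enabled": True, "mandatory": True}},
    "password": {"enabled": True, "mandatory": True},
}
BAD_SMS = {"otp": {"sms": {"enabled": True, "text": "Your code is ready."}}}  # constructed
```

In "choose_one" mode the contact decides which method applies, so the form is only as protected as the weakest method left enabled.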

Security Best Practices

Choose security level based on data sensitivity:
  • High: Financial, health, legal → OTP SMS + Password
  • Medium: Personal info, documents → OTP Email
  • Low: Surveys, feedback → Auto Access or Password
More security = more friction = lower completion rates. Balance security needs with completion goals. Don’t use high security for low-risk forms.
Before sending forms to contacts, test each security method to ensure it works smoothly and emails/SMS are delivered.
In invitation emails, explain why you’re using security measures. This builds trust and reduces confusion.
Track failed verification attempts. Multiple failures may indicate contact issues or security concerns.
If using SMS, have an email backup. Some contacts may not receive SMS or prefer email verification.
For password-protected forms with shared credentials, update passwords regularly and track who has access.

Security Configurations by Use Case

Financial Information

{
  "access_security": {
    "otp": {
      "email": { "enabled": true, "mandatory": true },
      "sms": { "enabled": true, "mandatory": true }
    }
  }
}
Why: Multi-factor authentication for high-value data

Standard Document Collection

{
  "access_security": {
    "otp": {
      "email": { "enabled": true, "default": true, "mandatory": true }
    }
  }
}
Why: Email verification ensures correct recipient

Partner Portal

{
  "access_security": {
    "password": {
      "enabled": true,
      "mandatory": true,
      "login": { "username": "partner", "password": "SecurePass123" }
    }
  }
}
Why: Shared credentials for partner access

Public Feedback Form

{
  "access_security": {}
}
Why: No barriers to completion for low-risk data

Form Expiration

In addition to access security, forms can have expiration dates:
{
  "expires_at": "2024-12-31T23:59:59Z"
}
When a form expires:
  • The form link shows an expiration message
  • Contact cannot submit the form
  • Helps maintain data freshness
  • Creates urgency for completion
Use expiration for:
  • Time-sensitive offers
  • Compliance deadlines
  • Event registrations
  • Limited-time data requests

Custom Domains

Forms can be accessed through custom domains for improved trust:
  • Default: forms.penbox.io/abc123
  • Custom: forms.yourcompany.com/abc123
Benefits:
  • Increased trust and brand recognition
  • Can be whitelisted in corporate networks
  • Matches your email domain
  • Professional appearance
