https://man.liquidfiles.com
LiquidFiles Documentation

Q: I see that it's possible for anyone to register on the Home Page of our LiquidFiles Appliance, isn't that really insecure?

A: It's as insecure as accepting emails from the public Internet on your email system — i.e. not at all.

How User Registration Works

On a default system, when a user registers on the front page, they will be placed in the External Users group. The External Users group can only send messages to your Local Users but not anywhere else, thereby mimicking how emails normally work on the Internet. Almost every email server will accept emails from any other (legitimate) email server.

LiquidFiles is built to be secure by default, and to be as self-administering as possible. In this case, that means you can further tweak this behaviour by using Automatically Assign Users to place users in different groups as needed. So when your own users register, you can set it so that any email that matches "@ourcompany.com" will be placed in the Local Users group. Or you could add a "Partners" group where anyone that registers on your LiquidFiles system with an email matching "@ourpartner.com" will be placed in the Partners group and have different settings than the External Users group.
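
The default group assignment and the External Users sending rule described above, modelled as an added Python example (not LiquidFiles code or its matching logic). The rule table, the Partners and Local Users sending rows, and the function names are assumptions; it shows that a domain rule should match the whole domain after the "@", so a look-alike domain falls back to External Users.

```python
# Added illustration: a model of the registration policy described above.
# Not LiquidFiles code; group names come from the page, the rest is assumed.

# Constructed rule table: exact e-mail domain -> group.
AUTO_ASSIGN = {
    "ourcompany.com": "Local Users",
    "ourpartner.com": "Partners",
}
DEFAULT_GROUP = "External Users"

# Groups each group may send to. The page states only the External Users rule;
# the Partners and Local Users rows are assumptions for this example.
MAY_SEND_TO = {
    "External Users": {"Local Users"},
    "Partners": {"Local Users"},
    "Local Users": {"Local Users", "Partners", "External Users"},
}


def assign_group(email: str) -> str:
    """Return the group for a newly registered address.

    The match is on the whole domain after the '@', case-insensitively,
    so a look-alike such as ourcompany.com.example gets the default group.
    """
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")  # tolerate a trailing-dot FQDN
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not an e-mail address: {email!r}")
    return AUTO_ASSIGN.get(domain, DEFAULT_GROUP)


def may_send(sender: str, recipient: str) -> bool:
    """True if the sender's group is allowed to send to the recipient's group."""
    return assign_group(recipient) in MAY_SEND_TO[assign_group(sender)]


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ("alice@ourcompany.com", "bob@OurPartner.com",
                 "carol@ourcompany.com.example", "dave@example.org"):
        print(f"{addr:32} -> {assign_group(addr)}")
    print(may_send("dave@example.org", "alice@ourcompany.com"))  # external to local
    print(may_send("dave@example.org", "erin@example.net"))      # external to external
```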

But I really want to disable the Registration Button!

There's absolutely no problem with disabling the Registration button on the LiquidFiles Appliance Home Page. There is a setting in Admin → Configuration → Settings that you can use to disable Registration if you want.

images/general/registration.png

The Default Settings for Secure Messages are that messages Expire after 30 days, and the Max Expiration a user can configure is 180 days. The max setting for both is 3650 days, or 10 years.

Registration Alternatives

User Invites by your Local Users

By default, Local Users can Invite Users to Register on your LiquidFiles system. Local Users can do that by using the Settings → Invite User menu option.

images/general/invite_users.png

Users responding to a User Invite follow the same Automatically Assign Users rules as users who register themselves, so by default any invited external user will be placed in the External Users Group.

If you wish to disable this option for your Local Users, please go to Admin → Groups and Edit the Local Users Group. In the Basic Settings Tab there is a setting that controls whether users in this group are permitted to invite users.

Requiring External Users to have Accounts

By default, if you send Secure Messages to external users that don't have accounts on your LiquidFiles system, they will be sent a Temporary User account email that they can use for a period of time to authenticate themselves.

Using Temporary Users is very convenient as it doesn't really require any administration, but if you want to increase the security for external users, for instance by requiring that they use Strong TOTP or SMS 2 Factor Authentication, you will need to set up accounts for external users as well.

If you enable the setting in Admin → Configuration → Settings that requires External Recipients to create accounts, they will have to do so whenever one of your Local Users sends a Secure Message to an External Recipient:

images/general/require_external_user_accounts.png

Summary

As you can see in this article, LiquidFiles offers several options for using accounts for External Users. We believe that the default options offer the best balance between security and convenience, but feel free to adjust your configuration to match your needs.