Welcome to the Onshape forum! Ask questions and join in the discussions about everything Onshape.
First time visiting? Here are some places to start:- Looking for a certain topic? Check out the categories filter or use Search (upper right).
- Need support? Ask a question to our Community Support category.
- Please submit support tickets for bugs but you can request improvements in the Product Feedback category.
- Be respectful, on topic and if you see a problem, Flag it.
If you would like to contact our Community Manager personally, feel free to send a private message or an email.
sharing data and discussing design securely
martin_kopplow
Member Posts: 790 PRO
I have a pretty shy customer. Last time I wanted a CAD model of one of their parts, they sent a guy to bring me a USB stick.
Now, I'd like to share my results with them, but I' can't just share a link that allows anyone with the link to see my data. They wouldn't allow individual employees to sign up for onshape, too. Is there a way to use something that has something on the level of 2-factor auth with an external party who are not yet Onshape users? I guess the'd be okay with it, if it had "2-factor" on the label, and I could give them exclusive access via this.
Comments
Security in this space is about authentication (identifying the correct user) and authorization (describing what they can do). If the user isn't willing to participate in the authentication part by creating an account, it's going to be a challenge to do a secure exchange. It will come down to the equivalent of handing the right person a USB stick.
What format do they want to see your results in?
Hi @john_rousseau
They are not specifying a format, though I know they usually take STEP. My intention, however, is not to just send them a file, like in the old days. I want to share the process and all the thought that has gone into it, as well. So, ideally, I want them to look at my onshape model/drawing, maybe while I have (one of) them on the phone, and I'd like them to be able to discuss it internally after the call, with their staff, while I am not necessarily present to host the meeting (and get on with my job instead).
I have navigated around the first point by sharing my screen in a video conference, but there is more to collaboration than that, right? With less sensible projects, I just sent the head of department a sharing link, so he could summon his staff at any appropriate time and show the current state of the design on their meeting room screen. That has worked out pretty well, with clients and suppliers alike. I would be totally fine if I could do the same, only on a slightly higher security level, like when a shared link was linked to say an individual password or something.
That 'notify me button' has proven to be super useful in the past (when I used a server based file storage system, which I thought was now obsolete), because there is no use in trying to call people before they have actually viewed the info required for a techy talk.
So, if that link sharing dialog looked something like in my above picture, the workflow could be to assign a password for the project, pass it to the person responsible (via a seperate channel), and then go on like before, only they were put in control who could access the information on their end.
Thanks for the info @martin_kopplow. I'm pretty sure we have an IR on file for password-protecting the anonymous link. I don't remember seeing one for the access notification.
Can you open an IR so we can track the need please?
@john_rousseau yes, that would probably be the way. Done it.
To get the best out of Onshape's capabilities, we need to keep the threshold low, for external people to collaborate with us users, while at the same time keeping up a certain level of security measures so they also get clerance to participate.
The strange part of this is that the best way to ensure Authentication & Authorization (as John said is needed for security) is to create an Onshape account.
I think that people sometimes need both "zero-trust" and "full-trust" at the same time, but for the best security, you have to lean in. I totally understand everyone has different threshold for this.
Using a password manager (with built-in 2-factor auth) is easy, fast, and secure for Guest accounts, but only useful if you trust the service you're signing into. For those of us using Onshape regularly, we understand their stance on security, but many others can be very skeptical.
I bet they do their banking online though!
Yes, that's indeed somewhat contradictory, but the world is crazy.
No doubt creating and signing in to an own Onshape account is the best thing to do. But people are reluctant to commit, or their company guidelines require an approval process before whatever accounts may be created. I've been working for such a company myself. Approvals, while aiming to improve security, eventually slow down these things to a level of uselessness that frustrates employees and makes them develop workarounds of their own to circumvent the whole system, just so they can get their job done in time.
That said, we need some low-friction reasonably trustworthy sharing process that does not easily disclose data while nobody gets fired for using it. I think a password protected link sharing would just fit this gap.
Even if a company doesn't have a policy about creating a new account, it's a level of friction that is often a barrier for sharing with many reluctant partners. There are a lot of people out there who will not create a new free account or install a new free app for any random thing.
As far as I can tell, the main reason that Onshape requires an account creation is to possibly sell another seat or seats of Onshape. The last time I shared Onshape files with a customer (who didn't have a paid account) Onshape sales contacted them. It makes some kind of sense, but it also seems obnoxious and desperate.
I would request that Onshape looks very carefully at things like Dropbox or Docusign. Those services work well without account creation, and even if you do create an account the level of nagging and sales BS feels relatively low.