Security Changes in version 2023.1 of Castor Connect
An explainer on changes to how participants access Castor Connect as of release 2023.1
What is changing in version 2023.1 of Castor Connect?
Participants must currently create and use a unique 4-digit PIN to access the Castor Connect app. As of version 2023.1 of Castor Connect, participants will be asked to create a 6-digit PIN and enable native security on their device to access the app. Native security will be the primary method for accessing the app, with the PIN as a back-up.
What is ‘native security’ in this context?
Native security, or device security, refers to the methods used by Android and iOS devices to protect a user’s data. For example, Apple commonly includes Face ID or Touch ID on its devices for biometric authentication via a face scan or fingerprint respectively. Touch ID or pattern recognition is more common on Android devices. These methods of authentication rely either on the user’s biometric data or on a code/pattern the user creates themselves.
Is this personal security information stored or sent anywhere?
No. At no point does the participant’s security data - their fingerprint, facial data, device passcode or otherwise - leave their device during the authentication process. Castor does not and will not store a participant’s device security information in order to facilitate authentication in Castor Connect. The only participant security credential for Castor Connect that Castor stores is the back-up PIN used to access the app, which is kept so that the PIN can be reset remotely.
Why is security changing now?
Castor continues to strongly believe in the future of users participating in studies from the comfort of their own devices (Bring Your Own Device, or BYOD). We also believe in doing so in a secure way that fits with what a participant would expect of a consumer-grade application. The longer PIN requirement expands on the benefits of the existing security method, and native security means we can leverage biometrics to make authentication even more secure, allowing participants to use the security method they are already familiar with on their personal devices.
Does this mean it wasn’t secure before?
Not at all. From a user experience perspective, the new security flow, once enabled, will be very similar to the pre-existing method of accessing the app. Castor feels this is an important step towards ensuring security in the future, as the nature of security threats to personal and mobile devices evolves over time.
How will this be made available to my study participants?
For newly activated participants (i.e., participants who are either activating Castor Connect for the first time, or are re-activating having switched to a new device), when they successfully activate the app, they will be asked to enable native security and then provide a 6-digit personal PIN.
For participants already using the Castor Connect app, when they install the latest version of the app, they will be prompted to submit any/all data currently stored locally and then enable the new security method. Guidance on ensuring the app is updated is available in the Castor Connect Participant User Guide, available on request. Users will not currently be forced to update the app if they do not already have automatic updates turned on.
Practically speaking, what does this mean for my study participants and me as a study clinician?
When a participant opens the app, they will be able to log in using the native security method they have set up for their device. If they have touch/fingerprint access set up for their phone, that very same access will be usable for accessing Castor Connect. As a clinician you will now have the ability to remotely trigger a PIN reset for the participant.
What if native security fails?
If the participant cannot remember their passcode, or another native security method has failed, they will be able to use the PIN they set up on activation to access the app.
What if the participant either does not have or does not enable native security on their device?
The vast majority of, if not all, supported iOS and Android devices actively encourage users to set up some form of native security for their own protection in general use.
If a participant elects not to set up, enable, or use native security, the 6-digit PIN will be available as a back-up or primary means of authentication and accessing the app.
What happens if a participant needs their PIN reset?
When a participant is unable to access the app after attempting to log in multiple times, the system will send a reminder email to any clinicians with both ‘Manage participants’ and ‘Send Email’ permissions for that participant’s site.
An additional ‘Reset participant PIN’ option has been added to the activation management modal in the CDMS for Castor Connect enabled studies, enabling clinicians to trigger the sending of a reset email to the participant.
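The unlock order and reset trigger described in the answers above, modelled as an added Python example (not Castor's code): native security is tried first, the 6-digit PIN is the back-up, and repeated PIN failures disable the PIN and select the clinicians who hold both permissions for the site. Storing the PIN as a salted hash, the threshold of three attempts and the data layout are assumptions; the page only states that the back-up PIN is stored by Castor.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass, field

# Constructed model of the flow on this page: native device security is the
# primary method, the 6-digit PIN is the back-up, and only the PIN is held
# server-side. Hashing, the threshold and the permission layout are assumptions.
MAX_FAILED_ATTEMPTS = 3
REQUIRED_PERMISSIONS = {"Manage participants", "Send Email"}


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the stored value cannot be read back as the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Participant:
    site: str
    pin_salt: bytes = field(default_factory=lambda: os.urandom(16))
    pin_hash: bytes = b""
    failed_attempts: int = 0
    pin_disabled: bool = False  # set after repeated failures until a reset

    def set_pin(self, pin: str) -> None:
        # Used both at activation and after a clinician-triggered reset.
        if not re.fullmatch(r"\d{6}", pin):
            raise ValueError("PIN must be exactly 6 digits")
        self.pin_hash = hash_pin(pin, self.pin_salt)
        self.failed_attempts = 0
        self.pin_disabled = False


def unlock(p: Participant, native_ok: bool, pin: str = "") -> str:
    """One unlock attempt; returns 'native', 'pin', 'denied' or 'locked'."""
    if native_ok:  # primary: biometrics/passcode verified on the device only
        return "native"
    if p.pin_disabled:
        return "locked"
    if pin and hmac.compare_digest(hash_pin(pin, p.pin_salt), p.pin_hash):
        p.failed_attempts = 0
        return "pin"  # back-up method after native security failed
    p.failed_attempts += 1
    if p.failed_attempts >= MAX_FAILED_ATTEMPTS:
        p.pin_disabled = True  # point at which clinicians get the reminder email
        return "locked"
    return "denied"


def clinicians_to_notify(clinicians: dict, site: str) -> list:
    # Only clinicians holding BOTH permissions for the participant's site.
    return sorted(name for name, (c_site, perms) in clinicians.items()
                  if c_site == site and REQUIRED_PERMISSIONS <= set(perms))
```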