Why easy login can create risk in GRC and Conflict of Interest systems 

By Mike Vidoni
Senior GRC Client Executive & Customer Success, CoreStream GRC 

Key takeaways 

• Conflict of Interest disclosures can contain sensitive personal, professional, and financial information. 
• Simplified login methods can create risk if access depends too heavily on possession of a link or access to an email inbox. 
• Weak authentication creates more than a cybersecurity problem. It can undermine auditability, data integrity, regulatory defensibility, and employee trust. 
• Organizations should assess login design against the sensitivity of the data, the permissions granted, and the harm that could follow unauthorized access. 
• Strong authentication does not need to create a poor user experience. The goal is appropriate friction, supported by secure and intuitive design. 

Introduction: When does convenience become a control weakness? 

GRC teams need people to use their systems. A Conflict of Interest process cannot work properly if employees,  or board members struggle to complete disclosures because the process is unnecessarily complicated. 

But login design is not simply a usability decision. It is part of the control environment. 

When a system holds sensitive information, the priority cannot be to make access as easy as possible. A login shortcut can weaken the identity checks the system is supposed to provide. If possession of an emailed link is enough to enter an account, access may be exposed when that link is forwarded, intercepted, opened through a shared inbox, or accessed from an unsecured device. 

The question is not whether a login method feels quick. It is whether the organization can remain confident that the person accessing, submitting, or amending a disclosure is genuinely the person they claim to be. 

The National Institute of Standards and Technology’s Digital Identity Risk Management guidance provides a useful framework. NIST says organizations should assess both the risks that arise from operating an online service and any additional risks introduced by the identity system itself. Its authentication risk model focuses on the harm that can follow when a false claimant gains access to an account that is not rightfully theirs, including an account takeover caused by a stolen or compromised authenticator. 

For Conflict of Interest management, that distinction matters. A disclosure record is only useful if the organization can trust the identity behind it.

Why does Conflict of Interest data deserve careful handling? 

Conflict of Interest disclosures are not low-value administrative records. They can contain sensitive personal, professional, and financial information that employees, physicians, and other stakeholders have been trusted to disclose. 

The exact information collected will depend on the organization and its regulatory environment. However, a disclosure may cover financial interests, outside positions, professional relationships, gifts, travel reimbursements, family interests, ownership interests, and other activities that could influence, or appear to influence, a person’s decisions.  

For example, the National Institutes of Health requires institutions to address relevant financial interests held by investigators, their spouses, and their dependent children. Its guidance refers to:  

• consulting fees,  
• honoraria,  
• paid authorship,  
• equity interests,  
• intellectual property rights,  
• reimbursed or sponsored travel. 

In healthcare, the scale of financial transparency obligations makes the sensitivity of this information especially clear. The Centers for Medicare & Medicaid Services’ Open Payments Report to Congress states that reporting entities collectively reported $13.18 billion in publishable payments and ownership and investment interests for Program Year 2024. This included 16.16 million records attributable to 651,977 physicians, 338,340 non-physician practitioners, and 1,288 teaching hospitals. 

Of that total, $1.34 billion related to ownership or investment interests held by physicians or their immediate family members. The report also covers general payments such as gifts, meals, consulting fees, honoraria, and travel compensation. 

These are not records that should be protected by the weakest possible route into a system. A Conflict of Interest software solution needs to make disclosures manageable for users without treating identity verification as an obstacle to remove. 

What do organizations mean by “easy login”? 

“Easy login” is often used to describe access routes designed to remove steps from the user journey. These may include “magic links”, emailed access links, or other reduced-password routes. 

But fewer steps do not necessarily mean better design. 

A magic link can turn possession of an email or token into the gateway to sensitive records. If the link is forwarded, exposed, accessed through a compromised inbox, or opened on a device used by someone else, the system may not be able to establish with sufficient confidence who is actually behind the account. 

This is why a magic link should not be treated as a harmless usability feature. It is an authentication decision with consequences for security, data integrity, auditability, and trust. 

The OWASP Secrets Management Cheat Sheet explains the underlying risk clearly. When authentication relies on a token, security depends on protecting that token. OWASP warns that tokens are bearer tokens, meaning that anyone who possesses one can use it. 

For a Conflict of Interest system, the practical question is simple: does the login method reliably verify the user’s identity, or does it rely too heavily on access to a link? 

Why do token safeguards not solve the underlying problem? 

A magic link is not a neutral usability feature. It is an authentication decision. 

Technical safeguards can reduce some of the risks associated with link-based access. They do not remove the core problem: the system may still rely too heavily on possession of a link or access to an email inbox, rather than reliable verification of the person behind the account. 

This distinction matters. A link may be securely generated, time-limited, and invalidated after use. But if it is forwarded, exposed through a compromised inbox, opened from a shared mailbox, or accessed on an unsecured device, the system may still grant access to someone other than the intended user. 

The OWASP Forgot Password Cheat Sheet illustrates the level of care required when a URL token is used even for a limited purpose such as resetting a password. OWASP says tokens should be generated securely, be sufficiently long, linked to an individual user, stored securely, invalidated after use, and protected against brute-force attempts. It also recommends HTTPS and measures to prevent referrer leakage. 

These are minimum safeguards for handling a sensitive token. They should not be mistaken for evidence that an emailed magic link provides strong identity assurance for a Conflict of Interest system. 

For organizations managing sensitive disclosures, the better question is not whether a link has been engineered carefully. It is whether the authentication model gives the organization enough confidence that the person accessing, submitting, or changing a record is genuinely the person they claim to be. 

“An audit trail is only as defensible as the identity behind it. If you cannot verify who accessed or changed the record, you have weakened the evidence the system exists to provide.” 

Mike Vidoni, Senior GRC Client Executive & Customer Success, CoreStream GRC 

If an unauthorized person gains access to sensitive records, the organization may face investigation and remediation work, operational disruption, regulatory scrutiny, legal exposure, and reputational damage. For Conflict of Interest teams, there is an additional concern: employees and other stakeholders may become less willing to disclose sensitive information if they do not trust the system used to collect it. 

The financial cost of a data breach can be significant. IBM’s Cost of a Data Breach Report 2025 found that the global average cost of a data breach was $4.44 million. For US organizations, the average reached a record $10.22 million. 

How can authentication choices create regulatory and legal exposure? 

Authentication is not simply a technical setting. It can affect whether an organization is able to demonstrate that sensitive information has been protected appropriately and that the activity recorded in its systems can be trusted. 

This is particularly important in healthcare. Not every Conflict of Interest disclosure will contain electronic protected health information, and the HIPAA Security Rule should not be treated as automatically applying to every Conflict of Interest record. However, healthcare organizations operate in an environment where access controls, auditability, and reliable identity verification are established expectations. 

The HIPAA Security Rule establishes national standards to protect electronic protected health information through administrative, physical, and technical safeguards. These safeguards are intended to support the confidentiality, integrity, and availability of that information. 

The technical safeguards set out in by the Code of Federal Regulations include audit controls that record and examine activity in information systems containing electronic protected health information. They also require procedures to verify that a person or entity seeking access is the one claimed. 

The wider principle is relevant to Conflict of Interest management: where an organization collects sensitive disclosures, access should be attributable to a verified user. A record of activity is less defensible if the authentication method leaves uncertainty about who was actually behind the account. 

Looking beyond: What does this mean beyond healthcare? 

The same principle applies more broadly when a GRC platform processes personal data. 

A system holding sensitive declarations, supporting documents, investigation notes, review decisions, and mitigation plans should not be treated like a low-risk content portal. Organizations need to assess whether access controls are appropriate to the sensitivity of the information and the harm that could follow unauthorized access. 

Where the EU General Data Protection Regulation applies, Article 32 requires controllers and processors to implement technical and organizational measures that provide a level of security appropriate to the risk. It specifically refers to the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, as well as the risks created by unauthorized disclosure of or access to personal data. 

This does not mean that every organization must implement exactly the same authentication model. It does mean that a login shortcut should not be adopted simply because it reduces steps for the user. The organization needs to be able to explain why the access model is appropriate for the information being protected. 

Does stronger authentication need to create more friction? 

Organizations should not have to choose between weak authentication and an unusable Conflict of Interest system. That is a false tradeoff. 

A secure process can still be straightforward for employees, physicians, board members, and other occasional users. The goal is to remove unnecessary barriers without weakening the organization’s confidence in the identity of the person behind the account. 

The NIST Digital Identity Guidelines recognize that a positive authentication experience matters. NIST recommends minimizing unnecessary user burden and authentication friction, such as excessive login prompts or overly complicated steps. It identifies single sign-on (SSO) as 1 way to reduce that burden. 

But reducing friction should not mean removing meaningful identity checks. 

Depending on the sensitivity of the records and the actions a user can perform, a proportionate authentication model may include: 

• Enterprise SSO 
• Multi-factor authentication (MFA) 
• Role-based permissions 
• Additional authentication for sensitive actions 
• Appropriate session timeouts 
• Authentication logging and monitoring 
• Prompt removal of permissions when a user’s role changes 

The OWASP recommends additional authentication for sensitive operations. It also recommends logging and monitoring authentication activity so attacks and failures can be detected and reviewed. 

The NIST guidance reinforces this point. It distinguishes between overall session timeouts and inactivity timeouts and says periodic reauthentication should be used to confirm that the authorized user is still present during an authenticated session. 

The result should be a process that feels simple because it has been designed properly, not because important safeguards have been removed. 

Why does risk-based design matter to user logins? 

Not every user, record, or action creates the same level of risk. 

Viewing a general information page is not the same as submitting a financial disclosure. Amending a declaration is not the same as reading guidance. Approving a mitigation plan or accessing investigation notes may justify stronger controls than completing a routine administrative step. 

A mature authentication model reflects these differences. 

The NIST Digital Identity Risk Management guidance says organizations should consider each user group separately. This assessment should take account of the transactions available to that group, the permissions granted, the underlying data being processed, and the potential harm caused by unauthorized access. 

This does not mean that magic links become appropriate for lower-risk parts of a sensitive disclosure process. It means organizations should begin with a reliable baseline for authentication and apply additional safeguards where the potential impact is greater. 

For example, an organization may require additional authentication when a user: 

• Submits or amends a financial disclosure 
• Accesses supporting documents 
• Reviews sensitive personal information 
• Approves or changes a mitigation plan 
• Opens investigation notes 
• Exports disclosure or audit data 
• Changes another user’s permissions 

The more sensitive the action, the stronger the organization’s evidence should be that the right person performed it.

What should  GRC leaders take from this? 

A well-designed GRC platform should make secure behavior straightforward for users while giving compliance, internal audit, and security teams the evidence they need. 

“The goal is not maximum friction. It is the right friction: enough to protect the user, the organization, and the integrity of the disclosure.” 

Mike Vidoni, Senior GRC Client Executive & Customer Success, CoreStream GRC 

Before selecting or simplifying an authentication model, compliance, security, and procurement teams should agree on the level of risk they are prepared to accept. 

The right questions are not limited to whether the login experience feels quick. They should test whether the access model remains secure, traceable, and defensible when something goes wrong. 

The strongest Conflict of Interest software does not force organizations to choose between security and usability. It gives them the flexibility to build an intuitive process that works for their people while protecting the information they have been trusted to disclose. 

Ready to assess your current approach?es 
Book a Conflict of Interest expert workshop with CoreStream GRC to review your existing process, identify gaps, and explore practical improvements. 

Questions to ask when assessing Conflict of Interest software 

• What information will users be able to view, submit, or amend? 
• Does any access route rely solely on possession of an emailed link or access to an inbox? 
• Is MFA available or required for sensitive actions? 
• Does the system support enterprise SSO? 
• Can authentication strength vary based on the user’s role, permissions, or actions? 
• Can permissions be removed promptly when a user changes role or leaves the organization? 
• Are overall session timeouts and inactivity timeouts applied? 
• Can authentication activity be logged and monitored? 
• Can the organization prove who accessed, submitted, reviewed, and modified a disclosure? 
• Are changes time-stamped and retained in the audit history? 
• Can audit logs be exported for investigations, regulatory reviews, or internal audit? 
• Has the authentication model been assessed against relevant privacy, contractual, regulatory, and certification requirements? 
• Would the access model remain defensible after a breach, internal investigation, or dispute? 

Frequently asked questions for GRC login security