If my clients can approve content without a password, is my content secure?
Yes. Every email that goes out contains a unique security token, which we call a magic token, and it serves as a temporary, one-time password. Gain includes the token in the link; the system authenticates it and logs the user into Gain to review the content. So the content is never actually public.
Once your client logs in, the system immediately invalidates the magic token so no one else can use it again. Additionally, each token has an expiration, meaning the system automatically invalidates it if the approver doesn't use it within a certain number of hours. They can request another magic token to log in at any time, but they cannot use a previous one.
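The token lifecycle described above (unique per email, single use, expiring), shown as an added Python example. It is not Gain's code: the class and method names, the in-memory store, the 4-hour lifetime and the rule that a new request replaces an older unused token are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Assumed lifetime for this sketch; the page only says "a certain number of hours".
TOKEN_TTL_SECONDS = 4 * 3600


class MagicTokenStore:
    """Hypothetical in-memory store of single-use, expiring login tokens."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # sha256(token) -> (approver, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked store does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, approver):
        """Create the token that is embedded in the emailed review link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Assumption: a new request replaces any older unused token for this approver.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != approver}
        self._pending[self._digest(token)] = (approver, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the approver to log in, or None if the token is not valid."""
        # pop() removes the entry on first use, so a replayed link finds nothing.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None  # unknown, already used, or replaced by a newer token
        approver, expires_at = entry
        if self._clock() >= expires_at:
            return None  # expired; the entry has already been removed
        return approver
```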
What happens if someone gains unauthorized access to your client's email account?
If you've ever requested to reset a password for any service on the internet, you've seen that the system sends you an email. This email contains a unique token link to reset the password, a scheme much like the magic token.
So pretty much every secure system used on the internet (including Google or Apple) requires that you keep your email account safe, since anyone who gains access to your inbox can reset passwords for your services.
In this sense, the magic token authorization is just as secure as any password-based authorization system.