Conduct populates the ttWorkflowMessge-EmailTo field with the UserID value. This sets up the workflow in semi-anonymous mode. A workflow link generated using this method is a high security risk: the user can forward the workflow email to anyone on their network, and anyone who clicks the link gains access as that user, with all the access of the original user.
We should set up Conduct just like Compose, where this is driven by a parameter. Only if UseUserIDInWorkflow is checked should we use the UserID in that field; otherwise we should use the user's email address. A workflow generated using the email address will force the user to log in.
This was observed when both Integrated and custom authentication were used.
The 'Support Workflow Authentication' functionality in System Administration is designed to configure whether users are allowed to be automatically logged in with user links: https://dsphelp.syniti.com/721/general/Sys_Admin/Use_Cases/Create_a_Workflow.htm?Highlight=support%20workflow%20authentication