So I'm currently running an analysis task for my company. I won't go into too much detail, but we are dealing with medical records and other confidential data. Previously this application was only used internally, but now a business requirement has come up that would allow external access, letting an unauthenticated user outside of the business view a document once they've completed a sort of handshaking process involving emails and an access code.
So, my question is: should I separate the new requirements into another publicly accessible application, separate from the original application that requires user authentication? The app currently sits on an Angular/.NET/MSSQL stack, so this could require duplicating all or some portions of the stack. What are the things to consider with regard to one app with both public and private access vs. two apps, one for the public and one used internally?