If this is the on-prem K2 environment, you perhaps can enable SQL User Manager (SQLUM) and configure Smartforms to for SQLUM, this will allow users to access form with worklist control and they can action tasks similar to AD users.
Configuring the SQL User Manager
Configure SmartForms for SQL Server User Manager (SQLUM)
You can create Anonymous form for external user to upload documents.
To verify whether it is a valid user taken the action on the given url, you can put a encrypted token in querystring.
This token should have information that need to verify the user on smartform level.
example : customer name, email address, one time pin, expiry date, etc
Token is encrypted stringbase64 urlencoding.
you should send one time pin for user in separate email or other scenario that prevent unauthorized users abused this given url.
you should explicitly set filter filetype allowed to be uploaded to K2 on attachment control and limit the maximum file size.
it’s good if you configure different website for K2 anonymous smarform (the url that given to external user)