When obtaining signatures or approvals from recipients, many agreements demand a higher assurance of authentication than simple email verification. Adobe Sign provides several options for senders to insert a second-factor authentication into the process, establishing a higher confidence level that the person who signs is the intended recipient.

Feature description

Identity verification of a recipient is a key element in obtaining a legal signature.

Adobe Sign uses email as the default first-factor authentication method, which fulfills the requirements for a legal electronic signature under the ESIGN Act. For many customers, this is sufficient for their needs.

However, some customers prefer to add a second-factor authentication to provide an elevated assurance that the intended recipient is properly identified. To this purpose, Adobe Sign provides several options to choose from, depending on the level of assurance deemed appropriate.

Generally speaking, more robust authentication methods insert more "friction" to the signature process, so it is left to the administrator to set the available options that the internal policies dictate are reasonable and appropriate.

The more complex "premium" authentication methods include additional costs per transaction.

Signer authentication methods

  • Email - Email is the default first-factor authentication of a recipient
    • All service levels initially employ this as the default authentication method
  • Password - An alphanumeric password is supplied by the sender while configuring the agreement that the signer must enter
    • Available to all service levels
    • Unique alphanumeric password set per recipient
    • Passwords are not exposed in the agreement records, nor are they recoverable after the agreement is sent
  • Social - The signer is required to authenticate to one of the allowed third-party services
    • Available to business and enterprise level accounts only
  • Adobe Sign authentication - The signer is required to authenticate to Adobe Sign
    • Available to enterprise level accounts only
    • Must be enabled on the back end by your success manager


"Premium" signer authentication methods

Premium authentication methods may incur additional per recipient costs. Contact your sales or success manager for details.

  • Knowledge-based (KBA) - The signer is required to answer several randomly selected questions pulled from public databases
    • Available to business and enterprise level accounts only
    • 50 free authentications per year
      • Additional per recipient cost if more than the original 50 are desired
    • Applicable to US recipients only
  • Phone (SMS) - A verification code is sent to the recipient's phone number
    • Available to enterprise level accounts only
    • Recipient phone number must be provided when the agreement is being created
    • 50 free authentications per year
      • Additional per recipient cost if more than the original 50 are desired
  • Government ID - The recipient must provide an acceptable government-issued ID and selfie
    • Available to enterprise level accounts only
    • Additional per recipient cost that must be enabled before the option can be exposed in the Admin UI


How it's used

The Sender's perspective

Senders can select an authentication method from a drop-down menu just to the right of the recipient's email address.

The list of available options is limited by the admin, and the default value can also be set (see Configuration). 

It is also possible to set different authentication methods per recipient. This is particularly valuable if you have internal counter-signers that don't require a high-friction authentication method (like KBA or Government ID).


Selecting the authentication method is a simple click and select process with two exceptions:

  • Password authentications require the sender to type in the password (twice)
    • Passwords are alphanumeric only; special characters are not permitted
    • The sender must communicate the password to the recipient through some external channel (sending it in the same email as the signing link would collapse the second factor into the first)
    • The password is not stored in clear text anywhere in the application. If the password is lost, it cannot be recovered or reset; the agreement must be canceled and re-sent
  • Phone authentication requires that a phone number for the recipient be provided
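The sender-side rules just listed (a password is supplied by the sender and must be alphanumeric, a phone number must accompany Phone authentication, and the method can differ per recipient) can be enforced before a request ever leaves your system. The Python below is an added example, not Adobe's code or part of this page: it builds a request body in the shape of the Adobe Sign REST API v6 participantSetsInfo / securityOption fields. The field names, the authenticationMethod enum values and the phoneInfo layout are assumptions to be confirmed against the API reference for your account; the email addresses and document id are constructed placeholders.

```python
import json
import re

# authenticationMethod values in the shape of the Adobe Sign REST API v6
# securityOption object (assumed here; confirm against the API reference).
AUTH_METHODS = {"NONE", "PASSWORD", "WEB_IDENTITY", "ADOBE_SIGN", "KBA", "PHONE", "GOV_ID"}

# Agreement passwords are alphanumeric only (no special characters).
PASSWORD_RE = re.compile(r"^[A-Za-z0-9]+$")


def security_option(method, password=None, country_code=None, phone=None):
    """Build one recipient's securityOption and enforce the sender-side rules:
    PASSWORD needs an alphanumeric password, PHONE needs a number at send time,
    and the other methods take no extra data."""
    if method not in AUTH_METHODS:
        raise ValueError(f"unknown authentication method {method!r}")
    option = {"authenticationMethod": method}
    if method == "PASSWORD":
        if not password or not PASSWORD_RE.match(password):
            raise ValueError("agreement password must be non-empty and alphanumeric")
        option["password"] = password
    elif method == "PHONE":
        if not (country_code and phone):
            raise ValueError("PHONE authentication requires countryCode and phone")
        option["phoneInfo"] = {"countryCode": country_code, "phone": phone}
    elif password is not None or phone is not None:
        raise ValueError(f"{method} takes neither a password nor a phone number")
    return option


def participant_set(email, order, role, option):
    """One signing step: a single member with its own authentication method."""
    return {"memberInfos": [{"email": email, "securityOption": option}],
            "order": order, "role": role}


def build_agreement(name, transient_document_id, participant_sets):
    return {"fileInfos": [{"transientDocumentId": transient_document_id}],
            "name": name,
            "participantSetsInfo": participant_sets,
            "signatureType": "ESIGN",
            "state": "IN_PROCESS"}


def redact(body):
    """Deep copy with passwords masked, for logging. The password travels to the
    recipient over a separate channel and must never land in application logs."""
    copy = json.loads(json.dumps(body))
    for ps in copy["participantSetsInfo"]:
        for member in ps["memberInfos"]:
            if "password" in member["securityOption"]:
                member["securityOption"]["password"] = "***"
    return copy


def example_request():
    """Constructed example: an external signer is challenged by SMS, while the
    internal counter-signer only has to log in to Adobe Sign."""
    sets = [
        participant_set("customer@example.com", 1, "SIGNER",
                        security_option("PHONE", country_code="+1", phone="5551234567")),
        participant_set("counsel@example.com", 2, "SIGNER",
                        security_option("ADOBE_SIGN")),
    ]
    return build_agreement("Master Services Agreement",
                           "transient-doc-id-placeholder", sets)


if __name__ == "__main__":
    print(json.dumps(redact(example_request()), indent=2))
```

Only the redacted copy should reach logs or ticketing systems; the page's point that the password is not recoverable once sent only holds if your own integration does not keep a second copy.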

Signing via email authentication

Signing via the email link is the default process for all transactions. Reading a mailbox requires authenticating to it, so possession of the recipient's mailbox is treated as proof of identity. That assurance is only as strong as the recipient's control of the mailbox: anyone who can read the message, or who receives a forwarded copy, can open the same link.

If no second-factor authentication is applied, clicking the email link will open the agreement content directly giving the recipient full access to the documents sent for their review.


Note:

Agreements that are secured with second-factor authentication mask the document thumbnail.

The audit report only records a successful e-signature.


Signing via password

Signing an agreement with a password configured as the second-factor authentication starts with the email link.

Once the link is clicked, the recipient is challenged with the password interface.


An email link is provided (under the name of the sender) if the recipient needs to contact the sender to obtain the password.

If the recipient fails to enter the password correctly the allowed number of times (five by default; the limit is set under Password options on the Security Settings page), the agreement is canceled.

  • The sender is notified that the agreement was canceled with a note that the recipient failed to provide the correct signing password.

Once the password is successfully entered, the recipient is given full access to the content.

 

The audit report indicates that the password was successfully entered.



Signing via social (web) identity authentication

Social-identity (or "web") authentication requires signers to log in to a third-party web service successfully.

  • Google, LinkedIn, and Facebook are the default options, though the account admin can request that other options be enabled

The signer can select any of the service options made available:


Once the service is selected, a window to that service's log in screen is opened.

The recipient authenticates to the service using the correct credentials for that service.

  • This process takes place entirely within the authority of the third-party service. No part of this authentication process takes place in Adobe Sign space, and the credentials are not captured

Once a signer successfully authenticates, the service reports back to Adobe Sign that the authentication was successful, and that success is captured as valid identity verification.


Some content is passed back to Adobe Sign at this time to update the Audit report. For example, LinkedIn will insert the Name value from the account into the signature field, and insert a link in the audit report that points to the authenticating LinkedIn profile.



Signing via Adobe Sign authentication

Adobe Sign authentication requires the signer to enter their Adobe Sign credentials to authenticate to the agreement.

This process is similar to the social authentication method above, but the only option for authentication is Adobe Sign. 

  • This is very useful for internal authentication processes where you know the recipient has an Adobe Sign account
  • If the recipient does not have an Adobe Sign password, they will be required to register their email address (to establish their password) before they can access the agreement

By default, the authentication panel inserts the email address of the recipient.

  • You can contact your Success Manager to have the default changed to leave the email field empty.

The audit report clearly indicates that the recipient was verified with Adobe Sign authentication.



Knowledge-based authentication

Knowledge-based authentication is a high-level verification used mainly in financial institutions and other scenarios that demand a strong assertion of the signer's authenticity.

The signer is first prompted to enter personal information that the KBA application uses to gather several customized, nontrivial questions from their past (using public databases). Each question must be answered correctly to gain access to the agreement.

The recipient has a limited number of attempts to answer the questions correctly, or the agreement will be canceled and the sender will be notified.

Adobe provides this feature through a partnership powered by InstantID Q&A from LexisNexis Risk Solutions.

Learn more about LexisNexis Identity Verification.

The successful KBA identity verification is then logged in the audit report, including the authentication token from LexisNexis.



Phone authentication

Phone authentication delivers a five-digit code to the recipient's phone, which must be entered before the agreement is exposed.

  • The phone number must be entered during the creation of the agreement
  • If the recipient delegates their signature authority, they will be asked to provide a valid phone number for the new recipient. A correct phone number must be provided or authentication will ultimately fail
  • The recipient has the option to select a Text Message (for phones that can receive text messages) or a Voice Call (if a text-enabled phone isn't available)
    • The authentication code is valid for ten minutes after it is delivered
  • Only the last four digits of the phone number are exposed. If the recipient identifies that the phone number is not correct, there is an email link under the sender's name to facilitate contact

Once the recipient clicks the Send Code button, the page refreshes to allow the input of the access code.

  • The recipient has a limited number of attempts to enter the correct code (five by default; the limit is configurable on the Security Settings page).
  • If the recipient exhausts the allowed attempts, the agreement is canceled, and the sender is notified.

The audit report clearly identifies that a phone number was used for verification. 

  • Only the last four digits of the phone number are exposed


Government ID

Note:

Government ID is currently in limited release.

Contact your success manager if you would like to discuss gaining access to this new feature.

Government ID authentication uses a recipient-supplied image of a government-issued document, along with a selfie, to establish a strong verification record.

The documents supported are :

  • Global Passport
    • All ICAO-compliant passport books
  • Driver license / National ID
    • United States of America
    • Great Britain
    • Canada
    • France
    • Ireland
    • Italy
    • Netherlands
    • Spain

Once the email link is clicked, the recipient is prompted to provide the number of a smartphone. The image-capture application runs on that phone; it is what collects the ID images that are then checked against the government database.

  • There is a 15-minute time limit to complete the verification process, starting once the email link is clicked.
  • Once the text message is sent, a blue message appears indicating the message is sent; the link in that message expires after five minutes.

On the smart phone, a text message is delivered with a link.

Once the link is clicked, the recipient is given the option to authenticate with either a Driver License / ID card or a Passport.

When using a driver's license or ID card, the app will prompt the recipient to take an image of:

  • The front of the card
  • The back of the card
  • Themselves

If using a Passport, only one image of the passport is required.


During the process of gathering and verifying the document content, the original notification page displays a status message that the details are being verified.


The content on the card is scanned and the government database is queried to ensure the ID is genuine.

The selfie image is then compared to the image on the document to provide a real time match of the recipient to the document.

Once both steps are successfully completed, the recipient is granted access to the agreement.

  • The name of the recipient as presented on the ID is imported into the signature field and cannot be edited

The recipient has five attempts to successfully verify using their ID. If they fail five times, the agreement is canceled, and the sender is notified.

 

The audit report clearly indicates that the recipient was verified with a government ID.



Configuration options

Options for general access to authentication options

A quick word about configuring internal recipients

There are two sections with similar controls on the Send Settings page.

  • The upper group of controls establishes the "general" access rules
  • The lower group allows for a different set of rules to be applied to your "internal recipients"
    • Internal recipients are defined as any recipient (email address) within your Adobe Sign account
      • Note that this does not necessarily include all of the people at your company
      • Recipients in a different Adobe Sign account are not "internal" from the application's perspective, even if they are in your company and share an email domain

Configuring internal recipients with a different authentication method (e.g. Adobe Sign authentication) has benefits:

  • There is less frustration for your signers
  • A less complex signature process accelerates signing for recipients that might have to counter-sign many agreements
  • The per-recipient costs of premium authentication can be avoided for internal counter-signers

 

General access controls

There are three general access controls:

  • Require senders to specify one of the enabled authentication methods - When enabled, Email will be removed from the list of authentication methods. One of the second-factor authentication methods must be selected
    • You will be required to select a default authentication method
  • By default, use the following method - Establishes the default method inserted when a recipient is added to an agreement
  • Allow senders to change the default authentication method - If enabled, the sender will have the option to select any method enabled from a drop down list 
    • When disabled, only the default method of authentication can be used

Internal recipient controls

There are also three controls related to internal recipients:

  • Enable different identity authentication methods for internal recipients - When enabled, internal recipients will apply different authentication rules
  • By default use the following method - Establishes the default method for internal recipients
  • Allow senders to change the default authentication method - Grants the sender the authority to change the default authentication method to any other option enabled by the admin
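The general and internal control groups above interact in a way that is easy to get wrong, especially the point that "internal" means a member of your Adobe Sign account rather than anyone sharing your email domain. The Python below is an added example, not Adobe's code or part of this page: it models the six controls and resolves, for a given recipient address, which methods the sender's drop-down would offer and which is preselected. The method labels, the account-membership list and the example addresses are constructed assumptions, and the resolver reflects the behaviour described above rather than Adobe's implementation.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set


@dataclass
class AccessControls:
    """One group of Send Settings controls (general or internal)."""
    enabled: Set[str]            # second-factor methods switched on for this group
    require_second_factor: bool  # "Require senders to specify one of the enabled authentication methods"
    default: str                 # "By default, use the following method"
    allow_change: bool           # "Allow senders to change the default authentication method"


@dataclass
class SendSettings:
    general: AccessControls
    # None means "Enable different identity authentication methods for internal
    # recipients" is off, so everyone is governed by the general controls.
    internal: Optional[AccessControls] = None
    # Members of THIS Adobe Sign account (lower-cased). A colleague in a
    # different Adobe Sign account is external even with the same domain.
    account_emails: FrozenSet[str] = frozenset()

    def is_internal(self, email: str) -> bool:
        return email.strip().lower() in self.account_emails

    def controls_for(self, email: str) -> AccessControls:
        if self.internal is not None and self.is_internal(email):
            return self.internal
        return self.general


def offered_methods(controls: AccessControls) -> List[str]:
    """Methods the sender's drop-down shows for a recipient under `controls`.
    EMAIL is always present unless the admin requires a second factor."""
    methods = set(controls.enabled) | {"EMAIL"}
    if controls.require_second_factor:
        methods.discard("EMAIL")
    if controls.default not in methods:
        # The admin UI forces a valid default; a config export that breaks
        # this rule should be rejected rather than silently fall back.
        raise ValueError(f"default {controls.default!r} is not an enabled method")
    if not controls.allow_change:
        return [controls.default]
    return sorted(methods)


def sender_options(settings: SendSettings, email: str) -> dict:
    """What a sender sees when adding `email` as a recipient."""
    controls = settings.controls_for(email)
    return {
        "recipient": email,
        "internal": settings.is_internal(email),
        "default": controls.default,
        "offered": offered_methods(controls),
    }


if __name__ == "__main__":
    # Constructed policy: externals must use a premium or password factor,
    # account members just log in to Adobe Sign.
    general = AccessControls({"PASSWORD", "KBA", "PHONE"}, True, "PHONE", True)
    internal = AccessControls({"ADOBE_SIGN"}, False, "ADOBE_SIGN", False)
    settings = SendSettings(general, internal, frozenset({"counsel@example.com"}))
    for addr in ("customer@example.com", "counsel@example.com", "newhire@example.com"):
        print(sender_options(settings, addr))
```

In the constructed policy, newhire@example.com shares the company domain but is not in the account's member list, so the resolver correctly applies the general (external) rules to them; that is the case the note above warns about.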

Password options

The agreement signing password has three control options that can be configured by the admin on the Security Settings page:

  • Restrict number of attempts - Enabled by default. If disabled, then recipients can try to enter the password an unlimited number of times 
    • Allow Signer XX attempts to enter the agreement password before cancelling the agreement - The admin can enter any number to limit the number of attempts to authenticate. Once the number of attempts is crossed, the agreement will automatically cancel and notify the sender
  • Agreement Signing Password Strength - Defines the complexity of the password that must be entered when the sender is creating the agreement

Note:

The options to configure the security settings are only visible if the authentication method is enabled on the Send Settings page.


Social options

By default, only three web identity options are available:

  • Google
  • LinkedIn
  • Facebook

Enterprise customers can request their success manager to enable any of the below options:

  • Yahoo
  • Twitter
  • Microsoft LiveID

Adobe Sign authentication options

By default, the Adobe Sign authentication method will insert the email address of the recipient into the authentication window.

If desired, your success manager can disable this auto-population, leaving the email field empty for the recipient to fill.

KBA options

Knowledge-based authentication has three configurable options that can be found on the Security Settings page:

  • Restrict number of attempts - Enabled by default. If disabled, then recipients can try to authenticate an unlimited number of times 
    • Allow Signer XX attempts to validate their identity before cancelling the agreement - The admin can enter any number to limit the number of attempts to authenticate. Once the number of attempts is crossed, the agreement will automatically cancel and notify the sender
  • Knowledge Based Authentication difficulty level - Defines the complexity of the validation process:
    • Default - Signers will be presented with 3 questions and will be required to answer them all correctly. If they only answer 2 correctly, they will be presented with 2 more questions and will be required to answer them both correctly
    • Hard - Signers will be presented with 4 questions and will be required to answer them all correctly. If they only answer 3 correctly, they will be presented with 2 more questions and will be required to answer them both correctly

Note:

The options to configure the security settings are only visible if the authentication method is enabled on the Send Settings page.


Phone options

Phone authentication allows the admin to configure the number of failed attempts allowed before the agreement is canceled.

This setting can be configured on the Security Settings page.
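The Password, KBA and Phone options above share one control, "Restrict number of attempts", and the KBA options add a difficulty rule with a follow-up round. The Python below is an added example, not Adobe's or LexisNexis's code and not part of this page: it models that attempt limit as a small state machine that cancels the agreement and queues a sender notification when the limit is crossed, and applies the Default and Hard KBA rules exactly as described above. The state names, notification text and the five-attempt default are assumptions; the question counts come from the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# KBA difficulty levels as described above:
# (initial questions, correct answers that earn a follow-up round, follow-up questions)
KBA_LEVELS = {
    "DEFAULT": (3, 2, 2),
    "HARD": (4, 3, 2),
}


def kba_round_outcome(level: str, initial_correct: int,
                      followup_correct: Optional[int] = None) -> str:
    """Apply the difficulty rule to one KBA session.
    Returns PASS, FAIL, or FOLLOW_UP when two more questions are still owed."""
    initial, threshold, followup = KBA_LEVELS[level]
    if not 0 <= initial_correct <= initial:
        raise ValueError("initial_correct out of range")
    if initial_correct == initial:
        return "PASS"
    if initial_correct != threshold:
        return "FAIL"
    if followup_correct is None:
        return "FOLLOW_UP"
    return "PASS" if followup_correct == followup else "FAIL"


@dataclass
class AgreementAuthGate:
    """Attempt limiter modelled on the 'Restrict number of attempts' control.
    With restrict=False the recipient may keep trying without limit."""
    max_attempts: int = 5          # assumed default; the admin sets the real value
    restrict: bool = True
    failures: int = 0
    state: str = "OUT_FOR_SIGNATURE"
    notifications: List[str] = field(default_factory=list)

    def record(self, success: bool, method: str) -> str:
        """Record one authentication attempt and return the agreement state."""
        if self.state != "OUT_FOR_SIGNATURE":
            return self.state            # canceled or already authenticated
        if success:
            self.state = "AUTHENTICATED"
            return self.state
        self.failures += 1
        if self.restrict and self.failures >= self.max_attempts:
            self.state = "CANCELED"
            self.notifications.append(
                f"Agreement canceled: recipient failed {method} "
                f"{self.failures} times")
        return self.state


def run_kba_session(gate: AgreementAuthGate, level: str, initial_correct: int,
                    followup_correct: Optional[int] = None) -> str:
    """One KBA session against the gate; a FOLLOW_UP does not consume an attempt."""
    outcome = kba_round_outcome(level, initial_correct, followup_correct)
    if outcome == "FOLLOW_UP":
        return outcome
    return gate.record(outcome == "PASS", "knowledge-based authentication")


if __name__ == "__main__":
    gate = AgreementAuthGate(max_attempts=5)
    for _ in range(5):
        print(run_kba_session(gate, "DEFAULT", 1))   # fails until CANCELED
    print(gate.notifications)
```

The same gate applies to the agreement password: with "Restrict number of attempts" disabled, an alphanumeric password can be guessed without limit, which is why the default leaves the restriction on.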

Note:

The options to configure the security settings are only visible if the authentication method is enabled on the Send Settings page.


Note:

Phone authentication affords the user the option to customize the SMS message and insert the company name from the sender's profile in place of "Adobe Sign". See here for more details

Government ID options

Note:

Government ID is currently in limited release.

Contact your success manager if you would like to discuss gaining access to this new feature.

Access to Government ID authentication requires that a contract be in place for a specific annual volume of recipients. Until this is configured on the back-end, the option is not visible in the administrators interface.

The number of attempts a recipient is allowed to verify their identity is five by default. This number can be adjusted up or down upon request to your success manager.


How to enable or disable

The default email verification process for standard agreements cannot readily be disabled through the user interface.

Widgets are the exception (see below).

Enterprise customers that already satisfy their authentication requirements through an external process can explore alternatives (such as the API) with their success manager.

Second-factor authentication methods are enabled or disabled through the administrator's interface: Account Settings > Send settings



Disable Widget email verification

Widgets are employed in a multitude of unique use cases, and frequently there is a diminished demand for strongly enforced recipient authentication.  

For accounts that do not need to authenticate widget signatures, the option to disable email verification can be configured by navigating to: Account Settings > Signature Preferences > Widget Email Verification

Note:

This setting only disables the email verification of the signature.

  • This setting applies to all Widgets within the account or group where the setting is defined.

If a password is enabled to grant access to the Widget, that security gate is not impacted.

