Use identity authentication methods

Signing an agreement with a password installed as the second-factor authentication starts with the email link.

Once the link is clicked, the recipient is challenged with the password interface.

An email link is provided (under the name of the sender) if the recipient needs to contact the sender to obtain the password.

If the recipient fails to enter the password correctly five times, the agreement will be canceled.

• The sender will be notified that the agreement was canceled with a note that the recipient has failed to provide the correct signing password.

Once the password is successfully entered, the recipient is given full access to the content.

The audit report indicates that the password was successfully entered.

Social-identity (or "web") authentication requires signers to log in to a third-party web service successfully.

• Google, LinkedIn, and Facebook are the default options, though the account admin can request that other options be enabled

The signer can select any of the service options made available:

Once the service is selected, a window to that service's log in screen is opened.

The recipient authenticates to the service using the correct credentials for that service.

• This process takes place entirely within the authority of the third-party service. No part of this authentication process takes place in Adobe Sign space, and the credentials are not captured

Once a signer successfully authenticates, the service reports back to Adobe Sign that the authentication was successful, and that success is captured as valid identity verification.

Some content is passed back to Adobe Sign at this time to update the Audit report. For example, LinkedIn will insert the Name value from the account into the signature field, and insert a link in the audit report that points to the authenticating LinkedIn profile.

Adobe Sign authentication requires the signer to enter their Adobe Sign credentials to authenticate to the agreement.

This process is similar to the social authentication method above, but the only option for authentication is Adobe Sign. 

• This is very useful for internal authentication processes where you know the recipient has an Adobe Sign account
• If the recipient does not have an Adobe Sign password, they will be required to register their email address (to establish their password) before they can access the agreement

By default, the authentication panel inserts the email address of the recipient.

• You can contact your Success Manager to have the default changed to leave the email field empty.

The audit report clearly indicates that the recipient was verified with Adobe Sign authentication.

Knowledge-based authentication is a high-level verification used mainly in financial institutions and other scenarios that demand a strong assertion of the signer's authenticity.

The signer is first prompted to enter personal information that the KBA application uses to gather several customized, nontrivial questions from their past (using public databases). Each question must be answered correctly to gain access to the agreement.

The recipient has a limited number of attempts to answer the questions correctly, or the agreement will be canceled and the sender will be notified.

Adobe provides this feature through a partnership powered by InstantID Q&A from LexisNexis Risk Solution.

Learn more about LexisNexis Identity Verification.

The successful KBA identity verification is then logged in the audit report, including the authentication token from Lexis Nexis.

Phone authentication delivers a five digit code to the recipients mobile phone which must be entered for the agreement to be exposed.

• The phone number must be entered during the creation of the agreement
• If the recipient delegates their signature authority, they will be asked to provide a valid phone number for the new recipient. A correct phone number must be provided or authentication will ultimately fail
• The recipient has the option to select a Text Message (for smart phones that can receive text messages) or a Voice Call (if a text enabled phone isn't available)
  • The authentication code is valid for ten minutes after it is delivered
        
    
• Only the last four digits of the phone number are exposed.  If the recipient identifies that the phone number is not correct, there is an email link under the senders name to facilitate contact

Once the recipient clicks the Send Code button, the page refreshes to allow the input of the access code.

• The recipient has five attempts to enter the correct code.
• If the recipient fails five times, the agreement will be canceled, and the sender will be notified.

The audit report clearly identifies that a phone number was used for verification. 

• Only the last four digits of the phone number are exposed

Government ID authentication uses a recipient supplied image of a government-issued document, along with a selfie, to establish a strong verification record.

The documents supported are :

• Global Passport
  • All ICAO-compliant passport books
• Driver license / National ID
  • United States of America
    
  • Great Britain
  • Canada
  • France
  • Ireland
  • Italy
  • Netherlands
  • Spain

Once the email link is clicked, the recipient is prompted to provide a phone number to a smart phone. This is required for the image capturing application that will compare the ID to the government database.

• There is a 15 minute time limit to complete the verification process that starts once the email link is clicked.
• Once the text message is sent, a blue message appears indicating the message is sent, and the link in that message has a five minute expiration.

On the smart phone, a text message is delivered with a link.

Once the link is clicked, the recipient is given the option to authenticate with either a Driver License / ID card or a Passport.

When using a driver's license or ID card the app will prompt the recipient to take an image of:

• The front of the card
• The back of the card
• Themselves

If using a Passport, only one image of the passport is required.

During the process of gathering and verifying the document content, the original notification page displays a status message that the details are being verified.

The scanned Govt ID is authenticated in real time by validating dozens of elements within the document, including:

• Document structure
• Biographical data
• PDF417 barcode (if applicable)
• Machine readable zone (if applicable)
• Security features
• Photo zone
• Signature

The selfie image is then compared to the image on the document to provide a real time match of the recipient to the document.

Powered by advanced machine learning algorithms, Adobe Sign’s Government ID process empowers companies across the globe with the ability to authenticate the identity of their digital users to become trusted signers; anytime, anywhere.

Layer 1:

The first layer of technology provides a seamless and secure method to validate an identity document presented in a digital transaction; ensuring the document is both genuine and unaltered.

Combining a best-in-class capture experience with a proven ID document verification engine ensures trusted digital identity proofing with a seamless user experience.

Government ID verification is available for all Latin-based languages and supports thousands of international and domestic identity documents including:

• Passports
• ID Cards
• Driver’s Licenses

To achieve reliable results, the service delivers each of the following:

• Guided document capture - Users are instructed how to take a quality photo for optimal processing
• Document classification – “Computer vision” algorithms recognize and classify thousands of government-issued documents, allowing for reliable data extraction and document validation
• Data extraction - Going beyond simple optical character recognition, this service deconstructs the document and analyzes the content of each field
• Evaluation of authenticity elements - A combination of artificial intelligence techniques validate dozens of elements within the identity document, including:
  • Document structure - Physical attributes of the ID document are evaluated for correct size, material, shape, color, layout, etc.
  • Biographical data - Printed data that identifies the individual is evaluated for font usage, color, acceptable values, etc.
  • PDF417 barcode (if applicable) - OCR results of the biodata from the front are compared with the data extracted from the PDF417 barcode at the back
  • Machine readable zone (if applicable) - The Machine Readable Zone (MRZ) printed area is checked for font usage, presence, check digits, etc.
  • Security features - Both visual and invisible security features of the ID are checked for presence, position, content, etc.
  • Photo zone - Portrait, or main picture, is evaluated for having a human face, orientation, color, etc.
  • Signature - The signature section is checked for presence, font type, matching with known samples, etc.

Layer 2:

A second layer of authentication matches the portrait extracted from the ID document with a "selfie" from the user through a biometric facial comparison; affirming that the user submitting the ID document is its rightful owner.

Anti-spoofing techniques

• Video frame analysis is used to ensure the user can take a quality selfie in optimal capture conditions
• Lighting, focus, and alignment are some of the conditions evaluated

The agreement signing password has three control options that can be configured by the admin on the Security Settings page:

• Restrict number of attempts - Enabled by default. If disabled, then recipients can try to enter the password an unlimited number of times 
  • Allow Signer XX attempts to enter the agreement password before cancelling the agreement - The admin can enter any number to limit the number of attempts to authenticate. Once the number of attempts is crossed, the agreement will automatically cancel and notify the sender
• Agreement Signing Password Strength - Defines the complexity of the password that must be entered when the sender is creating the agreement

By default, only three web identity options are available:

• Google
• LinkedIn
• Facebook

Enterprise customers can request their success manager to enable any of the below options:

• Yahoo
• Twitter
• Microsoft LiveID

By default, the Adobe Sign authentication method will insert the email address of the recipient into the authentication window.

If desired, your success manager can disable this auto-population, leaving the email field empty for the recipient to fill.

Knowledge-based authentication has three configurable options that can be found on the Security Settings page:

• Restrict number of attempts - Enabled by default. If disabled, then recipients can try to authenticate an unlimited number of times 
  • Allow Signer XX attempts to validate their identity before cancelling the agreement - The admin can enter any number to limit the number of attempts to authenticate. Once the number of attempts is crossed, the agreement will automatically cancel and notify the sender
• Knowledge Based Authentication difficulty level - Defines the complexity of the validation process:
  • Default - Signers will be presented with 3 questions and will be required to answer them all correctly. If they only answer 2 correctly, they will be presented with 2 more questions and will be required to answer them both correctly
  • Hard - Signers will be presented with 4 questions and will be required to answer them all correctly. If they only answer 3 correctly, they will be presented with 2 more questions and will be required to answer them both correctly

Phone authentication allows the admin to configure the number of failed attempts allowed before the agreement is canceled.

This setting can be configured on the Security Settings page

Access to Government ID authentication requires that a contract be in place for a specific annual volume of recipients. Until this is configured on the back-end, the option is not visible in the administrators interface.

The number of successful attempts to verify identity is set to five by default.  This number can be adjusted up or down upon request to your success manager.