When obtaining signatures or approvals from recipients, many agreements demand a higher assurance of authentication than simple email verification. Adobe Sign provides several options for senders to insert a second-factor authentication into the process, establishing a higher confidence level that your recipients are properly certified.


Identity verification of a recipient is a key element in obtaining a legal signature.

Adobe Sign uses email as the default first-factor authentication method, which fulfills the requirements for a legal electronic signature under the ESIGN Act. For many customers, this is sufficient for their needs.

However, some customers prefer to add a second-factor authentication to provide an elevated assurance that the intended recipient is properly identified. To this purpose, Adobe Sign provides several options to choose from, depending on the level of assurance deemed appropriate.

Generally speaking, more robust authentication methods insert more "friction" to the signature process, so it is left to the administrator to set the available options that the internal policies dictate are reasonable and appropriate.

The more complex "premium" authentication methods include additional costs per transaction.

Signer authentication methods

  • Email - Email is the default first factor authentication of a recipient
    • All service levels initially employ this as the default authentication method
  • Password - An alphanumeric password is supplied by the sender while configuring the agreement that the signer must enter
    • Available to all service levels
    • Unique alphanumeric password set per recipient
    • Passwords are not exposed in the agreement records, nor are they recoverable after the agreement is sent
  • Social - The signer is required to authenticate to one of the allowed third-party services
    • Available to business and enterprise level accounts only
  • Adobe Sign authentication - The signer is required to authenticate to Adobe Sign
    • Available to enterprise level accounts only
    • Must be enabled on the back end by your success manager

"Premium" signer authentication methods

Premium authentication methods may incur additional per recipient costs. Contact your sales or success manager for details.

  • Knowledge-based (KBA) - The signer is required to answer several randomly selected questions pulled from public databases
    • Available to business and enterprise level accounts only
    • 50 free authentications per year
      • Additional per recipient cost if more than the original 50 are desired
    • Applicable to US recipients only
  • Phone (SMS) - A verification code is sent to the recipient's phone number
    • Available to enterprise level accounts only
    • Recipient phone number must be provided when the agreement is being created
    • 50 free authentications per year
      • Additional per recipient cost if more than the original 50 are desired
  • Government ID - The recipient must provide an acceptable government-issued ID and selfie
    • Available to enterprise level accounts only
    • Additional per recipient cost that must be enabled before the option can be exposed in the Admin UI

How it's used

The Sender's perspective

Senders can select an authentication method from a drop-down menu just to the right of the recipient's email address.

The list of available options is limited by the admin, and the default value can also be set (see Configuration). 

It is also possible to set different authentication methods per recipient. This is particularly valuable if you have internal counter-signers that don't require a high-friction authentication method (like KBA or Government ID).


Selecting the authentication method is a simple click and select process with two exceptions:

  • Password authentications require the sender to type in the password (twice)
    • Passwords are Alpha/Numeric only. No special characters
    • The sender must communicate the password to the recipient through some external channel
    • Note that the password is not stored in clear text anywhere in the application. If the password is lost, it cannot be recovered or reset. The agreement will need to be canceled and resent


  • Phone authentication requires that a phone number for the recipient be provided

The Signer's perspective

Signing via email authentication

Signing via the email link is the default process for all transactions. Accessing an email box is an authenticated process, so gaining access to the email is a method of recipient validation.

If no second-factor authentication is applied, clicking the email link will open the agreement content directly giving the recipient full access to the documents sent for their review.



Agreements that are secured with second-factor authentication mask the document thumbnail.



The audit report records a successful e-signature.


Second-factor authentication experiences

Signing an agreement with a password installed as the second-factor authentication starts with the email link.

Once the link is clicked, the recipient is challenged with the password interface.


An email link is provided (under the name of the sender) if the recipient needs to contact the sender to obtain the password.

If the recipient fails to enter the password correctly five times, the agreement will be canceled.

  • The sender will be notified that the agreement was canceled with a note that the recipient has failed to provide the correct signing password.

Once the password is successfully entered, the recipient is given full access to the content.


The audit report indicates that the password was successfully entered.


Social-identity (or "web") authentication requires signers to log in to a third-party web service successfully.

  • Google, LinkedIn, and Facebook are the default options, though the account admin can request that other options be enabled

The signer can select any of the service options made available:


Once the service is selected, a window to that service's login screen is opened.

The recipient authenticates to the service using the correct credentials for that service.

  • This process takes place entirely within the authority of the third-party service. No part of this authentication process takes place in Adobe Sign space, and the credentials are not captured

Once a signer successfully authenticates, the service reports back to Adobe Sign that the authentication was successful, and that success is captured as valid identity verification.


Some content is passed back to Adobe Sign at this time to update the Audit report. For example, LinkedIn will insert the Name value from the account into the signature field, and insert a link in the audit report that points to the authenticating LinkedIn profile.


Adobe Sign authentication requires the signer to enter their Adobe Sign credentials to authenticate to the agreement.

This process is similar to the social authentication method above, but the only option for authentication is Adobe Sign. 

  • This is very useful for internal authentication processes where you know the recipient has an Adobe Sign account
  • If the recipient does not have an Adobe Sign password, they will be required to register their email address (to establish their password) before they can access the agreement

By default, the authentication panel inserts the email address of the recipient.

  • You can contact your Success Manager to have the default changed to leave the email field empty.

The audit report clearly indicates that the recipient was verified with Adobe Sign authentication.


Knowledge-based authentication is a high-level verification used mainly in financial institutions and other scenarios that demand a strong assertion of the signer's authenticity.

The signer is first prompted to enter personal information that the KBA application uses to gather several customized, nontrivial questions from their past (using public databases). Each question must be answered correctly to gain access to the agreement.

The recipient has a limited number of attempts to answer the questions correctly, or the agreement will be canceled and the sender will be notified.

Adobe provides this feature through a partnership powered by InstantID Q&A from LexisNexis Risk Solution.

Learn more about LexisNexis Identity Verification.



The successful KBA identity verification is then logged in the audit report, including the authentication token from LexisNexis.


Phone authentication delivers a five-digit code to the recipient's mobile phone, which must be entered for the agreement to be exposed.

  • The phone number must be entered during the creation of the agreement
  • If the recipient delegates their signature authority, they will be asked to provide a valid phone number for the new recipient. A correct phone number must be provided or authentication will ultimately fail
  • The recipient has the option to select a Text Message (for smart phones that can receive text messages) or a Voice Call (if a text enabled phone isn't available)
    • The authentication code is valid for ten minutes after it is delivered
  • Only the last four digits of the phone number are exposed. If the recipient identifies that the phone number is not correct, there is an email link under the sender's name to facilitate contact


Once the recipient clicks the Send Code button, the page refreshes to allow the input of the access code.

  • The recipient has five attempts to enter the correct code.
  • If the recipient fails five times, the agreement will be canceled, and the sender will be notified.


The audit report clearly identifies that a phone number was used for verification. 

  • Only the last four digits of the phone number are exposed
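The phone challenge rules above (five-digit code, ten-minute validity, five attempts, last four digits shown) can be modeled as a small state machine. This is an added example, not Adobe Sign code: the `PhoneChallenge` class, its state names, and the choices that an expired code does not count as a failed attempt and that requesting a new code does not reset the attempt counter are all assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 5          # page: five-digit code
CODE_TTL_SECONDS = 600   # page: code is valid for ten minutes after delivery
MAX_ATTEMPTS = 5         # page: five failed attempts cancel the agreement


@dataclass
class PhoneChallenge:
    """Hypothetical model of one recipient's phone challenge."""
    phone_number: str
    code: str = ""
    delivered_at: float = 0.0
    failed_attempts: int = 0
    state: str = "PENDING"   # PENDING -> VERIFIED or CANCELED

    def masked_number(self) -> str:
        # Only the last four digits are shown to the recipient or in the audit report.
        digits = [c for c in self.phone_number if c.isdigit()]
        return "*" * (len(digits) - 4) + "".join(digits[-4:])

    def send_code(self, now: float) -> str:
        if self.state != "PENDING":
            raise RuntimeError("challenge is closed")
        # secrets draws from the OS CSPRNG; the code must not be predictable.
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.delivered_at = now
        # Assumption: failed_attempts is NOT reset here, so asking for a new
        # code cannot be used to obtain more than MAX_ATTEMPTS guesses.
        return self.code     # goes to the SMS/voice gateway, never to the browser

    def verify(self, submitted: str, now: float) -> str:
        if self.state != "PENDING":
            return self.state
        if not self.code or now - self.delivered_at > CODE_TTL_SECONDS:
            return "EXPIRED"  # assumption: expiry is not counted as a failure
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.state, self.code = "VERIFIED", ""
            return self.state
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.state, self.code = "CANCELED", ""   # sender would be notified
            return self.state
        return "WRONG_CODE"


def guess_success_probability(attempts: int = MAX_ATTEMPTS,
                              digits: int = CODE_DIGITS) -> float:
    """Chance that blind guessing hits the code within the attempt limit."""
    return min(1.0, attempts / 10 ** digits)
```

With the limit enforced per challenge, blind guessing succeeds with probability 5 in 100,000; if the limit is disabled or the counter resets on every resend, that bound no longer holds.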

Government ID authentication uses a recipient supplied image of a government-issued document, along with a selfie, to establish a strong verification record.

The supported documents are:

  • Global Passport
    • All ICAO-compliant passport books
  • Driver license / National ID
    • United States of America
    • Great Britain
    • Canada
    • France
    • Ireland
    • Italy
    • Netherlands
    • Spain

Once the email link is clicked, the recipient is prompted to provide the phone number of a smartphone. This is required for the image capturing application that will compare the ID to the government database.

  • There is a 15 minute time limit to complete the verification process that starts once the email link is clicked.
  • Once the text message is sent, a blue message appears indicating the message is sent, and the link in that message has a five minute expiration.


If the signature process is started on a mobile phone, this phone number step is skipped.



On the smart phone, a text message is delivered with a link.

Once the link is clicked, the recipient is given the option to authenticate with either a Driver License / ID card or a Passport.



When using a driver's license or ID card the app will prompt the recipient to take an image of:

  • The front of the card
  • The back of the card
  • Themselves

If using a Passport, only one image of the passport is required.



During the process of gathering and verifying the document content, the original notification page displays a status message that the details are being verified.



The scanned Government ID is authenticated in real time by validating dozens of elements within the document, including:

  • Document structure
  • Biographical data
  • PDF417 barcode (if applicable)
  • Machine readable zone (if applicable)
  • Security features
  • Photo zone
  • Signature

The selfie image is then compared to the image on the document to provide a real time match of the recipient to the document.

More about the authentication process....

Powered by advanced machine learning algorithms, Adobe Sign’s Government ID process empowers companies across the globe with the ability to authenticate the identity of their digital users to become trusted signers; anytime, anywhere.

Layer 1:

The first layer of technology provides a seamless and secure method to validate an identity document presented in a digital transaction; ensuring the document is both genuine and unaltered.

Combining a best-in-class capture experience with a proven ID document verification engine ensures trusted digital identity proofing with a seamless user experience.

Government ID verification is available for all Latin-based languages and supports thousands of international and domestic identity documents including:

  • Passports
  • ID Cards
  • Driver’s Licenses


To achieve reliable results, the service delivers each of the following:

  • Guided document capture - Users are instructed how to take a quality photo for optimal processing
  • Document classification – “Computer vision” algorithms recognize and classify thousands of government-issued documents, allowing for reliable data extraction and document validation
  • Data extraction - Going beyond simple optical character recognition, this service deconstructs the document and analyzes the content of each field
  • Evaluation of authenticity elements - A combination of artificial intelligence techniques validate dozens of elements within the identity document, including:
    • Document structure - Physical attributes of the ID document are evaluated for correct size, material, shape, color, layout, etc.
    • Biographical data - Printed data that identifies the individual is evaluated for font usage, color, acceptable values, etc.
    • PDF417 barcode (if applicable) - OCR results of the biodata from the front are compared with the data extracted from the PDF417 barcode at the back
    • Machine readable zone (if applicable) - The Machine Readable Zone (MRZ) printed area is checked for font usage, presence, check digits, etc.
    • Security features - Both visual and invisible security features of the ID are checked for presence, position, content, etc.
    • Photo zone - Portrait, or main picture, is evaluated for having a human face, orientation, color, etc.
    • Signature - The signature section is checked for presence, font type, matching with known samples, etc.


Layer 2:

A second layer of authentication matches the portrait extracted from the ID document with a "selfie" from the user through a biometric facial comparison; affirming that the user submitting the ID document is its rightful owner.

Anti-spoofing techniques

  • Video frame analysis is used to ensure the user can take a quality selfie in optimal capture conditions
  • Lighting, focus, and alignment are some of the conditions evaluated

The Signer Identity Report

Once the agreement is completed, a Signer Identity Report (SIR) is generated for each Government ID secured during the transaction.

  • This document persists alongside the Agreement and Audit Report
  • The SIR can be accessed by v6 REST API call
  • The document is destroyed only through retention or GDPR delete actions


Once both steps are successfully completed, the recipient is granted access to the agreement.

  • The name of the recipient as presented on the ID is imported to the signature field and can not be edited

The recipient has five attempts to successfully verify using their ID. If they fail five times, the agreement is canceled, and the sender is notified.


The audit report clearly indicates that the recipient was verified with a government ID.


Configuration options

All authentication methods and options can be configured at the account and/or group level.

  • Each group can be configured uniquely as required by your business needs.

When any authentication method is enabled, it becomes an available option for:

Options for general access to authentication options

A quick word about configuring internal recipients

There are two sections with similar controls on the Send Settings page.

  • The upper group of controls establishes the "general" access rules
  • The lower group allows for a different set of rules to be applied to your "internal recipients"
    • Internal recipients are defined as any recipient (email address) within your Adobe Sign account
      • Note that this does not necessarily include all of the people at your company
      • Recipients in a different Adobe Sign account are not "internal" from the application's perspective, even if they are in your company and share an email domain

Configuring internal recipients with a different authentication method (e.g. Adobe Sign authentication) has benefits:

  • There is less frustration for your signers
  • A less complex signature process accelerates signing for recipients that might have to counter-sign many agreements
  • The costs for premium authentication can be obviated


General access controls

There are three general access controls:

  • Require senders to specify one of the enabled authentication methods - When enabled, Email will be removed from the list of authentication methods. One of the second-factor authentication methods must be selected
    • You will be required to select a default authentication method
  • By default, use the following method - Establishes the default method inserted when a recipient is added to an agreement
  • Allow senders to change the default authentication method - If enabled, the sender will have the option to select any method enabled from a drop down list 
    • When disabled, only the default method of authentication can be used


Internal recipient controls

There are also three controls related to internal recipients:

  • Enable different identity authentication methods for internal recipients - When enabled, internal recipients will apply different authentication rules
  • By default use the following method - Establishes the default method for internal recipients
  • Allow senders to change the default authentication method - Grants the sender the authority to change the default authentication method to any other option enabled by the admin

Second factor method options

The agreement signing password has three control options that can be configured by the admin on the Security Settings page:

  • Restrict number of attempts - Enabled by default. If disabled, then recipients can try to enter the password an unlimited number of times 
    • Allow Signer XX attempts to enter the agreement password before cancelling the agreement - The admin can enter any number to limit the number of attempts to authenticate. Once the number of attempts is crossed, the agreement will automatically cancel and notify the sender
  • Agreement Signing Password Strength - Defines the complexity of the password that must be entered when the sender is creating the agreement


The options to configure the security settings are only visible if the authentication method is enabled on the Send Settings page.


By default, only three web identity options are available:

  • Google
  • LinkedIn
  • Facebook

Enterprise customers can request their success manager to enable any of the below options:

  • Yahoo
  • Twitter
  • Microsoft LiveID

By default, the Adobe Sign authentication method will insert the email address of the recipient into the authentication window.

If desired, your success manager can disable this auto-population, leaving the email field empty for the recipient to fill.

Knowledge-based authentication has three configurable options that can be found on the Security Settings page:

  • Restrict number of attempts - Enabled by default. If disabled, then recipients can try to authenticate an unlimited number of times 
    • Allow Signer XX attempts to validate their identity before cancelling the agreement - The admin can enter any number to limit the number of attempts to authenticate. Once the number of attempts is crossed, the agreement will automatically cancel and notify the sender
  • Knowledge Based Authentication difficulty level - Defines the complexity of the validation process:
    • Default - Signers will be presented with 3 questions and will be required to answer them all correctly. If they only answer 2 correctly, they will be presented with 2 more questions and will be required to answer them both correctly
    • Hard - Signers will be presented with 4 questions and will be required to answer them all correctly. If they only answer 3 correctly, they will be presented with 2 more questions and will be required to answer them both correctly


The options to configure the security settings are only visible if the authentication method is enabled on the Send Settings page.


Phone authentication allows the admin to configure the number of failed attempts allowed before the agreement is canceled.

This setting can be configured on the Security Settings page.


The options to configure the security settings are only visible if the authentication method is enabled on the Send Settings page.



Phone authentication affords the user the option to customize the SMS message and insert the company name from the sender's profile in place of "Adobe Sign". See here for more details

Access to Government ID authentication requires that a contract be in place for a specific annual volume of recipients. Until this is configured on the back-end, the option is not visible in the administrator's interface.

The number of successful attempts to verify identity is set to five by default.  This number can be adjusted up or down upon request to your success manager.

Disable web form email verification

Web forms are employed in a multitude of unique use cases, and frequently there is a diminished demand for strongly enforced recipient authentication.  

For accounts that do not need to authenticate web form signatures, the option to disable email verification can be configured by navigating to: Account Settings > Global Settings > Web Forms


This setting only disables the email verification of the signature.

  • This setting applies to all web forms within the account or group where the setting is defined.

If a password is enabled to grant access to the web form, that security gate is not impacted.


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
