Obtaining signatures and approvals from recipients can require varying levels of authentication depending on the document involved. Adobe Acrobat Sign supports a full range of authentication methods, from simple, single-factor email verification to sophisticated, two-factor authentication based on government-issued documents.
Authenticating a recipient's identity is a key element of the Acrobat Sign system to obtain a legal signature and improve non-repudiation.
However, different business purposes have different demands on identity authentication. Consider the different levels of identity assurance you would demand for the below transactions:
Acrobat Sign provides a control set that allows authentication types to be defined at the account and group level with definable default values to streamline the sender's experience and better ensure compliance with company signature policies.
Keeping in mind that the more robust authentication methods insert more "friction" to the signature process, admins should configure the account or group defaults to support the most common authentication requirement, opting for the least complex option where possible, and allowing editable options if some transactions demand more complex solutions.
Internal vs. External Recipients
Authentication controls make specific accommodations to configure authentication methods for two types of recipients, Internal and External:
Delineating the recipients in this manner allows workflows to leverage high-level authentication for external recipients while using more cost-effective authentication for internal users.
It is possible for one company (email domain) to have multiple Acrobat Sign accounts.
Only the users resident in each discrete account are internal with each other. External accounts house external recipients in all cases.
Acrobat Sign uses email as the default first-factor authentication method, fulfilling the requirements for a legal electronic signature under the ESIGN Act. For many customers, this is sufficient for most needs.
Email verification requires that the recipient:
Access to the email link establishes a reasonable measure of identification, as all email addresses are unique, and access to email is password authenticated.
Integrations or actions that bypass the email notification to a recipient should include a suitable second-factor authentication method for non-repudiation.
Acrobat Sign supports several second-factor authentication methods for higher value transactions that demand more than simple email verification.
The method of authentication is usually dictated by the type of document or industry of the involved parties. It is incumbent on the admin to understand their internal signature policies and possible compliance demands.
Below is a summary of the available second-factor authentication options with links to more detailed descriptions:
Signer password authentications require the sender to type in the password (twice)
Recipients are asked to enter the password before they can view the agreement contents:
Acrobat Sign Authentication prompts the recipient to authenticate to the Acrobat Sign system.
This method is primarily used as a "low-friction" counter-signature option for your internal recipients when you have signature requirements that require a logged/authenticated event for each signature.
Care should be taken before assigning Acrobat Sign Authentication to external recipients:
Recipients are asked to authenticate to Acrobat Sign before they can view the agreement contents:
Phone authentication delivers a six-digit code to the recipient which must be entered for the agreement to be exposed.
The recipient requests the code, and must enter it prior to viewing the agreement content:
Knowledge Based Authentication is a high-level authentication method used mainly in financial institutions and other scenarios that demand a strong assertion of the signer's identity.
The recipient is prompted to enter personal information, which is used to gather several nontrivial questions from their past (using public databases). Each question must be answered correctly to gain access to the agreement.
KBA is valid only for recipients in the USA.
Government ID authentication instructs the recipient to supply an image of a government-issued document (Driver's license, Passport) and a selfie to establish a strong verification record.
Recipients are challenged to provide a phone number to a smartphone initially and then are walked through the process of uploading the document and selfie images:
Phone, KBA, and Government ID are "premium" authentication methods.
Premium authentication methods are a metered resource that must be purchased prior to use. Contact your success manager or sales agent for details.
New enterprise and business-level accounts are given 50 free Phone and KBA transactions when the account is launched.
All second-factor authentication methods have configurable thresholds that cancel the agreement when a recipient fails to authenticate an unacceptable number of times.
When configuring an agreement, senders can select an authentication method from a drop-down menu just to the right of the recipient's email address.
The default authentication method can be configured by an admin to simplify the sending process. Other options can be made available if needed.
Typically, a recipient is first made aware of an agreement awaiting their attention via email.
Each second-factor authentication method has an explicit success message that identifies the method used.
Email authentication simply indicates that the document was signed:
The account-level settings can be accessed by logging in as an Adobe Sign account-level admin and navigating to Account Settings > Send Settings > Identity Authentication Methods
The controls are divided into two sections:
The primary authentication controls:
The internal recipient controls provide the options you would like to apply to internal recipients:
Each group in an account inherits the default authentication settings from the account-level settings.
Every group has the ability to override the inherited account settings to tune the default values and available options for the agreements generated in that group.
The group-level admin controls for identity authentication can be accessed by logging in as an Acrobat Sign admin:
For group-level admins that do not have account-level access:
Web forms are employed in a multitude of unique use cases, and frequently there is a diminished demand for enforced identity authentication.
For accounts/groups that do not need to authenticate web form signatures, the option to disable email verification can be configured by: