Obtaining signatures and approvals from recipients can require varying levels of authentication depending on the document involved. Adobe Acrobat Sign supports a full range of authentication methods, from simple, single-factor email verification to sophisticated, two-factor authentication based on government-issued documents.
Authenticating a recipient's identity is a key element of the Acrobat Sign system to obtain a legal signature and improve non-repudiation.
However, different business purposes have different demands on identity authentication. Consider the different levels of identity assurance you would demand for the below transactions:
Acrobat Sign provides a control set that allows authentication types to be defined at the account and group level with definable default values to streamline the sender's experience and better ensure compliance with company signature policies.
Keeping in mind that the more robust authentication methods insert more "friction" to the signature process, admins should configure the account or group defaults to support the most common authentication requirement, opting for the least complex option where possible, and allowing editable options if some transactions demand more complex solutions.
Internal vs. External Recipients
Authentication controls make specific accommodations to configure authentication methods for two types of recipients, Internal and External:
Delineating the recipients in this manner allows workflows to leverage high-level authentication for external recipients while using more cost-effective authentication for internal users.
It is possible for one company (email domain) to have multiple Acrobat Sign accounts.
Only the users resident in each discrete account are internal to each other. External accounts house external recipients in all cases.
Acrobat Sign uses email as the default first-factor authentication method, fulfilling the requirements for a legal electronic signature under the ESIGN Act. For many customers, this is sufficient for most needs.
Email verification requires that the recipient:
Access to the email link establishes a reasonable measure of identification, as all email addresses are unique, and access to email is password authenticated.
Integrations or actions that bypass the email notification to a recipient should include a suitable second-factor authentication method for non-repudiation.
Acrobat Sign Authentication prompts the recipient to authenticate to the Acrobat Sign system.
This method is primarily used as a "low-friction" counter-signature option for your internal recipients when you have signature requirements that require a logged/authenticated event for each signature.
Care should be taken before assigning Acrobat Sign Authentication to external recipients:
Recipients are asked to authenticate to Acrobat Sign before they can view the agreement contents:
Acrobat Sign supports several second-factor authentication methods for higher-value transactions that demand more than simple email verification.
The method of authentication is usually dictated by the type of document or industry of the involved parties. It is incumbent on the admin to understand their internal signature policies and possible compliance demands.
Below is a summary of the available second-factor authentication options with links to more detailed descriptions:
Signer password authentications require the sender to type in the password (twice)
Recipients are asked to enter the password before they can view the agreement contents:
Phone authentication delivers a six-digit code to the recipient which must be entered for the agreement to be exposed.
The recipient requests the code, and must enter it prior to viewing the agreement content:
Knowledge-Based Authentication is a high-level authentication method used mainly in financial institutions and other scenarios that demand a strong assertion of the signer's identity.
The recipient is prompted to enter personal information, which is used to gather several nontrivial questions from their past (using public databases). Each question must be answered correctly to gain access to the agreement.
KBA is valid only for recipients in the USA.
Government ID authentication instructs the recipient to supply an image of a government-issued document (Driver's license, Passport) and a selfie to establish a strong verification record.
Recipients are challenged to provide a phone number to a smartphone initially and then are walked through the process of uploading the document and selfie images:
Phone, KBA, and Government ID are "premium" authentication methods.
Premium authentication methods are a metered resource that must be purchased prior to use. Contact your success manager or sales agent for details.
New enterprise and business-level accounts are given 50 free Phone and KBA transactions when the account is launched.
All second-factor authentication methods have configurable thresholds that cancel the agreement when a recipient fails to authenticate an unacceptable number of times.
Digital Identity verification leverages a Federated identity provider (IdP) that is licensed externally to the Acrobat Sign service and must be configured prior to becoming accessible when composing agreements.
Full details of the Digital Identity solution can be found here >
The details of the recipient experience vary based on the identity provider that the sender uses. At a high level, the recipient is informed that identity verification is to be resolved through a federated IdP, with a Verify Identity button available to trigger the verification process.
When configuring an agreement, senders can select an authentication method from a drop-down menu just to the right of the recipient's email address.
Most authentication methods can be configured to be the selected default value to simplify the sending process. Only the Digital Identity options can not be configured as a default authentication value.
Typically, a recipient is first made aware of an agreement awaiting their attention via email.
Each second-factor authentication method has an explicit success message that identifies the method used.
Email authentication simply indicates that the document was signed:
The account-level settings can be accessed by logging in as an Adobe Sign account-level admin and navigating to Account Settings > Send Settings > Signer Identification Options
All controls can also be configured at the group level. Remember that:
The controls are divided into two sections:
The primary authentication controls:
The internal recipient controls provide the options you would like to apply to internal recipients:
Web forms are employed in a multitude of unique use cases, and frequently there is a diminished demand for enforced identity authentication.
For accounts/groups that do not need to authenticate web form signatures, the option to disable email verification can be configured by: