This article describes the new Enforce Identity Authentication experience accessed from the Bio-Pharma Settings tab of the admin menu. (Released in November 2023.)
This new experience is enabled by default for new accounts after the November 2023 release and enabled by an administrator for accounts that existed prior to the November 2023 release.
The classic Enforce Identity Authentication process document is still available and will remain so until the experience is retired.
Overview
The Enforce identity authentication feature defines the trigger events that prompt a recipient to re-authenticate when interacting with an agreement. There are three independently selectable options:
- Authenticate when opening the agreement.
- Authenticate when applying a signature.
- Authenticate when completing the agreement.
The triggers that are enabled encompass all signers included in the agreement (internal and external).
Availability:
Enforce identity authentication is limited to enterprise license plans.
Configuration scope:
The features can be enabled at the account and group levels.
The November 2023 release separated the controls for enhanced identity authentication, removing the dependency between them.
Accounts created before the November 2023 release must opt in to the separated controls experience by selecting the Enable Now button on the Bio-Pharma Settings page.
Accounts created after the November 2023 release automatically inherit the modern experience.
The modern experience can only be enabled at the account level. This means that:
- All groups that haven't explicitly configured their Bio-Pharma Settings page will continue to inherit the same configuration as the account-level controls.
- Explicitly configured groups will adopt the new separate control experience, but will also retain their existing control configurations.
It's important to note that enabling the new experience does not change any effect currently observed when signing an agreement, regardless of the group from which the agreement is sent.
The practical impact of enabling the new experience is that you can enable or disable each of the three controls discretely.
Enabling the new Enforce Identity Authentication environment has two consequences:
- The classic experience requires that Challenge the user to authenticate themselves when the agreement is opened must be enabled before either of the subordinate controls can be enabled.
The modern experience removes that requirement, allowing each of the three controls to be enabled individually.
The user interface is updated to show all three controls at the same "level," indicating that all three are equally available.
- The classic experience can show checked boxes in the subordinate controls when the parent control is disabled.
Because the parent control is disabled, the subordinate controls are not active, but the greyed-out checkboxes persist and may give the wrong impression of being active.
When the modern experience is enabled:
• If the Challenge the user to authenticate themselves when the agreement is opened control is disabled, the (previously) subordinate controls will be cleared and properly shown as unchecked.
• If the Challenge the user to authenticate themselves when the agreement is opened control is enabled, the (previously) subordinate controls will retain their values.
Enabling the modern experience is not reversible.
Once you save the enablement, the account is updated and the Enable Now banner is removed from the interface.
How it's used
Prerequisites
For Enforce identity authentication to work, the signer must be authenticating their identity with either:
- Phone authentication (SMS) - Recommended for external signers.
- Acrobat Sign authentication - Recommended for internal signers.
The agreement processes normally if any other authentication method is defined, but Enforced identity authentication isn't applied for that recipient. Configuring some recipients to apply Enforced identity authentication and others to bypass it by leveraging different authentication methods in the same transaction is permissible.
The authentication method is defined on the Send Settings page in the Identity Authentication Methods section.
The recipient experience
The recipient is presented with the authentication UI upon triggering an authentication challenge.
The two authentication options are:
- Phone authentication - An SMS-based text that provides a five-digit code that the signer must enter before affixing the signature
- Acrobat Sign authentication - A request to authenticate to Acrobat Sign through the Adobe identity management system. Because authentication to Adobe is required, this method is primarily recommended for internal recipients where the sender can reasonably expect such an account exists.
Recipients that authenticate using the Acrobat Sign authentication method must authenticate through the Acrobat identity management system. All social authentication options (Google, Facebook, and Apple) are removed during the authentication process.
Accounts that configure their Admin Console organization to allow SSO authentication will authenticate against their configured identity provider, removing the requirement for their internal recipients to be entitled with a license for Acrobat Sign.
Once the authentication is passed, the recipient can continue the form-filling/signing process.
Configuration
To enable Enforce identity authentication options, navigate to Bio-Pharma Settings > Enforce identity authentication.
Enforce identity authentication contains three independently selectable options:
- Challenge the user to authenticate themselves when the agreement is opened - When enabled, each recipient must authenticate before the agreement is opened for viewing.
- Challenge the user to authenticate themselves when the signer clicks a signature field in the agreement - When enabled, all recipients must authenticate every time a signature field is selected (before the signature can be applied).
- Only signature and signature block fields are re-authenticated; initial fields are not.
- The setting impacts both required and optional signature and signature block fields.
- Challenge the user to authenticate themselves when the Click to Sign button is selected after the signing ceremony is complete - When enabled, the recipient must reauthenticate after selecting the Click to Sign button (when they have completed their interaction with the agreement).
Related settings
The option to Challenge the user to authenticate themselves when the agreement is opened can be suspended for recipients in your account if they are logged in to Acrobat Sign when the agreement is opened. This can eliminate some of the friction for your internal signers.
To allow your users to skip the agreement opening authentication if logged in:
- Navigate to Account Settings > Send Settings > Signer Identification Options.
- Enable Don’t challenge the signer to re-authenticate if they are already logged in to Acrobat Sign.
- Save the page configuration.
Audit report changes
When any of the Enforce identity authentication options are enabled, the audit report explicitly logs every authentication in the audit report, and to a lesser degree, in the activity panel of the agreement.
Things to keep in mind...
- Enforced Identity works with authenticated self-signing.
- Enforced identity authentication works with digital and electronic signature fields.
- Enforced authentication does not apply when only a Stamp is used as a signature.
