
Authentication Settings for Recipients


I just found out today that if a recipient forwards the email that they receive with the link to the envelope and they already opened and authenticated their access using an Access Code, then the person that they sent the link to can open the document and basically just sign it as the first person.  This seems risky to me.  Also, the Authentication Settings for the Access Code feature basically do not allow for a person to require an access code for each new browser.  Basically, it's either every single time or only once - no in between.  So all someone who is being nefarious would need to do is wait until you look at your document, allow you to enter your access code and then - boom, they’re in signing as if they were you with no record on the certificate.

https://support.docusign.com/s/document-item?language=en_US&bundleId=pik1583277475390&topicId=muh1583277327950.html&_LANG=enus

Per the Authentication Settings, "When using Access Codes with this setting, the recipient is not prompted to authenticate again after the first time, even if using a different device."

I would like to suggest that this be changed in light of the forwarding issue, to allow for this to be switched to allow for the same as Phone Authentication, SMS Authentication, and Knowledge-Based ID checks. It should be allowable to require the access code every time they log in from a different browser. Like in the setting "Any recipient must authenticate on every envelope sent from this account"


lcornwell
  • Conversation Starter
  • 17 replies
  • August 27, 2024

Have you opened a DocuSign ticket for this?  This sounds like a huge security issue to me.  I will be following this topic for sure and will be checking all of our DocuSign accounts for this setting.  Thank you for bringing it to our attention!


  • Author
  • Active Voice
  • 24 replies
  • August 27, 2024

I did open a ticket.  I felt the same way.  I also asked for an enhancement.  I’ve been on DS for a while and was surprised that this was even a thing.


lcornwell
  • Conversation Starter
  • 17 replies
  • August 27, 2024

I was discussing this with my teammate.  We were talking about possibly changing all of our accounts to “Every time a recipient accesses an envelope”, but we don’t want to do that either.  We’ll be charged every time someone opens the envelope if anything other than access code is used. That could get costly REALLY quickly.  


  • Author
  • Active Voice
  • 24 replies
  • August 27, 2024

We switched ours to the below, however that still puts the onus on the sender to remember to use Access codes.  We also added a message to the envelope reinforcing the recipient not to forward the link but instead to download and send the document if they want someone else to look at it.  

I would like to have it allow the first “always” and to be able to use the Skip Option for a limited time.  The best of both worlds.  Or better yet if it is sent to someone else, a different desktop, or different browser, then require an access code.  That would be win-win all the way around.  


  • Author
  • Active Voice
  • 24 replies
  • August 27, 2024

Also, according to the documentation the “always” feature only applies to the cost items not access code so definitely would get costly.


  • Author
  • Active Voice
  • 24 replies
  • February 7, 2025

Haven’t really heard anything new on this subject and wondered if anyone else had?  


mshealy
  • Digital Collaborator
  • 104 replies
  • February 10, 2025

I have heard nothing.  Not surprised.


lcornwell
  • Conversation Starter
  • 17 replies
  • February 24, 2025

Nothing here either.

 


matt.pelham
  • Docusign Employee
  • 5 replies
  • April 11, 2025

Hi.  There are 3 settings here that work together and things can get confusing quickly, so I may be confused.  It looks like all the needs mentioned here can be met, so let me walk through this and get your thoughts.

The Recipient Authentication Settings set up the sender experience and this only applies to the authentication methods that are provided for an extra cost:  Phone Authentication, SMS Authentication, and Knowledge-Based ID checks.

The Recipient Authentication Triggers set up what the recipients/signers encounter when accessing an envelope.  Some customers don’t want to make recipients authenticate on every access due to concerns with the user experience and/or additional costs.  This setting applies to both paid and unpaid authentication methods:  Phone Authentication, SMS Authentication, Knowledge-Based ID, and Access Code checks.

The Recipient Authentication Skip Options allows for recipients to access multiple envelopes in succession without needing to authenticate for each envelope so long as they remain on the same device and browser for a time specified by the sending account.  This provides a better user experience and can reduce costs if a paid authentication method is used.

@newtoclm, if the envelopes sent from your account used the Recipient Authentication Trigger setting of “Every time a recipient accesses an envelope”, then the forwarded envelope would require the other person to use the access code.  Would this address the concern you raised?  Also, the quote you added (“When using Access Codes with this setting, the recipient is not prompted to authenticate again after the first time, even if using a different device.”) can be misleading since it only applies to the first setting.  It’s there to warn people about the very concern you uncovered, so we know the documentation could be clearer!  The full text explains how this works:  “The first time a recipient accesses an envelope per device: The recipient must pass the authentication check the first time that they access an envelope on a given device.”  Lastly, I didn’t quite follow what you meant by the “always” option being more costly since the setting also allows for skipping to provide a way to save on cost.  The only reason there is an option to always require authentication is because some customers have very high authentication requirements that Docusign needs to support.  It seems like there’s a setting to meet everyone's needs...and that Docusign could do a better job writing clearer guides.  ;-)

@lcornwell, you are correct that if the setting to require authentication on each access is used with a pay per use authentication method, there could be more charges.  In an attempt to address this, the Recipient Authentication Skip Option was created and it includes a setting so the sending account can decide how long they want to allow authentications to be skipped after the first successful authentication to balance their risk tolerance with their expense constraints.

I hope this helps and please let me know if I missed something or if there’s a use case the current settings are missing.  We’d love to get your ideas for how we can make our product (and our guides) better!


  • Author
  • Active Voice
  • 24 replies
  • April 11, 2025

Unless DocuSign has made updates to the way this functions, then there are definite ways around the safeguards and they are not difficult to get around.  

In regards to your question:

So if you are setting up an envelope and the setting is “always require” an authentication then it requires one of the paid methods, not the free one.  So not free is more than free, thus more costly.  Up to a $1 or more per envelope more costly.  

As far as the Skip and Triggers -- if this is updated then yes that would be perfect.  The way it worked when I and many others wrote these posts was that if you used “first time” or allowed them to “Skip” then if they forwarded the request to anyone, then that person did not need to use an access code because it was already “unlocked”  even if they were on a different browser, even if they were on a different device.  

I asked that if the envelope was forwarded, that the person who received should have to reenter the access code.  I also asked that for the authentication settings there be an option to require that every envelope have authentication - including the free ones.  

If it was updated then Yay! it solves most of the issue and my InfoSec department will be thrilled as will most of the people signing.  I haven’t tested as I was unaware of any changes.  If it isn’t then I guess I’m still waiting… 

 

Hope this helps.


matt.pelham
  • Docusign Employee
  • 5 replies
  • April 11, 2025

Hi @newtoclm.  I’d like to help, but I’m struggling to understand what isn’t working the way you’d like.  Let me share what I think the desired outcome is and how Docusign can be used to provide it.  If you could tell me where I’ve gone wrong, that would help me focus on what you need.

Desired Outcome:  To require a free authentication method each time an envelope is accessed in order to reduce the risk that others could use a forwarded Docusign email to access an envelope without being required to authenticate and potentially sign as the intended recipient.

Instructions:  From Admin → Account → Security Settings → Enable the “Every time a recipient accesses an envelope” setting under Recipient Authentication Triggers.  This will require all recipients receiving envelopes from this account to use the authentication methods set by envelope senders every time anyone attempts to access the envelope.  This includes free access codes and all other methods.

Behavior:  For every envelope sent from the account, all recipients will be required to use the authentication methods set by senders each time they, or anyone else, accesses the envelope.

To the point about using “The first time a recipient accesses an envelope per device” setting, you are correct that authentication will only be used on the first access and that if anyone attempted to access the envelope after that, there would be no authentication challenge.  That is by design to meet what customers have asked for and it is certainly less secure, so it doesn’t seem like the fit for what you want.

To the other point about using the “Recipients can skip authentication when accessing subsequent envelopes from any sender when using the same browser on a device for the following duration:” setting allowing others to access an envelope when the message is forwarded, this should not be the case unless the person who receives the forwarded email is on the same browser and same device within the duration specified.  The language used there is not clear and could easily be misinterpreted as skipping authentication if the person receiving the forwarded email had the same device and same browser.

It seems like what you described can be met and that the concerns mentioned can be addressed...at least I hope so!  If not, please be patient with me and we will get this figured out.


  • Author
  • Active Voice
  • 24 replies
  • April 11, 2025

I agree that “allowing others to access an envelope when the message is forwarded, this should not be the case” but it was.  Not only was it not limited to the initial browser and device but it also signed as if the person who originally got it had signed it.  

I put in an enhancement.  If they fixed it, then the enhancement was completed.  If not then forwarding breaks the system if you use Skip at all.  

As you can see we had to set up as follows which is slightly less friendly if a person has a lot to sign:

 


matt.pelham
  • Docusign Employee
  • 5 replies
  • April 11, 2025

Hi @newtoclm.  The settings you show are what I used to test.  When I required an access code, I was prompted to enter it before I could reach the envelope.  After seeing the documents, I clicked Finish Later to close it.  I then forwarded the DS message to another email account where I tried accessing the envelope several different ways:  same laptop and browser, my phone and a different browser, and even forwarded it to my wife.  In every case a free access code was required to access the envelope.  If you can reproduce this problem, we’d want our Support team to investigate in case there could be a bug.

If there are any use cases that can’t be addressed by the current functionality or if anything isn’t working as expected, please let us know.  I also sent you a private message in case you’d like to share a screen so we can look at this together.  It should never have taken so long for your post to be answered and I’d like to make sure things are addressed.



Hello ​@newtoclm,

I hope you are doing well. Just checking if you still need further assistance. To share, I mirrored your current settings and got the same results as my colleague, where an access code is asked each time when the link is forwarded, and the envelope is accessed using a different browser/ device. If this is not what you experienced, please send me a private message with your details (email and account number), and we will have a Technical expert take a closer look at this to see if it is a potential bug. Or if there is already an existing case, I can help with the follow up (kindly send me a private message of the case number). Rest assured, this will be highly prioritized. 

Please let us know if you have other concerns or questions and we'd be happy to help and are here to provide any further assistance you may need. We are converting this post as a question for now, and we look forward to hearing from you. Thank you!

 

Best regards,

Melanie | Docusign Community Moderator

"Select as Best" below if you find the answer a valid solution to your issue.


  • Author
  • Active Voice
  • 24 replies
  • April 15, 2025

Hello, 

Yes.  I know that my settings work.  That is why we set them that way.  

We wanted to allow the signers to have a window where they do not have to enter an authentication code.  That was the start of the rabbit hole with forwarding.  When we found out that if you use that setting, the forwarded envelope could be signed by the next person as if they were the first person without any indication or notice or traceability, that is when we set our settings to the above.  

According to Matt.Pelham above, I believe he indicated that the settings may have been updated to allow you to choose, allow “the first time” and it will not allow the forwarded email to be used without an access code by the new person, however I have not tested that out since it was updated.  

The reason I know that this was not working is that an officer forwarded an email to another officer asking him a question and that officer signed the contract without using an access code.  The first officer went to sign and it said it was already signed and indicated that he was the one that signed it.  Meanwhile, he did not.  We then did two more tests and forwarded envelopes were able to be signed as long as the person forwarding had used their access code to open the item first.  If they did not enter the access code then the person who received the forwarded item had to enter an access code. It is distinctly possible that the per device was not there when we first opened the ticket.  If it was, then at the time of my original post (as well as others) it was not per device as indicated as the forwarded email was on a different device.

We opened a support ticket at that time and they said “don’t forward” and yep, that’s right - basically.  We opened an enhancement.  From the flurry of activity on this post the last couple of days, it seems that this may have been fixed since the enhancement request was submitted.  As the person who submitted the enhancement request does not receive notice that it was completed (mostly), I am glad it went through, or at least according to your testing.  I, however, have not had the opportunity to confirm that this is the case.  

We also put in an enhancement request to force the use of another authentication method at the ORG company level (for all accounts) with the inclusion of the “free” methods or the other “pay” methods.  I don’t think that happened yet. The ORG would like to dictate the use of access codes or another method across all accounts.  

Also, I have not tested the Skip options at this time.  It looks like the option: Recipients can skip authorization when accessing subsequent envelopes from same sender…. would help with recipients not having to repeatedly enter codes, but I am guessing there is a reason we have that switched off.  It’s been a hot minute since we set up our e-sig side.

 

Hopefully the first part of the enhancement request truly is corrected and myself and others no longer need to worry about which Trigger Option we choose. 

Thank you for the feedback.



Hello ​@newtoclm,

Thank you for getting back to me. Currently, the process is still the same. If you use "The first time a recipient accesses an envelope per device," then the Access Code requires one use as highlighted in the documentation: Authentication Settings.

In my understanding, Matt is saying that if you change your settings to "Every time a recipient accesses an envelope" this will solve the concern (because the Access Code would be required every time, no matter which browser the envelope is opened through). I understand this is your workaround and current settings, and I'm glad it is working as expected. However, we understand that your requests are specific.

I received your message and found your Enhancement request, EMT-3499, which is currently under review. All of the Docusign Release Notes are available here. We apologize for any inconvenience this might have caused you.

Don't hesitate to let us know if you have any questions or need further assistance. Thank you and have a great day!

 

Best regards,

Melanie | Docusign Community Moderator

"Select as Best" below if you find the answer a valid solution to your issue.