we have noticed the following point, which could lead to forgery of the signature: If a signatory does not open the document, but only forwards the mail itself to a person who is not stored as a signatory in the entire workflow, this recipient can open the document and sign on behalf of the person originally stored. How can this be prevented? In our opinion, this is not possible by adding a code, as this code is contained in the mail that is forwarded. Creating the highest security level when sending would be too much effort for what is in this case a simple signature process.
Thank you very much in adcanve for your reply!
Katrin
Best answer by Alexandre.Augusto
Hello, @Katrin
Welcome to the DocuSign Community!
There are some options depending on your account plan.
Add an Identity verification SMS - the recipient who must sign provide to you his/her mobile number so when the notification email arrives, clicking in the Review button will make a pop-up windows shows up to send a security token to the mobile phone, only who is the owner of that number will get the token, he/she needs to type the security token in a pop-up window to get access to the envelope, that will be recorded in the Audit trail document.
Add an Identity Verification IDV - you can select one of the IDV verification accordingly available for your country to check a Driver License or Passport document, thus the recipient must have the Driver License or Passport to confirm his identity.
Not forwarding the email that contains the personal link to DocuSign eSignature for signing is most important and this is also emphasised in the “Do Not Share This Email” section. This is how it can be prevented. This not forgery of a signature but a user error in sharing the access with someone else by forwarding the email. It is like giving that person the car keys. If they want and there is no additional security in place they are able to open the car and perform actions afterwards, in this case signing the documents.
For internal signers you can enforce a login into the DocuSign eSignature account to prevent this when you claim the domain and configure the settings accordingly. If you set up an Access Code, this needs to be shared by you with the recipient. It should not be included in the DocuSign email body and be communicated on a different way, so not via email.
There are some options depending on your account plan.
Add an Identity verification SMS - the recipient who must sign provide to you his/her mobile number so when the notification email arrives, clicking in the Review button will make a pop-up windows shows up to send a security token to the mobile phone, only who is the owner of that number will get the token, he/she needs to type the security token in a pop-up window to get access to the envelope, that will be recorded in the Audit trail document.
Add an Identity Verification IDV - you can select one of the IDV verification accordingly available for your country to check a Driver License or Passport document, thus the recipient must have the Driver License or Passport to confirm his identity.
Unfortunately, it will be difficult to prevent forwarding by all of our suppliers and customers no matter what the guidelines say. They often have little digital maturity and would hand out their car keys as well ;-)
SMS verification or other validation is not always possible as we do not have the mobile numbers of all potential recipients (or do not even know them by name) or the recipients don´t have a mobile phone for business purposes.
This means that we will have to check more closely whether we can use docusign for our simple standard cases where we cannot or do not want to carry out any additional verification.
Thank you for reaching back and sharing your concerns.
We apologize for any inconvenience this may have caused you, however, any feedback that can improve our users’ experience is always more than welcome.
If you’re a DocuSign Administrator for a corporate plan, you have the additional option of filing your request directly when you’re logged into your account. You’ll be able to click the “Give Feedback” button at the bottom of the screen to submit your idea.
If you found our response to be a useful solution to your question, please mark it as the best answer by clicking “Select as Best” to make it easier for other users to find.
Let us know if you need further assistance with this.
Best regards,
Nathaly | DocuSign Community Moderator
"Select as Best" below if you find the answer a valid solution to your issue!
If it helps I opened an enhancement for this one. I agree that this is big RED FLAG and had we known this when we started, we may have went a different route.
The biggest issue we had was the out of the box access codes also did not work because we had a setting that the signer did not need to enter an access code within so many hours/minutes of entering the first time.
When the email was forwarded and if the original receiver had opened with the access code the new receiver could open without the access code and then noone was the wiser. There is nothing to indicate that the new person is not the original person… Nothing.
We feel that access codes should have the same security measures as SMS and IDV authentications. Once the email is forwarded, the access code should be reapplied and the new person should have to use the security that is applied.
Also, DS says it uses these community posts to decide what enhancements are needed. This same issue has been in multiple posts but has only received a few hits on each post. That seems to me that it is something that should be looked into and resolved at DS because quite a few people have created posts on the same issue and each time different people have commented they have the same issue or our concerned by the lack of security that this causes.
This isn’t solved. ID verification methods are an inconvenient workaround and optionally added to envelopes. There’s no way to address this at the global account level.
Our Financial Institution’s C-Level executives have just realized their envelopes can be signed by someone else when they forward the email notification. Minus the warnings in the email, I don’t think any reasonable person would believe that someone could sign on their behalf if they forward the email notification. It’s more like showing someone the inside of your car while the keys are in it, and they steal it! It’s not like handing over the keys to your car.
Why does the ability to forward an email notification to another recipient even exist? Is this working as intended or a security flaw?
How is there a setting to ‘prevent the forwarding of completed envelopes’ but not one to prevent the forwarding of all envelopes?
Exactly. We added additional notes to the message section and we made the security setting that you need to reenter an access code every time you open a document not just the first one, plus we also had to train all our senders that they need to ALWAYS use an access code for everyone to ensure that others can’t access. A lot of hoops for something that shouldn’t be this complicated or shall I say flawed considering it is the one and only reason we use a digital signature provider and don’t just use pdf signatures.
You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.
You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.
Back to Docusign.com
