Hello,

In our account, we have the following settings enabled: 

  • Recipient Authentication Triggers: The first time a recipient accesses an envelope per device. 
  • Recipient Authentication Skip Option: Recipients cannot skip authentication when accessing subsequent envelopes from the same sender.

When utilizing in-person signing, the user is prompted to enter the access code to initially access the envelope to sign (on the hosted device). However, once all parties have signed the document, a completed email is sent to the signer where they can view the completed document. If the user clicks that link on a different device, they are not prompted to enter the access code and can view the contents of the document.

This is a major security concern if the wrong email was entered or the email was compromised - documents may contain NPPI. Why isn't the access code being prompted on subsequent access of viewing the completed envelope, even if switching the authentication trigger to: Every time a recipient accesses an envelope?

Hi @Kurt Oberhausen,

Thank you for reaching out to the Docusign Community.

Does the issue persist if you pick “Every time a recipient accesses an envelope” instead of “The first time a recipient accesses an envelope per device”?

It is expected behavior to allow a recipient to access the envelope without being asked to authenticate, after they have verified their identity once when using “The first time a recipient accesses an envelope per device”. For more details on this topic, see:

Authentication Settings

Feel free to let us know if you need further assistance with this.

Best regards,

Alejandro R. | Docusign Community Moderator  

Hi @Alejandro.Ramos,

We tested this by changing the setting:

  • Recipient Authentication Triggers: Every time a recipient accesses an envelope.

If the document is sent using "Needs to Sign", everything operates as expected. Recipients will be prompted to enter the access code the first time, and subsequent times when accessing the completed envelope.


If the document is sent using "In-Person Signer", the problem still persists. The access code will prompt for the hosted device, and after the signer enters their email address to receive a copy, they can open the envelope on their personal device without answering any authentication methods.


Hi @Kurt Oberhausen,

Thank you for following up.

This behavior is exclusive to In-Person Signers because the access code workflow is triggered when accessing the envelope through the host’s profile. In contrast, the recipient who opts to have the completed documents emailed to them gets access to them through a permanent link that is not tied to the recipient role that completed the envelope. This is expected behavior from eSignature, according to our documentation and engineering team. More details on this topic can be found here:

Conduct an In Person Signing Session

Nevertheless, I understand your position on this matter and I also find this behavior to be an existing flaw based on the expectations given in the “Authentication Settings” guide. I have taken the necessary steps to request an update to the guide to correct this problem. I would also like to encourage you to consider submitting your idea for review by our development team for possible implementation. If you’re a Docusign Administrator for a corporate plan, you can file your request through a support case or by contacting your Account Team. Otherwise, we invite you to share your product suggestions and feature requests on our dedicated ideas page (https://community.docusign.com/ideas), where we can collaborate to shape the future of our product together.

Please don't hesitate to let me know if you have any other questions or concerns and I will address them as soon as possible.

Best regards,  

Alejandro R. | Docusign Community Moderator