New

Authenticaton Settings for Recipients

Related products:eSignature

7 months ago
August 22, 2024
8 replies
88 views

newtoclm
Conversation Starter
21 replies

I just found out today that if a recipient forwards the email that they receive with the link to the envelope and they already opened and authenticated their access using and Access Code, then the person that they sent the link to can open the document and basically just sign it as the first person. This seems risky to me. Also, the Authentication Settings for the Access Code feature basically do not allow for a person to require an access code for each new browser. Basically, its either every single time or only once - no in between. So all someone who is being nefarious would need to do is wait until you look at your document, allow you to enter your access code and then - boom, they’re in signing as if they were you with no record on the certificate.

https://support.docusign.com/s/document-item?language=en_US&bundleId=pik1583277475390&topicId=muh1583277327950.html&_LANG=enus

Per the Authentication Settings, "When using Access Codes with this setting, the recipient is not prompted to authenticate again after the first time, even if using a different device."

I would like to suggest that this be changed in light of the forwarding issue, to allow for this to be switched to allow for the same as Phone Authentication, SMS Authentication, and Knowledge-Based ID checks. It should be allowable to require the access code every time they log in from a different browser. Like in the setting "Any recipient must authenticate on every envelope sent from this account"

+3

lcornwell
Conversation Starter
17 replies
7 months ago
August 27, 2024

Have you opened a DocuSign ticket for this? This sounds like a huge security issue to me. I will be following this topic for sure and will be checking all of our DocuSign accounts for this setting. Thank you for bringing it to our attention!

N

+4

newtoclm
Author
Conversation Starter
21 replies
7 months ago
August 27, 2024

I did open a ticket. I felt the same way. I also asked for an enhancement. I’ve been on DS for awhile and was surprised that this was even a thing.

+3

lcornwell
Conversation Starter
17 replies
7 months ago
August 27, 2024

I was discussing this with my teammate. We were talking about possibly changing all of our accounts to “Every time a recipient accesses an envelope”, but we don’t want to do that either. We’ll be charged every time someone opens the envelope if anything other than access code is used. That could get costly REALLY quickly.

N

+4

newtoclm
Author
Conversation Starter
21 replies
7 months ago
August 27, 2024

We switched ours to the below, however that still puts the onus on the sender to remember to use Access codes. We also added a message to the envelope reinforcing the recipient not to forward the link but instead to download and send the document if they want someone else to look at it.

I would like to have it allow the first “always” and to be able to use the Skip Option for a limited time. The best of both worlds. Or better yet if it is sent to someone else, a different desktop, or different browser, then require an access code. That would be win-win all the way around.

N

+4

newtoclm
Author
Conversation Starter
21 replies
7 months ago
August 27, 2024

Also, according to the documentation the “always” feature only applies to the cost items not access code so definitely would get costly.

N

+4

newtoclm
Author
Conversation Starter
21 replies
1 month ago
February 7, 2025

Haven’t really heard anything new on this subject and wondered if anyone else had?

+11

mshealy
Digital Collaborator
103 replies
1 month ago
February 10, 2025

I have heard nothing. Not surprised.

Denise

Authenticaton Settings for Recipients

8 replies

Reply

Most helpful members this week

Reply

Related topics

What account or permission profile settings control the availability of Recipient Privileges and Document Visibility settings?icon

Authentication settings for recipientsicon

Account settings indicate the recipient must be an active DocuSign user.icon

I am trying to change my Legal Disclosure settings to require that recipients accept the ERSD each time they receive an envelope, but that option is grayed out for me. How can I change this? I am having trouble contacting support about this.icon

Setting a field that either recipient 1 OR recipient 2 can fill in.icon

Most helpful members this week

Sign up

You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.

Docusign Community

You can login or register as either a Docusign customer or developer. If you don’t already have a Docusign customer or developer account, you can create one for free when registering.

Scanning file for viruses.

This file cannot be downloaded