Skip to main content
arrow-left Back to Docusign.com
Solved

Security Concern: authentication methods are not prompting on completed envelopes

  • November 26, 2024
  • 3 replies
  • 80 views
K
Newcomer
Forum|alt.badge.img+2

Hello,

In our account, we have the following settings enabled: 

  • Recipient Authentication Triggers: The first time a recipient accesses an envelope per device. 
  • Recipient Authentication Skip Option: Recipients cannot skip authentication when accessing subsequent envelopes from the same sender.

When utilizing in-person signing, the user is prompted to enter the access code to initially access the envelope to sign (on the hosted device). However, once all parties have signed the document, a completed email is sent to the signer where they can view the completed document. If the user clicks that link on a different device, they are not prompted to enter the access code and can view the contents of the document.

This is a major security concern if the wrong email was entered or the email was compromised - documents may contain NPPI. Why isn't the access code being prompted on subsequent access of viewing the completed envelope, even if switching the authentication trigger to: Every time a recipient accesses an envelope?

Best answer by Alejandro.Ramos

Hi ​@Kurt Oberhausen,

 

Thank you for following up.

This behavior is exclusive to In-Person Signers because the access code workflow is triggered when accessing the envelope through the host’s profile. In contrast, the recipient who opts to have the completed documents emailed to them gets access to them through a permanent link that is not tied to the recipient role that completed the envelope. This is expected behavior from eSignature, according to our documentation and engineering team. More details on this topic can be found, here:

Conduct an In Person Signing Session
Nevertheless, I understand your position on this matter and I also find this behavior to be an existing flaw based on the expectations given in the “Authentication Settings” guide, I have taken the necessary steps to request an update to the guide to correct this problem. I would also like to encourage you to consider submitting your idea for review by our development team for possible implementation. If you’re a Docusign Administrator for a corporate plan, you can file your request through a support case or by contacting your Account Team. Otherwise, we invite you to share your product suggestions and feature requests on our dedicated ideas page (https://community.docusign.com/ideas), where we can collaborate to shape the future of our product together.

 

Please don't hesitate to let me know if you have any other questions or concerns and I will address them as soon as possible.

Best regards,  

Alejandro R. | Docusign Community Moderator  

  

"Select as Best" below if you find the answer a valid solution to your issue!  

 

View Original
Is this content helpful?

3 replies

A
Community Moderator
Forum|alt.badge.img+15
  • Alejandro.RamosCommunity Moderator
  • Community Moderator
  • 2070 replies
  • November 27, 2024

Hi ​@Kurt Oberhausen,

 

Thank you for reaching out to the Docusign Community.  

Does the issue persists if you pick “Every time a recipient accesses an envelope” instead of “The first time a recipient accesses an envelope per device”?

It is expected behavior to allow a recipient to access the envelope without being asked to authenticate, after they have verified their identity once when using “The first time a recipient accesses an envelope per device”. For more details on this topic, see:

Authentication Settings

Feel free to let us know if you need further assistance with this. 

 

Best regards,

Alejandro R. | Docusign Community Moderator  

Please click "Best Answer" below if you find my reply to be a valid solution to your issue!

 

K
Newcomer
Forum|alt.badge.img+2

Hi ​@Alejandro.Ramos,

 

We tested this by changing the setting:

 

  • Recipient Authentication Triggers: Every time a recipient accesses an envelope.

 

If the document is sent using "Needs to Sign", everything operates as expected. Recipients will be prompted to enter the access code the first time, and subsequent times when accessing the completed envelope.


If the document is sent using "In-Person Signer", the problem still persists. The access code will prompt for the hosted device, and after the signer enters their email address to receive a copy, they can open the envelope on their personal device without answering any authentication methods.

A
Community Moderator
Forum|alt.badge.img+15
  • Alejandro.RamosCommunity Moderator
  • Community Moderator
  • 2070 replies
  • Answer
  • November 29, 2024

Hi ​@Kurt Oberhausen,

 

Thank you for following up.

This behavior is exclusive to In-Person Signers because the access code workflow is triggered when accessing the envelope through the host’s profile. In contrast, the recipient who opts to have the completed documents emailed to them gets access to them through a permanent link that is not tied to the recipient role that completed the envelope. This is expected behavior from eSignature, according to our documentation and engineering team. More details on this topic can be found, here:

Conduct an In Person Signing Session
Nevertheless, I understand your position on this matter and I also find this behavior to be an existing flaw based on the expectations given in the “Authentication Settings” guide, I have taken the necessary steps to request an update to the guide to correct this problem. I would also like to encourage you to consider submitting your idea for review by our development team for possible implementation. If you’re a Docusign Administrator for a corporate plan, you can file your request through a support case or by contacting your Account Team. Otherwise, we invite you to share your product suggestions and feature requests on our dedicated ideas page (https://community.docusign.com/ideas), where we can collaborate to shape the future of our product together.

 

Please don't hesitate to let me know if you have any other questions or concerns and I will address them as soon as possible.

Best regards,  

Alejandro R. | Docusign Community Moderator  

  

"Select as Best" below if you find the answer a valid solution to your issue!  

 

K
1 person likes this
  • K
    Kurt Oberhausen

Reply


Most helpful members this week

Code of Conduct

Docusign Community

Code of Conduct