According to business processes and the law, authentication and the electronic signature process are different steps in the same transaction. For example, an iris scan authenticating you does not mean that you have actually reviewed and agreed to the terms of a contract. Likewise, being able to use your PKI token to electronically apply your digital signature to an electronic record does not necessarily mean you could even see the document.

Because both authentication and signing are important, and different, DocuSign makes an important distinction between the two. In DocuSign, they are tied together into the overall transaction or ceremony of agreement.

DocuSign’s secure authentication model enables you to leverage several different authentication tools for both prior and post authentication modes. DocuSign addresses two general signing scenarios – “remote” signing over the internet and “in-person” signing where the signer is present. DocuSign also provides several layers of authentication that are improvements over typical business practices.

DocuSign’s Authentication Options

DocuSign provides an integrated authentication system that works with the electronic signature process to ensure any level of authentication can be provided and that the authentication provides positive identification of the person signing. 

The DocuSign authentication process is designed and architected with no single point of authentication failure. Authentication can be required each time a signer reviews and signs a document, if requested. One authentication session for a document from company “A” does not mean that company “B” must rely on that authentication, as is the case with PKI digital certificates. 

The DocuSign secure authentication system provides several levels and tools integrated into the system:

1. Email authentication: validates a person’s email address and access to that email address.

2. Access code authentication: validates the person’s ability to provide a shared secret or passphrase.

3. ID check: validates a person’s knowledge based on a knowledge-based authentication process provided by RSA.

4. OFAC checking: validates whether a person’s name is on the Specially Designated Nationals List administered by the Office of Foreign Assets Control.

5. Age verification: validates a person’s age is correct as entered.

6. STAN PIN system: validates the person’s Student Authentication Network as entered.

7. Federated authentication: accepts and records authentication by another system when integrated with DocuSign. This can be any form.

The DocuSign secure authentication system supports a workflow of authentication for integrated customers, enabling decision-making during the authentication process. For example, if a person’s age verification results in an age older than 18 years, then the authentication process will also include knowledge-based authentication; if the age is 18 years or younger, then the authentication process will also include the Federal STAN PIN system.

In addition to these prior authentication tools, DocuSign collects IP addresses of all the users and time stamps all activity into the audit trail along with all the authentication results.

In-Person Signing

If your signing process takes place in person, consider what authentication steps you require. Depending on your business, you may do one of the following:

1. No authentication other than accepting a signature. The vast majority of processes happen this way. The signer appears, signs a contract and it is considered good. In this case, there is really no electronic authentication process. Simply have the signer appear in person and sign. No need to use additional authentication.

2. Identification before signing. In some cases, the signer is required to produce a valid driver’s license or other form of picture ID for the person hosting the transaction to identify the signer.

3. Notarization. This is the most stringent form of in-person authentication and it is used in only very sensitive situations.

Using DocuSign, it is possible to sign in person by selecting the recipient type as “In-Person Signer.” Once this is selected for a recipient, the system asks for a signing host and, depending on the business process defined, will require whatever credential is typically used. One example is using a driver’s license for authentication.

DocuSign’s In-Person Signing process is a witnessed signing with credential collection support. Once the signer is authenticated by the witness, he or she may electronically sign on the local computer. Once done, the witness must re-apply his or her signature to record that he or she was present for the whole signing. In addition to the local credential collection, the signer may also be requested to process a knowledge-based authentication or a shared secret for multi-layer authentication. Therefore, this can be either a prior or a post authentication mode process.

Remote Signing

The most common form of electronic signing with DocuSign is remote signing. The signer receives an email that he or she has a document to sign. This remote signing process uses at least email authentication and the sender may elect to use additional layers of authentication for more sensitive transactions. 

In situations where the signing process is embedded into another portal or website, that portal’s authentication can be passed along when signing starts, and used as the only authentication process or supplemented by the authentication tools DocuSign provides.

In all cases, the signer’s authentication is recorded in the DocuSign Audit Log and the DocuSign Certificate of Signing regardless of how the person signed – in-person, remote, or embedded. The Audit Log and Certificate of Signing are encrypted and tamper-proof.

When considering your signer authentication strategy, you should evaluate your current processes and risks. Then establish any increased or decreased risks that might be present by transitioning from a paper process to an electronic one. Once you have this understanding, you can establish the policies and authentication procedures you should use with your electronic signature service. 
