Why are signers being prompted to Authenticate?DocuSign has enhanced and improved persistent authentication capabilities for recipients that need to access multiple envelopes where authentication is required. These changes add additional control for the sending account and expand persistent authentication duration options and security. These improvements reduce the amount of time and effort needed for recipients to access documents and reduce the cost of redundant authentication checks for account senders while maintaining the same level of security.
Note: These enhancements apply only when sending with SMS, Phone Authentication, or ID Check types of authentication. The enhancements do not apply to Access Code or social authentication methods.
New Time Intervals for Skipping Authentication
Previously administrators were only able to configure the time duration for authentication expiration in days. With this change administrators can now specify the time duration interval in minutes, hours, or days.
Changes for Skipping Authentication "Authenticate on Every Access Settings"
DocuSign provides the ability to require recipients to authenticate every time they access an envelope, even though the recipient might have recently successfully passed authentication. Previously administrators were unable to configure their account to require authentication on each access and to allow recipients to skip authentication. This was a documented limitation. With this change DocuSign is removing this limitation. Now administrators can configure their DocuSign account to require authentication on each access and allow recipients to skip authentication if they have recently passed authentication.
DocuSign has enhanced the security around recipient authentication and accessing documents. With the latest release, access to documents configured with recipient authentication is governed by the recipient’s browser and device. In cases where an account is configured to authenticate recipients the first time they access documents, recipients are not asked to authenticate again when they access the documents from the same browser on the same device. If the recipient attempts to access the documents from a different browser or a different device, the recipient must pass authentication again. Once authenticated, that recipient is not challenged again on the new device or browser. The ability for a recipient to skip authentication for documents is limited to documents sent from the same sending account.
The following are some of the security enhancements ( change in behavior ):
- Persistence (ability to skip authentication) is tied to a browser on a device.
- Persistence (ability to skip authentication) cannot be carried across account memberships. Recipient authentication can be skipped only if the envelope originates from the same sender and is within the time duration.
- Any changes to recipient information may trigger re-authentication. For example, a change in the email address or the phone number.
- If you are using ID Check, any changes in the account configurations such as the number of questions to be asked will trigger re-authentication.
Deprecation of Never Option
With these changes, DocuSign is deprecating the Never option for configuring the account Authentication Expiration setting.
May 2016 Service Pack Notes
Recipient Authentication - New Docusign Experience
Why am I being prompted to Authenticate when Signing?