A transaction is the experience of a OneSpan Sign user as they review, accept, sign, and potentially download documents. The sender of a transaction generally performs the procedures in the following sections:

 

Configuring Recipient Authentication

To add an extra layer of security to your online transactions, OneSpan Sign offers robust and flexible recipient-authentication options. Specifically, you can select various ways of validating the identity of the recipient of an invitation to a transaction before they are permitted to access the transaction's documents.

The rest of this section describes how to configure the following types of authentication:

General Authentication

"General Authentication" refers to tools built into OneSpan Sign that enable you to verify the identity of the recipient through SMS, Email, or a custom "Question and Answer" format. Alternatively, you can use third-party authentication tools as described in the Knowledge-Based Authentication section.

By default, the authentication process is optional, but it is possible to require an Authentication Method for all recipients of all transactions created in your account. To arrange this, contact our Support Team.

Prerequisites

  • SMS and/or Q&A and/or Signer SSO has been enabled on your account. If this has not been done, you will not see the General type on the screen displayed after Step 2 below.
  • If you want to assign Single Sign-On Authentication (SSO) to a recipient who is a sender on your account, Signer SSO must be enabled on your account.

Action

To specify a General authentication method for a transaction recipient:

  1. Locate the Recipients section of the Transaction page.
  2. Click Add Recipient or locate an existing recipient whose authentication method you'd like to modify.
  3. Click the ellipsis (...) in the last column, and then click Settings.
  4. Select the Authentication tab. A new dialog box appears. Unless you have already configured KBA Authentication, the displayed authentication Type is General.
  5. If necessary, select General as the Type.
  6. Select one of the following General authentication methods, and then follow any prompts that appear:
    • Email: This is the default authentication type. The recipient's identity is verified by their secure name and password when they log in to their email account.
    • SMS: The recipient's identity is verified by a secure SMS code sent to their cellphone number. The recipient must enter that code to open the transaction.
      For SMS codes, note the following:

      • SMS codes can only be used once.
      • By default, SMS codes expire 5 minutes after being sent. However, SMS codes can be configured to expire after different times, ranging from 1 to 10 minutes. The maximum expiry time is 10 minutes. To change the expiry time for your SMS codes, please contact our Support Team.
      • The default number of times that a user may attempt to enter an SMS code is three. However, this can be configured to allow up to five attempts. If a user does not successfully enter the SMS code within the defined maximum number of attempts, they will be blocked from any further attempts until the current SMS code expires.
      • A valid SMS code will have between four and ten digits.
      • The SMS message received by signers will be set to “Your SMS verification code is: <passcode>”. The SMS portion of the message can be customized per account by contacting our Support Team. The replacement string must be between 1 and 30 characters.

    • Q&A: The recipient's identity is verified using a secure question & answer defined by the sender. At least one question & answer is required.
    • SSO: The recipient's identity is verified through an Identity Provider (IdP). SSO authentication cannot be configured via connectors or mobile applications.

  7. Click Save. A green dot next to the Authentication option indicates that an authentication method has been set.


KBA Authentication

Knowledge-Based Authentication (KBA) allows you to present challenge questions to your recipient. If the recipient provides the correct answers, they are verified as the correct recipient of the transaction. KBA relies on a third-party KBA provider to perform the authentication. That provider is either Equifax US or Equifax Canada.

KBA questions are generated dynamically, based on information in a signer's personal credit report.

KBA authentication can be used in conjunction with any one of the General authentication methods above.

Prerequisites

  • Equifax US and/or Equifax Canada has been enabled on your account. If this has not been done, you will not see a KBA tab in the following procedure.

Action

To specify a KBA authentication method for a transaction recipient:

  1. On the Recipients section of the Drafts tab of the Transaction page, hover your mouse over the row of the recipient.
  2. Click the ellipsis (...) in the last column, and then click Settings.
  3. Select the Authentication tab. The displayed authentication Type is General.
  4. If necessary, select KBA as the Type.
  5. As KBA Provider, select one of the following:
    • Equifax - CA
    • Equifax - US

    If you want to disable KBA authentication, select None.

  6. Enter information about the recipient (fields marked with an asterisk are required).
  7. Click Save. A green dot next to the Authentication option indicates that an authentication method has been set.

By default, a signer is locked out of signing if they fail multiple KBA authentication attempts. However, such signers can be automatically unlocked once they're locked out. If you want to arrange this, contact our Support Team.

The 11.35 release of OneSpan Sign deprecated the part of the Classic User Experience for Senders and Admins. Thus the features described on this page are no longer available. If you try to access them, you will be redirected to the corresponding part of the New User Experience. Note: The Classic Signing Ceremony — i.e., the part of the Classic User Experience for Signers — is still supported.

Configuring Recipient Authentication

Before OneSpan Sign permits a user to access a document package, they must be authenticated as an intended recipient of the package. The package owner specifies an Authentication Method for each signer when they add the signer to the package. The owner can specify different methods for different signers.

The basic Authentication Methods are:

If you wish, you can require an Authentication Method for all signers of all packages created in your account. To arrange this, please contact our Support Team.

Email

The default Authentication Method is Email. In this case, a signer's identity is validated based on their ability to access the email message sent by OneSpan Sign. Clearly, this method depends on the security of the email system. The Q&A and SMS Authentication Methods provide enhanced levels of security.

To see how Email Authentication appears to the signer, see Authentication by Email.

Q&A

The Q&A Authentication Method requires the package owner to specify one or two question-answer pairs. If the signer can correctly answer the questions, they are validated as the intended package recipient.

Senders can choose to mask the signer's answers, so that when the signer types an answer, each typed character appears on the screen as an asterisk (*).

OneSpan Sign's default behavior is to mask a signer's answers. This default can be changed by contacting our Support Team. In any case, senders can always overwrite any setting of the "mask answer" check boxes.

To see how Q&A questions appear to the signer, see Authentication by Q&A.

SMS

When a package owner chooses the SMS Authentication Method, they must provide the number of the signer's mobile phone. OneSpan Sign sends a code to this number once the package is sent. The identity of the signer is validated based on their ability to provide this code when they attempt to access the package.

For SMS codes, note the following:

  • SMS codes can only be used once.
  • By default, SMS codes expire 5 minutes after being sent. However, SMS codes can be configured to expire after different times, ranging from 1 to 10 minutes. The maximum expiry time is 10 minutes. To change the expiry time for your SMS codes, please contact our Support Team.
  • The default number of times that a user may attempt to enter an SMS code is three. However, this can be configured to allow up to five attempts. If a user does not successfully enter the SMS code within the defined maximum number of attempts, they will be blocked from any further attempts until the current SMS code expires.
  • A valid SMS code will have between four and ten digits.
  • The SMS message received by signers will be set to “Your SMS verification code is: <passcode>”. The SMS portion of the message can be customized per account by contacting our Support Team. The replacement string must be between 1 and 30 characters.
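
The SMS code rules listed above (and in the General Authentication procedure earlier on this page) interact: single use, expiry, and an attempt limit that blocks until the current code expires. The following Python is an added example that models those rules, not OneSpan Sign code; the class name, result strings, six-digit default length, and the lower bound of one attempt are assumptions.

```python
import hmac
import secrets
import time


class SmsCodePolicy:
    """Constructed model of the SMS code rules; not OneSpan Sign's implementation."""

    def __init__(self, expiry_minutes=5, max_attempts=3, code_length=6,
                 clock=time.monotonic):
        # Bounds from the page: 1-10 minutes, up to five attempts, 4-10 digits.
        # The lower bound of one attempt is an assumption.
        if not 1 <= expiry_minutes <= 10:
            raise ValueError("expiry must be between 1 and 10 minutes")
        if not 1 <= max_attempts <= 5:
            raise ValueError("max attempts must be between 1 and 5")
        if not 4 <= code_length <= 10:
            raise ValueError("code length must be between 4 and 10 digits")
        self.ttl = expiry_minutes * 60
        self.max_attempts = max_attempts
        self.code_length = code_length
        self.clock = clock
        self.code = None

    def issue(self):
        """Generate a fresh code from a CSPRNG and reset the failure counter."""
        self.code = "".join(secrets.choice("0123456789")
                            for _ in range(self.code_length))
        self.expires_at = self.clock() + self.ttl
        self.failures = 0
        return self.code

    def verify(self, submitted):
        """Return 'ok', 'wrong', 'blocked', 'expired' or 'no_code'."""
        if self.code is None:
            return "no_code"              # nothing issued, or already used
        if self.clock() >= self.expires_at:
            self.code = None
            return "expired"
        if self.failures >= self.max_attempts:
            return "blocked"              # stays blocked until the code expires
        # Constant-time comparison avoids leaking matching prefixes via timing.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.code = None              # single use: a replay is rejected
            return "ok"
        self.failures += 1
        return "wrong"
```

Note that with these rules a correct code submitted after the last allowed failure is still rejected, which is what bounds guessing to `max_attempts` tries per issued code.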

Customers who dial outside of North America must dial the exit code first (011), then the country code, and then the local phone number. They should omit any listed trunk code, which is typically a "0" at the beginning of the number. A widget is in place to assist you.

To see how a signer provides an SMS code, see Authentication by SMS.