A transaction is the experience of a OneSpan Sign user as they review, accept, sign, and potentially download documents. The sender of a transaction generally performs the procedures in the following sections:

 

Configuring Recipient Authentication

To add an extra layer of security to your online transactions, OneSpan Sign offers robust and flexible recipient-authentication options. Specifically, you can select various ways of validating the identity of the recipient of an invitation to a transaction before they are permitted to access the transaction's documents.

The rest of this section describes how to configure the following types of authentication:

By default, the authentication process is optional. However, it is possible to require an Authentication Method for all recipients of all transactions created in your account. To arrange this, please contact our Support Team.

General Authentication

"General Authentication" refers to tools built into OneSpan Sign that enable you to verify the identity of the recipient. Alternatively, you can use third-party authentication tools as described in the Knowledge-Based Authentication section.

Prerequisites

  • If you want to assign an SMS, Q&A, or SSO method to a recipient, that authentication method must be enabled for your account. You can arrange this by contacting our Support Team.
  • If you want to assign a Document Verification Only or Document Verification with Facial Comparison method to a recipient, that authentication method must be enabled for your account. You can arrange this by contacting your Account Representative.

Action

To specify a General authentication method for a transaction recipient:

  1. Locate the Recipients section of the Transaction page.
  2. Click Add Recipient or locate an existing recipient whose authentication method you'd like to modify.
  3. Click the ellipsis (...) in the last column, and then click Settings.
  4. Select the Authentication tab. A new dialog box appears.
  5. If necessary, select General as the Type.
  6. Select one of the following General authentication methods, and then follow any prompts that appear:
    • None: This is the default authentication type. The recipient's identity is verified by their secure name and password when they log in to their email account.
    • SMS: The recipient's identity is verified by a secure SMS code sent to their cellphone number. The recipient must enter that code to open the transaction.
      For SMS codes, note the following:

      • SMS codes can only be used once.
      • By default, SMS codes expire 5 minutes after being sent. However, SMS codes can be configured to expire after different times, ranging from 1 to 10 minutes. The maximum expiry time is 10 minutes. To change the expiry time for your SMS codes, please contact our Support Team.
      • The default number of times that a user may attempt to enter an SMS code is three. However, this can be configured to allow up to five attempts. If a user does not successfully enter the SMS code within the defined maximum number of attempts, they will be blocked from any further attempts until the current SMS code expires.

      • A valid SMS code will have between four and ten digits.
      • The SMS message received by signers will be set to “Your SMS verification code is: <passcode>”. The SMS portion of the message can be customized per account by contacting our Support Team. The replacement string must be between 1 and 30 characters.

    • Q&A: The recipient's identity is verified using a secure question & answer defined by the sender. At least one question & answer is required. Once the recipient launches the Signer Experience they will be prompted to answer these questions.
    • SSO: The recipient's identity is verified through an Identity Provider (IdP). For more information, see Single Sign-On Authentication.
      SSO authentication cannot be configured via connectors or mobile applications.

    • Document Verification Only: Validates the recipient's driver’s license, passport, or national identity card.
    • Document Verification with Facial Comparison: Examines one of those identity documents, and compares the recipient's photo on that document with the recipient's selfie.
      If you selected either of the above Document Verification methods, you will be prompted to enter the recipient's mobile phone number. If you don't do so, and if the recipient starts the transaction on their computer, the recipient will be prompted to provide their phone number before they start the verification process.

      ID Verification is the generic name for the methods Document Verification Only and Document Verification with Facial Comparison.

      • Customers can decide: (1) if they want to enable Document Verification Only and/or Document Verification with Facial Comparison; (2) if they want ID Verification to be used when a recipient tries to access signed documents.

      • Starting with OneSpan Sign 11.44, ID Verification and KBA Authentication can both be assigned to a recipient. To access the relevant transaction, the recipient must pass both authentication methods.

      • ID Verification is currently supported in all OneSpan Sign supported languages, with the exception of Arabic. If Arabic is selected during transaction creation, the ID verification experience will default to English. We are planning to support this language in the future.

      • Once a transaction with ID Verification is complete, robust vendor-independent Audit Trails store all authentication and e-signature actions in a unified Evidence Summary document. The Evidence Summary does not contain images of the recipient’s ID Document or face.

      • ID Verification for OneSpan Sign is available only in the following environments: US1, US2, CA and EU. It is not available in the US FedRAMP or AU environments.

      • ID Verification is not supported when Reassigning Recipients.

      • ID Verification is not supported within iFrames.

      • The following ID Verification features are planned for future releases: (1) support for Bulk Sending; (2) support for customized workflows; (3) the ability to combine ID Verification for a recipient with the Q&A, SMS and SSO authentication methods.

  7. Click Save. A green dot next to the Authentication option indicates that an authentication method has been set.

By default, a signer is locked out of signing if they fail multiple authentication attempts. However, such signers can be automatically unlocked once they're locked out. If you want to arrange this, contact our Support Team.


KBA Authentication

Knowledge-Based Authentication (KBA) allows you to present challenge questions to your recipient. If the recipient provides the correct answers, they are verified as the correct recipient of the transaction. KBA relies on a third-party KBA provider to perform the authentication. That provider is either Equifax US or Equifax Canada.

KBA questions are generated dynamically, based on information in a signer's personal credit report.

KBA authentication can be used in conjunction with any one of the General authentication methods above.

Prerequisites

  • Equifax US and/or Equifax Canada has been enabled on your account. To arrange this, contact our Support Team.

Action

To specify a KBA authentication method for a transaction recipient:

  1. On the Recipients section of the Drafts tab of the Transaction page, hover your mouse over the row of the recipient.
  2. Click the ellipsis (...) in the last column, and then click Settings.
  3. Select the Authentication tab. A new dialog box appears.
  4. If necessary, select KBA as the Type.
  5. As KBA Provider, select one of the following:
    • Equifax - CA
    • Equifax - US

    If you want to disable KBA authentication, select None.

  6. Enter information about the recipient (fields marked with an asterisk are required).
  7. Click Save. A green dot next to the Authentication option indicates that an authentication method has been set.

By default, a signer is locked out of signing if they fail multiple KBA authentication attempts. However, such signers can be automatically unlocked once they're locked out. If you want to arrange this, contact our Support Team.

Starting with the 11.42 release of OneSpan Sign, the Classic User Experience is no longer supported for SaaS customers. This section is thus only intended for on-premises customers who have not yet migrated to our Container deployment.

Configuring Recipient Authentication

Before OneSpan Sign permits a user to access a document package, they must be authenticated as an intended recipient of the package. The package owner specifies an Authentication Method for each signer when they add the signer to the package. The owner can specify different methods for different signers.

The basic Authentication Methods are:

If you wish, you can require an Authentication Method for all signers of all packages created in your account. To arrange this, please contact our Support Team.

Email

The default Authentication Method is Email. In this case, a signer's identity is validated based on their ability to access the email message sent by OneSpan Sign. Clearly, this method depends on the security of the email system. The Q&A and SMS Authentication Methods provide enhanced levels of security.

To see how Email Authentication appears to the signer, see Authentication by Email.

Q&A

The Q&A Authentication Method requires the package owner to specify one or two question-answer pairs. If the signer can correctly answer the questions, they are validated as the intended package recipient.

Senders can choose to mask the signer's answers, so that when the signer types an answer, each typed character appears on the screen as an asterisk (*).

OneSpan Sign's default behavior is to mask a signer's answers. This default can be changed by contacting our Support Team. In any case, senders can always overwrite any setting of the "mask answer" check boxes.

To see how Q&A questions appear to the signer, see Authentication by Q&A.

SMS

When a package owner chooses the SMS Authentication Method, they must provide the number of the signer's mobile phone. OneSpan Sign sends a code to this number once the package is sent. The identity of the signer is validated based on their ability to provide this code when they attempt to access the package.

For SMS codes, note the following:

  • SMS codes can only be used once.
  • By default, SMS codes expire 5 minutes after being sent. However, SMS codes can be configured to expire after different times, ranging from 1 to 10 minutes. The maximum expiry time is 10 minutes. To change the expiry time for your SMS codes, please contact our Support Team.
  • The default number of times that a user may attempt to enter an SMS code is three. However, this can be configured to allow up to five attempts. If a user does not successfully enter the SMS code within the defined maximum number of attempts, they will be blocked from any further attempts until the current SMS code expires.

  • A valid SMS code will have between four and ten digits.
  • The SMS message received by signers will be set to “Your SMS verification code is: <passcode>”. The SMS portion of the message can be customized per account by contacting our Support Team. The replacement string must be between 1 and 30 characters.
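
The SMS code rules listed above (the same rules appear under General Authentication earlier on this page) can be modeled as a small state machine, which is useful when writing integration tests against the expected behavior. This is an added example, not OneSpan Sign code: the class names, the six-digit default, the lower bound of one attempt, and the status strings are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class SmsCodePolicy:
    expiry_minutes: int = 5  # page: default 5, configurable from 1 to 10
    max_attempts: int = 3    # page: default 3, configurable up to 5
    digits: int = 6          # page: 4 to 10 digits; 6 is an assumed default

    def __post_init__(self):
        if not 1 <= self.expiry_minutes <= 10:
            raise ValueError("expiry must be 1 to 10 minutes")
        if not 1 <= self.max_attempts <= 5:  # lower bound of 1 is assumed
            raise ValueError("max attempts must be 1 to 5")
        if not 4 <= self.digits <= 10:
            raise ValueError("code length must be 4 to 10 digits")


class SmsChallenge:
    """One issued code: single use, time limited, attempt limited."""

    def __init__(self, policy=SmsCodePolicy(), now=time.time):
        self.policy, self._now = policy, now
        # CSPRNG digits; in a real system this value only leaves via SMS.
        self.code = "".join(secrets.choice("0123456789") for _ in range(policy.digits))
        self._expires_at = now() + policy.expiry_minutes * 60
        self._failures = 0
        self._used = False

    def verify(self, submitted: str) -> str:
        if self._now() >= self._expires_at:
            return "expired"   # caller must issue a fresh challenge
        if self._used:
            return "used"      # codes can only be used once
        if self._failures >= self.policy.max_attempts:
            return "blocked"   # stays blocked until this code expires
        # Constant-time comparison avoids leaking matching prefixes via timing.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self._used = True
            return "ok"
        self._failures += 1
        exhausted = self._failures >= self.policy.max_attempts
        return "blocked" if exhausted else "invalid"
```

Note that once the attempt limit is reached, even the correct code is rejected until the code expires and a new one is issued.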

Customers who dial outside of North America must dial the exit code first (011), then the country code, and then the local phone number. They should omit any listed trunk code, which is typically a "0" at the beginning of the number. A widget is in place to assist you.

To see how a signer provides an SMS code, see Authentication by SMS.