A transaction is the experience of a OneSpan Sign user as they review, accept, sign, and potentially download documents. The sender of a transaction generally performs the procedures in the following sections:

Configuring Recipient Authentication

To add an extra layer of security to your online transactions, OneSpan Sign offers robust and flexible recipient-authentication options. Specifically, you can select various ways of validating the identity of the recipient of an invitation to a transaction before they are permitted to access the transaction's documents.

The rest of this section describes how to configure the following types of authentication:

General Authentication

If you wish, you can require an Authentication Method for all recipients of all transactions created in your account. To arrange this, contact our Support Team.

Prerequisite

  • SMS and/or Q&A and/or Signer SSO has been enabled on your account. If this has not been done, you will not see the General type on the screen displayed after Step 2 below.
  • If you want to assign Single Sign-On Authentication (SSO) to a recipient who is a sender on your account, Signer SSO must be enabled on your account.

Action

To specify a General authentication method for a transaction recipient:

  1. On the Recipients section of the Drafts tab of the Transaction page, hover your mouse over the row of the recipient. The ellipsis (...) in the last column is replaced by a gear icon and an X icon.
  2. Click the gear icon, and then click Authentication. A new dialog box appears. Unless you have already configured KBA Authentication, the displayed authentication Type is General.
  3. If necessary, select General as the Type.
  4. Select one of the following General authentication methods, and then follow any prompts that appear:
    • Email: This is the default authentication type. The recipient's identity is verified by their secure name and password when they log in to their email account.
    • SMS: The recipient's identity is verified by a secure SMS code sent to their cellphone number. The recipient must enter that code to open the transaction.
      • The SMS code can only be used once, and by default expires 5 minutes after being sent. The maximum expiry time is 90 minutes (1.5 hours). To change the expiry time, please contact our Support Team.

    • Q&A: The recipient's identity is verified using a secure question & answer defined by the sender. At least one question & answer is required.
    • SSO: The recipient's identity is verified through an Identity Provider (IdP).
      • SSO authentication cannot be configured via connectors or mobile applications.

  5. Click Save. A green dot next to the Authentication option indicates that an authentication method has been set.

Video Tutorial

How to Authenticate Signers in OneSpan Sign

KBA Authentication

Knowledge Based Authentication (KBA) allows you to present challenge questions to your recipient. If the recipient provides the correct answers, they are verified as the correct recipient of the transaction. KBA relies on a third-party KBA provider to perform the authentication. That provider is either Equifax US or Equifax Canada.

KBA questions are generated dynamically, based on information in a signer's personal credit report.

KBA authentication can be used in conjunction with any one of the General authentication methods above.

Prerequisite

  • Equifax US and/or Equifax Canada has been enabled on your account. If this has not been done, you will not see a KBA tab in the following procedure.

Action

To specify a KBA authentication method for a transaction recipient:

  1. On the Recipients section of the Drafts tab of the Transaction page, hover your mouse over the row of the recipient. The ellipsis (...) in the last column is replaced by a gear icon and an X icon.
  2. Click the gear icon, and then click Authentication. A new dialog box appears. Unless you have already configured KBA Authentication, the displayed authentication Type is General.
  3. If necessary, select KBA as the Type.
  4. As KBA Provider, select one of the following:
    • Equifax - CA
    • Equifax - US

    If you want to disable KBA authentication, select None.

  5. Enter information about the recipient (fields marked with an asterisk are required).
  6. Click Save. A green dot next to the Authentication option indicates that an authentication method has been set.

By default, a signer is locked out of signing if they fail multiple KBA authentication attempts. However, such signers can be automatically unlocked once they're locked out. If you want to arrange this, contact our Support Team.

Configuring Recipient Authentication

Before OneSpan Sign permits a user to access a document package, they must be authenticated as an intended recipient of the package. The package owner specifies an Authentication Method for each signer when they add the signer to the package. The owner can specify different methods for different signers.

The basic Authentication Methods are:

If you wish, you can require an Authentication Method for all signers of all packages created in your account. To arrange this, please contact our Support Team.

Email

The default Authentication Method is Email. In this case, a signer's identity is validated based on their ability to access the email message sent by OneSpan Sign. Clearly, this method depends on the security of the email system. The Q&A and SMS Authentication Methods provide enhanced levels of security.

To see how Email Authentication appears to the signer, see Authentication by Email.

Q&A

The Q&A Authentication Method requires the package owner to specify one or two question-answer pairs. If the signer can correctly answer the questions, they are validated as the intended package recipient.

Senders can choose to mask the signer's answers, so that when the signer types an answer, each typed character appears on the screen as an asterisk (*).

OneSpan Sign's default behavior is to mask a signer's answers. This default can be changed by contacting our Support Team. In any case, senders can always overwrite any setting of the "mask answer" check boxes.

To see how Q&A questions appear to the signer, see Authentication by Q&A.

SMS

When a package owner chooses the SMS Authentication Method, they must provide the number of the signer's mobile phone. OneSpan Sign sends a code to this number once the package is sent. The identity of the signer is validated based on their ability to provide this code when they attempt to access the package.

The SMS code can only be used once, and by default expires 5 minutes after being sent. The maximum expiry time is 90 minutes (1.5 hours). To change the expiry time, please contact our Support Team.
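The single-use and expiry rules above, as an added illustration (not OneSpan Sign's code or API): a minimal in-memory verifier that enforces the 5-minute default, the 90-minute ceiling and one-time use. The class name, the 6-digit code length and the 3-attempt limit are assumptions, not values from this page.

```python
import hashlib
import hmac
import secrets

DEFAULT_TTL_S = 5 * 60   # default expiry stated on this page: 5 minutes
MAX_TTL_S = 90 * 60      # maximum expiry stated on this page: 90 minutes
MAX_ATTEMPTS = 3         # assumption: guess limit, not stated on this page


class SmsCodeStore:
    """Hypothetical store for single-use, expiring SMS codes."""

    def __init__(self, ttl_s=DEFAULT_TTL_S):
        if not 0 < ttl_s <= MAX_TTL_S:
            raise ValueError("expiry must be above 0 and at most 90 minutes")
        self.ttl_s = ttl_s
        self._pending = {}  # recipient id -> pending code record

    def issue(self, recipient, now):
        """Create a 6-digit code (assumed length); replaces any earlier code."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[recipient] = {
            "digest": hashlib.sha256(code.encode()).digest(),  # not the code
            "expires_at": now + self.ttl_s,
            "attempts_left": MAX_ATTEMPTS,
        }
        return code  # passed to the SMS gateway only

    def verify(self, recipient, submitted, now):
        """Return 'ok', 'expired' or 'invalid'."""
        entry = self._pending.get(recipient)
        if entry is None:
            return "invalid"              # never issued, used, or locked out
        if now >= entry["expires_at"]:
            del self._pending[recipient]
            return "expired"
        candidate = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(candidate, entry["digest"]):  # constant time
            del self._pending[recipient]  # consume on success: single use
            return "ok"
        entry["attempts_left"] -= 1
        if entry["attempts_left"] == 0:
            del self._pending[recipient]  # too many guesses: code is void
        return "invalid"
```

Time is passed in as `now` (seconds) so the expiry boundary can be tested deterministically; a real caller would supply a monotonic clock reading.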

Customers who dial outside of North America must dial the exit code first (011), then the country code, and then the local phone number. They should omit any listed trunk code, which is typically a "0" at the beginning of the number. A widget is in place to assist you.

To see how a signer provides an SMS code, see Authentication by SMS.