The following discusses security implications of certain "Document Preferences" settings. To access "Document Preferences", go to the "Administration" tab, click on settings, and look for the "Document Preferences" heading.
Require Signatory Passwords
We recommend you set "Require Signatory Passwords" to "Yes". How you determine what is an acceptable password is a business policy decision you must make.
Documents will either be initiated by your users through the AssureSign interface or through integration methods described in the DocumentNOW documentation. If "Require Signatory Passwords" is set to "Yes", then manually launched documents will require an entry of a password. Depending on the level of security you require, your AssureSign users could enter the signatory’s last four digits of their Social Security Number or their account number. There are a number of possibilities for manually assigning a shared secret.
When this setting is on, DocumentNOW methods will require that a password be programmatically passed in for each signatory described in your submission. We recommend this password not be communicated in any invitation to sign, but rather be based on a shared secret or closely-held account based information.
Configuring Password Complexity Requirements for Signer Passwords
Most documents are created using templates. If this is the case, it is possible to configure the parameters (used to populate signer attributes such as name, email address, password, etc.) to ensure that password complexity requirements are met. This can be done by doing the following:
- Navigate to the Classic Templates tab
- Select Existing from the side menu
- Click the Edit link on the template you would like to modify
- Click the Edit Workflow link
- Click the Edit link on the signer you would like to modify
- In the Signatory Authentication section, click the Change link next to the Password parameter
- In the popup, leave Parameter selected and click Next
- Leave Edit Parameter selected and click Next
- Enter a Validation Message and Validation Expression (regular expression) that will be used to ensure that the signer password meets complexity requirements and then click Finish
- Click the Save link to persist your changes
Knowledge Based Authentication (KBA)
AssureSign also optionally supports Knowledge-based Authentication for signers. This can provide and additional level of security by helping ensure the identity of the signer. If this option is not already available for your account, please speak with your administrator who can contact AssureSign to have it enabled. Note that additional charges apply when Knowledge-based authentication is used.
Require Passwords for Access to Completed Documents
Access to completed – signed – documents may be locked down by a number of configuration options, depending on the type of information contained in the documents. Although email templates in the AssureSign system provide convenient ways to send links to completed documents, these templates could be overridden by your own custom email templates that omit this link. In this way, even if the setting "Require Passwords for Access to Completed Documents" is "No", you will be protecting the documents by process (only authenticated users in the AssureSign system with document view access for the account or role will be able to see these documents). However, if sending the link to a complete document is beneficial – or even required by regulation or business obligation – then we recommend setting "Require Passwords for Access to Completed Documents" to "Yes".
When this setting is "Yes", then any initiation of document signing through the AssureSign online system or through DocumentNOW methods will require that a completed document password be specified. Should a user attempt to access the document at a later time from outside the authenticated AssureSign system (such as via a link you send to them) then they will be asked to enter the password. Also, any programmatic attempt to stream down the completed document will also require knowledge of the password.
Document Link Expiration Configuration
You may specify how long signing links and access links to documents (such as those sent in signing completed emails) remain active. The recommended best practice is to specify an expiration date for all signing and document access links. Avoiding the use of permanent links to documents plays an important role in helping ensure the security and privacy of your data. Note that this is also a requirement for certain security compliance standards such as PCI.
You may specify individual settings for:
- Signing Link - links specific to signatories on a given document or envelope
- Original Document Link - link to the document as it existed prior to signing
- Interim Document Link - link to the document as it might be if signing has started but has not yet completed
- Completed Document Link - link to the document after signing has been completed
