Introduction

OTP stands for "One-Time Password," and TOTP stands for "Time-based One-Time Password." Both are authentication methods that provide an additional layer of security beyond traditional passwords. In essence, OTPs, including TOTPs, are dynamic and time-sensitive, providing an effective means of securing digital accounts and transactions. When the documents are shared on the web with other users, it's important to upscale the security levels for preventing fraudulent attempts and bad actors compromising your document security. SigningHub provides you with an option to configure One Time Password (OTP) and Time based One Time Password (TOTP) for login authentication, document opening authentication, and document signing authentication.


How it works?

  1. Configure the SMS and Email connectors, in SigningHub Admin.
  2. Configure OTP and TOTP against your service plan, in SigningHub Admin.
  3. Authentication via One Time Password (OTP) and Time based One Time Password (TOTP)
    • Login Authentication 
    • Document Access Authentication 
    • Document Signing Authentication
      • Signing Server-level Authentication
      • Recipient Permission-level Authentication
      • Field-level Authentication
      • OTP preference



Configuring Connectors in SigningHub Admin 

Configure the "SMS Gateway" connector to be used for sending SMS OTPs, and the "Email Gateway" connector to be used for sending Email OTPs.


  • Configure an SMS Connector

To see in detail, how to create a Twilio Connector in SigningHub, click here. (Alternatively, either the Generic SMS connector, or the Clickatell connector could also be used.)  

Make the following configurations to a connector in SigningHub Admin:


  1. In the "Basic Information" section, choose "Twilio" as the "Provider".



  1. In the "Details" section, fill in the required fields.



  • Configure an Email Connector

To see in detail, how to create an SMTP Server Connector in SigningHub, click here.

Make the following configurations to a connector in SigningHub Admin:


  1. In the "Basic Information" section, choose "SMTP Server" as the "Provider".



  1. In the "Details" section, fill in the required fields.





Service Plan Configuration in SigningHub Admin

To see in detail, how to create a new service plan in SigningHub, click here.

Make the following configurations against the service plan. 

  1. From the Settings screen, check the "Enable One Time Password (OTP)" and the "Enable Time based One Time Password (TOTP)" checkboxes, as required.




Authentication via One Time Password (OTP) and Time based One Time Password (TOTP)

One Time Password (OTP) and Time based One Time Password (TOTP) can be used for login authentication, document access authentication, and document signing authentication.

  • Login Authentication
    • Configuration:

To see in detail, how to configure a secondary authentication method for login in SigningHub, click here.

Make the following configurations to the user role settings SigningHub Web:


  1. In the "Login Authentication" tab, choose either "One Time Password" or "Time based One Time Password (TOTP)" as the "Secondary Authentication Method".
  1. Once the enterprise administrator enforces Time based One Time Password as a secondary authentication method on to a role, and a user under that role does not have two factor authentication (2FA) configured at the time of login, they will be sent an email to set up and to provide a Time based One Time Password. If the user has already configured two factor authentication (2FA) they will be prompted to provide the Time based One Time Password from the authenticator app configured on their mobile device.
  2. To configure the two factor authentication (2FA) the user will need to install an authenticator app (Google Authenticator, Microsoft Authenticator, etc.) on their mobile device. The email sent to the user to configure two factor authentication (2FA) will contain:
    • QR Code
    • Manual Key
    • Recovery Codes

To set up, the user can either scan the "QR Code" or manually input the "Manual Key" in the Authenticator app. Once the registration is successful, the user can provide the automatically generated Time based One Time Password from the Authenticator app to SigningHub in order to proceed. The list of recovery codes included in the configuration email can be used in place of a Time based One Time Password, once each recovery code, to regain access to your SigningHub account, in case you lose access to your mobile device. It is advised to save the recovery codes in a safe place. The user can however, regenerate a new list of the recovery codes from the Manage Two Factor Authentication (2FA) option. In case enterprise user loses access to your mobile device and recovery codes, or have used all of the recovery codes, you can ask your enterprise admin to reset the two factor authentication (2FA) against your account.


    • Authentication:
  1. Once a secondary authentication method has been configured for login, the user will be prompted for secondary authentication upon login, after primary authentication.



  • Document Access Authentication
    • Configuration:

To see in detail, how to configure document access authentication for a workflow in SigningHub, click here.
Make the following configurations to a workflow in SigningHub Web:


  1. From the "Set Access Security" dialog, check the "Document Access Authentication", and from the following options choose either "OTP Authentication" or "Time based One Time Password".
  1. The OTP method under "OTP Authentication" will be the same as per the configured OTP method in the document owner's service plan.
    • "(Email)", in case only "Email OTP" is configured in the service plan
    • "(SMS)", in case only "SMS OTP" is configured in the service plan
    • "(SMS and Email)", in case both "Email OTP" and "SMS OTP" are configured in the service plan
  1. If the user does not have two factor authentication (2FA) configured, they will be sent an email to set up and to provide a Time based One Time Password. If the user has already configured two factor authentication (2FA) they will be prompted to provide the Time based One Time Password from the authenticator app configured on their mobile device.
  2. To configure the two factor authentication (2FA) the user will need to install an authenticator app (Google Authenticator, Microsoft Authenticator, etc.) on their mobile device. The email sent to the user to configure two factor authentication (2FA) will contain:
    • QR Code
    • Manual Key
    • Recovery Codes

To set up, the user can either scan the "QR Code" or manually input the "Manual Key" in the Authenticator app. Once the registration is successful, the user can provide the automatically generated Time based One Time Password from the Authenticator app to SigningHub in order to proceed. The list of recovery codes included in the configuration email can be used in place of a Time based One Time Password, once each recovery code, to regain access to your SigningHub account, in case you lose access to your mobile device. It is advised to save the recovery codes in a safe place. The user can however, regenerate a new list of the recovery codes from the Manage Two Factor Authentication (2FA) option. In case enterprise user loses access to your mobile device and recovery codes, or have used all of the recovery codes, you can ask your enterprise admin to reset the two factor authentication (2FA) against your account.


    • Authentication:
  1. Once a document access authentication has been configured for a workflow, the user will be prompted for authentication upon opening the document.



  • Document Signing Authentication

Document signing authentication can be classified into three different categories; Signing Server-level Authentication, Recipient Permission-level Authentication, and Field-level Authentication.


    • Signing Server-level Authentication
      • Configuration:

To see in detail, how to configure a secondary authentication method against a signing server in SigningHub, click here.
Make the following configurations to the user role settings SigningHub Web:


    1. In the "Authentications" section, choose either "One Time Password" or "Time based One Time Password (TOTP)" as the "Secondary Authentication Method".
  1. Once the enterprise administrator enforces Time based One Time Password as a secondary authentication method for a signing server against a role, and a user under that role does not have two factor authentication (2FA) configured at the time of signing with that signing server, they will be sent an email to set up and to provide a Time based One Time Password. If the user has already configured two factor authentication (2FA) they will be prompted to provide the Time based One Time Password from the authenticator app configured on their mobile device.
  2. To configure the two factor authentication (2FA) the user will need to install an authenticator app (Google Authenticator, Microsoft Authenticator, etc.) on their mobile device. The email sent to the user to configure two factor authentication (2FA) will contain:
    • QR Code
    • Manual Key
    • Recovery Codes

To set up, the user can either scan the "QR Code" or manually input the "Manual Key" in the Authenticator app. Once the registration is successful, the user can provide the automatically generated Time based One Time Password from the Authenticator app to SigningHub in order to proceed. The list of recovery codes included in the configuration email can be used in place of a Time based One Time Password, once each recovery code, to regain access to your SigningHub account, in case you lose access to your mobile device. It is advised to save the recovery codes in a safe place. The user can however, regenerate a new list of the recovery codes from the Manage Two Factor Authentication (2FA) option. In case enterprise user loses access to your mobile device and recovery codes, or have used all of the recovery codes, you can ask your enterprise admin to reset the two factor authentication (2FA) against your account.


      • Authentication:
    1. Once a secondary authentication method has been configured against a signing server, the user will be prompted for authentication at the time of signing.




    • Recipient Permission-level Authentication
      • Configuration:

To see in detail, how to configure recipient permission-level signing authentication for a workflow in SigningHub, click here.
Make the following configurations to a workflow in SigningHub Web:


    1. From the "Set Access Security" dialog, check the "Document Signing OTP Authentication", and from the following options choose either "OTP Authentication" or "Time based One Time Password".
  1. The following rules will be followed for initiating the OTP process:
    • The system will initiate when the recipients attempt to sign a signature field, and will not initiate OTP process when recipient attempts to mark an Initials field.
    • Even if Document Signing OTP Authentication is configured, OTP process will fail to initiate in case the signer is performing Bulk Sign. 
    • When the recipient is a registered user and attempts to sign a signature field, the system will follow the OTP authentication settings (including mobile number) as configured by document owner via "Set Access Security" dialog. 
      • In case the OTP authentication is not configured by the document owner, the system will follow the OTP authentication settings configured in the Enterprise Role while using the mobile number specified on the user's "My Settings" page.
      • In case OTP authentication is not configured in the Enterprise Role or Service Plan, then OTP process will not initiate. 
    • When the recipient is a guest user and attempts to sign a signature field, the system will follow the OTP authentication settings (including the mobile number) as configured by document owner via "Set Access Security" dialog.  
      • In addition, even if the OTP authentication is configured in the Enterprise role, OTP process will still not initiate.
  1. The OTP method for "Document Signing OTP Authentication" will be the same as per the configured OTP method in the document owner's service plan.
    • "(Email)", in case only "Email OTP" is configured in the service plan
    • "(SMS)", in case only "SMS OTP" is configured in the service plan
    • "(SMS and Email)", in case both "Email OTP" and "SMS OTP" are configured in the service plan
  1. If the user does not have two factor authentication (2FA) configured, they will be sent an email to set up and to provide a Time based One Time Password. If the user has already configured two factor authentication (2FA) they will be prompted to provide the Time based One Time Password from the authenticator app configured on their mobile device.
  2. To configure the two factor authentication (2FA) the user will need to install an authenticator app (Google Authenticator, Microsoft Authenticator, etc.) on their mobile device. The email sent to the user to configure two factor authentication (2FA) will contain:
    • QR Code
    • Manual Key
    • Recovery Codes

To set up, the user can either scan the "QR Code" or manually input the "Manual Key" in the Authenticator app. Once the registration is successful, the user can provide the automatically generated Time based One Time Password from the Authenticator app to SigningHub in order to proceed. The list of recovery codes included in the configuration email can be used in place of a Time based One Time Password, once each recovery code, to regain access to your SigningHub account, in case you lose access to your mobile device. It is advised to save the recovery codes in a safe place. The user can however, regenerate a new list of the recovery codes from the Manage Two Factor Authentication (2FA) option. In case enterprise user loses access to your mobile device and recovery codes, or have used all of the recovery codes, you can ask your enterprise admin to reset the two factor authentication (2FA) against your account.


      • Authentication:
    1. Once a recipient permission-level signing authentication has been configured for a workflow, the user will be prompted for authentication at the time of signing.




    • Field-level Authentication
      • Configuration:

To see in detail, how to configure a field-level authentication for a signature field in SigningHub Web, click here.
To see in detail, how to configure a field-level authentication for an in-person signature field in SigningHub Web, click here.

Make the following configurations to a signature/in-person signature field in SigningHub Web:


    1. From the "Edit Signature/In-Person Field" dialog, enable "Authenticate signer via OTP" and from the following options choose either "OTP Authentication" or "Time based One Time Password".
  1. The "Authenticate signer via OTP" option is not available:
    • For a signature field:
      • If recipient is a group signer or a placeholder.
      • If One Time Password (OTP) and Time based One Time Password options are disabled in the service plan.
      • In case of an Individual workflow type.
    • for an in-person Signature field:
      • If One Time Password (OTP) and Time based One Time Password options are disabled in the service plan.
      • In case of an Individual workflow type.
  1. If there is an unprocessed signature/in-person signature field with the "Authenticate signer via OTP" option configured, the user will not able to "Bulk Sign" and "Bulk Sign and Share" the document. 
  2. The OTP method for "Authenticate signer via OTP" will be the same as per the configured OTP method in the document owner's service plan.
    • "(Email)", in case only "Email OTP" is configured in the service plan
    • "(SMS)", in case only "SMS OTP" is configured in the service plan
    • "(SMS and Email)", in case both "Email OTP" and "SMS OTP" are configured in the service plan
  1. If the user does not have two factor authentication (2FA) configured, they will be sent an email to set up and to provide a Time based One Time Password. If the user has already configured two factor authentication (2FA) they will be prompted to provide the Time based One Time Password from the authenticator app configured on their mobile device.
  2. To configure the two factor authentication (2FA) the user will need to install an authenticator app (Google Authenticator, Microsoft Authenticator, etc.) on their mobile device. The email sent to the user to configure two factor authentication (2FA) will contain:
    • QR Code
    • Manual Key
    • Recovery Codes

To set up, the user can either scan the "QR Code" or manually input the "Manual Key" in the Authenticator app. Once the registration is successful, the user can provide the automatically generated Time based One Time Password from the Authenticator app to SigningHub in order to proceed. The list of recovery codes included in the configuration email can be used in place of a Time based One Time Password, once each recovery code, to regain access to your SigningHub account, in case you lose access to your mobile device. It is advised to save the recovery codes in a safe place. The user can however, regenerate a new list of the recovery codes from the Manage Two Factor Authentication (2FA) option. In case enterprise user loses access to your mobile device and recovery codes, or have used all of the recovery codes, you can ask your enterprise admin to reset the two factor authentication (2FA) against your account.

  1. In case a recipient is changed and the "Authenticate signer via OTP" option was configured, the system will require the mobile number of the new recipient.


      • Authentication:
    1. Once a field-level authentication authentication has been configured, the user will be prompted for authentication at the time of signing.




    • OTP Preference

The following OTP preference will be followed while signing, in case of configuration of Signing Server-level Authentication, Recipient Permission-level Authentication, and Field-level Authentication.


Field-level Authentication

Recipient Permission-level Authentication

Signing Server-level Authentication

OTP preference

No

No

No

-

Yes

Yes

Yes

Field-level OTP

Yes

No

No

Field-level OTP

Yes

Yes

No

Field-level OTP

Yes

No

Yes

Field-level OTP

No

Yes

No

Recipient Permission-level Authentication

No

Yes

Yes

Recipient Permission-level Authentication

No

No

Yes

Signing Server-level Authentication




See Also