Box Status
Print

CAC/PIV E-Signature Authentication

  • CAC/PIV is used by U.S. Federal Agencies and Federal Contractors. 
  • CAC/PIV e-signature authentication is available on Enterprise Plus and Enterprise Advanced plans only and requires customers to be provisioned on the Box Sign CAC/PIV Add-On Pack.
  • Card-specific limitations that we do not support include:
    • Cards with no digital signing capability
    • Unsupported digital signature algorithms (Box supports RSA and ECDSA)
    • Expired certificate

U.S. Government organizations require additional security measures to safeguard critical information and data. Common Access Cards (CAC) are identification cards that are issued to U.S. Department of Defense personnel. These cards enable physical access to buildings and provide access to DoD computer networks and systems. While CAC cards are the primary identification cards for DoD personnel, Personal Identification Verification cards (PIV) are smartcards used by other branches of the U.S. Federal Government that contain a certificate and a private key to gain access to computers, networks, and online resources. With Box Sign, these organizations can enable and require signature request recipients to authenticate themselves using their CAC or PIV smartcards before gaining access to signing Box Sign signature requests. 

Admin Enablement

Admins can enable CAC/PIV authentication for signature requests for their organization by accessing the Admin Console -> Enterprise Settings -> Box Sign.

In the Box Sign tab, select Edit Configuration under the “CAC/PIV disabled for all managed users” option

From there, you can select from four options for your users and groups:

  • Disable for all managed users
  • Enable for all managed users
  • Enable for select users and groups
  • Enable for everyone except select users and groups

Add the specific users and groups to enable the CAC/PIV authentication workflow setting for them. Once you have selected your users and group preferences, click Save.  

Box Tools

To ensure a seamless signing experience, Box Tools must be installed on a computer with a Windows Operation System for each user receiving signature requests requiring CAC/PIV authentication. This step is crucial to enabling CAC/PIV for your organization. A signature request sent with this authentication method can only be completed by a recipient when Box Tools was installed on a Windows OS computer.

Compatibility requirements for using CAC/PIV with Box Tools:

  • CAC/PIV smartcard 
  • Windows 10 or 11
  • Box Tools ver. 4.28 or above

Visit Installing Box Tools – Box Support for further instructions and how to install Box Tools. 

Once complete, recipients can then authenticate themselves using CAC/PIV hardware. 

Sending Process

As a sender, follow steps 1 through 3 from Sending a document for signature

Selecting CAC/PIV Authentication

Note: CAC/PIV is limited to a single signer in a signature request. If the request includes multiple approvers and signers, the CAC/PIV signer must be last in the signing order.

After adding recipients to a signature request, select which recipient to modify, and select the CAC/PIV option within the Additional Recipient Verification dropdown menu.

Depending on the number of recipients included in the signature request, senders may need to adjust the signing order:

  • Single Recipient

No signing order is needed.

  • Multiple Recipients

Only one recipient can be configured to use CAC/PIV authentication, and that recipient must be assigned as the last signer. 

Additional Authentication

The sender can require an added password for the recipient with CAC/PIV. The recipient will first enter a password before proceeding with the CAC/PIV authentication. SMS authentication and Box login are not available. 

Revising a request

If the signer has not completed the signature request, the sender can revise the request as instructed in Changing a sent signature request – Box Support, including updating the CAC/PIV settings.

CAC/PIV Signing Process

Warning: Box Tools must be installed on a computer with a Windows OS before enabling CAC/PIV. The recipient will be presented with an error during the authentication process if Box Tools is not installed. 

As the recipient starts the signing process, click Review document from the email request.

Once a recipient initiates a signature request, they will be required to authenticate with CAC/PIV. 

After a successful connection, the signer will need to select the appropriate CAC/PIV card from the drop-down menu. 

After completing the authentication process, the signer follows the steps in Signing a document – Box Support, and then after clicking Sign & Finish before submitting the signature, the signer will need to enter a PIN to complete the process. 

The recipient’s selection is recorded in their signature block or initials field within the signed document and in the signing log for reference.



Signing Log

Once the signature request is complete, the signing log is available for review and reference. The signing log displays each CAC/PIV signature, and authentication details as pictured below. You can learn how to access the signing log associated with each signature request here.  

For additional information about how Box can support compliance with CAC/PIV, contact your account manager or client success manager.

Related articles