Box Sign provides an extra layer of security by allowing senders to apply additional recipient authentication methods, including:
- Box login: the recipient needs to log in to their Box account before starting the sign process. (Available only on the Enterprise Plus and Enterprise Advanced plans)
- SMS authentication: Box sends the recipient an SMS text message to verify the recipient’s identity.
- Password: the recipient needs to input the password you provide before starting the sign process.
Available if purchased add-on functionality:
- CAC/PIV: On a computer with a Windows Operating System with Box Tools installed, the recipient uses their Common Access Card (CAC) or Personal Identification Verification (PIV) card to access the signature request and continue with the signature request process. See CAC/PIV E-Signature Authentication – Box Support for more information.
- 21 CFR Part 11: only uses Box login as an authentication method. Optionally, the sender can choose if they want to add an additional password of their choice to the signature request by toggling Require Password.
Senders can only select one of the available authentication methods from the dropdown per signature request.
- Activating additional authentication does not mean the signers also receive a signature request via text message.
- Box login is selected by default and locked as a requirement for CFR Part 11 signature requests.
- CAC/PIV requires a Windows machine and Box Tools to begin and complete the signature request.
Password authentication
To add a password for a recipient:
When preparing a document for signature:
- Add the email address of a recipient.
- Click the recipient's email address.
- Click Require Password.
- Under Enter Password type a password.
- Separately provide the password to this recipient.
Sms authentication
To add SMS Authentication for a recipient:
When preparing a document for signature:
- Add the email address of a recipient.
- Click the recipient's email address.
- Select SMS Authentication in the dropdown.
- Select a country code.
- Visit Multi-Factor Authentication Set Up for your Account to learn more about which countries support SMS authentication.
- Type the recipient's phone number.
Box Login
To require recipients to log in to Box:
When preparing a document for signature:
- Add the email address of a recipient.
- Click the recipient's email address.
- Select Box Login in the dropdown.
CAC/PIV authentication
To require CAC/PIV for a recipient:
CAC/PIV E-Signature Authentication
- Add the email address or name of a recipient.
- Set the recipient last in the signing order.
- Click the recipient's name or email address.
- Select CAC/PIV from the dropdown.
- Set the recipient needed to complete the CAC/PIV authentication process as the last signer.
Note: If the recipient is part of an enterprise that has a Box account, they may need to contact their account Admin and confirm that they can be provisioned to authenticate themselves. If the recipient does not have a Box account to authenticate themselves, they can sign up for a free Box account here.
Revise Request
When revising a request that has already been sent out, and the recipient has not signed or approved the request, senders can change the security settings for the recipient.
If SMS authentication and/or password authentication are applied, you will not have access to the previously chosen password or phone number, but you can replace them by clicking on ‘Change Password’ and ‘Change Phone Number’, if needed.
If a sender modifies the signer authentication method originally applied to a signer within a sent signature request, like changing the authentication method from SMS Authentication to Box Login or removing the Require Password authentication method, then that sender will lose all phone number and password values.
Once the recipient has signed or approved the signature request, the security settings cannot be changed.
Templates
Template creators can apply additional recipient authentication methods to signer, approver, and in-person roles within a reusable template.
If the template creator locks the Recipient panel within a template, then the user:
- Will not be able to change the pre-defined recipient authentication method.
- Will be able to add their desired recipient authentication method if no recipient authentication method was pre-defined at the reusable template level.
If the Recipient panel remains unlocked within the template, then the user:
- Will be able to add or remove recipient authentication methods.
If additional authentication methods are applied to placeholder recipients within a template:
- The template creator can select the method, however, they won’t be able to add or modify authentication values, such as the phone number for SMS Authentication or the password for Recipient Password authentication, until the recipient is defined.
- The template user will need to define the recipient (i.e. add the recipient name or email address) and will need to add the recipient authentication method values depending on the authentication method applied before they can send out the request.
If additional recipient authentication methods are applied to defined recipients within a template:
- The template creator can determine the recipient authentication method and configure the authentication method values, such as the phone number for SMS Authentication or the password for Recipient Password authentication.
- The template user might be able to add and/or change the recipient authentication method and its values except when the Recipients panel is locked.