Dropbox Sign security and access controls
Strengthen your Dropbox Sign security by managing authentication methods, controlling access, and protecting sensitive signing workflows.
7 minuti di lettura
Your organization is up and running in Dropbox Sign. Now it's time to decide how you'll protect access to your account, documents, and users.
The good news is that most security settings are straightforward to configure. While some features, such as SAML SSO, may require support from your IT team, many security controls can be enabled with just a few clicks.
In this module, you'll explore the security and access controls available in Dropbox Sign, understand when to use them, and learn how they can help support your organization's security and compliance requirements.
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) adds an extra layer of protection by requiring users to verify their identity using an additional authentication factor, such as a one-time passcode, in addition to their password.
Common authentication methods include:
SMS verification, which sends a one-time code to the user's mobile device.
OTP (One-Time Passcode) authentication, which generates temporary verification codes through an authenticator app such as Google Authenticator.
Enabling MFA helps reduce the risk of unauthorized account access, particularly when users access Dropbox Sign from multiple devices or locations.
Why use MFA?
MFA can help protect against:
Stolen passwords
Credential reuse
Unauthorized account access
For organizations handling sensitive documents, MFA is a recommended security control.
Note
Admins can require all users in the organization to use MFA. Once enabled, users will be prompted to set up their second factor the next time they log in and won't be able to skip the setup process.
If you're enabling MFA for a large team, consider communicating the change in advance so users know what to expect at their next login.
Signer authentication overview
In addition to securing user accounts, admins can control how signers access documents.
Signer authentication adds an additional verification step before a signer can open and complete a signature request.
Available options include:
Custom access codes
Text message authentication
While senders choose whether to apply these controls to individual requests, admins determine whether certain authentication methods are available across the organization.
Custom access codes
Custom access Codes allow senders to add an extra layer of security to a signature request by requiring signers to enter a code before accessing a document.
Admins can enable it for their organization and allow senders to use them when additional signer verification is required.
Custom access codes can be useful when:
Documents contain sensitive information.
Signers need an additional verification step.
Security requirements don't require SMS-based authentication.
Text message authentication
Text message authentication sends a one-time verification code to a signer's mobile device before they can access a document.
This provides an additional layer of identity verification without requiring senders to manage access codes manually.
Note
Admins must enable Text message authentication before team members can use it when sending signature requests.
Common issue
If senders cannot see Text message authentication when creating requests, verify that it has been enabled in the Admin console.
When should organizations use text message authentication?
Consider enabling Text message authentication when:
Documents contain sensitive information.
Additional signer verification is required.
Regulatory or compliance requirements apply.
SAML Single Sign-On (SSO)
SAML Single Sign-O (SSO) allows organizations to authenticate users through their identity provider (IdP), enabling centralized user management and a consistent login experience.
To configure SAML SSO, you'll need information from your identity provider, including:
Sign-in URL
Issuer
X.509 certificate
You'll typically need to work with the team responsible for managing your identity provider to obtain these values. If your organization uses Okta, Microsoft Entra ID (formerly Azure AD), or a similar identity platform, your IT team can help locate the required information.
Once these values are configured in the Admin console, users can authenticate through the organization's identity provider instead of maintaining separate Dropbox Sign credentials.
Before enabling SSO
When configuring SAML SSO for the first time, keep standard admin logins enabled until testing is complete.
If the SSO configuration is incorrect and standard logins are disabled, admis may be unable to access the account.
Best Practice
Test SSO with a non-admin user account before rolling it out more broadly. If something isn't configured correctly, you'll still be able to access the Admin console with your admin account and make any necessary changes.
System for Cross-domain Identity Management (SCIM) support
System for Cross-domain Identity Management (SCIM) support
Many organizations use System for Cross-domain Identity Management (SCIM) to automate user provisioning and deprovisioning across applications.
Current limitation
Dropbox Sign does not currently support SCIM.
Organizations that use SSO should plan to manage Dropbox Sign user provisioning through their existing administrative processes. This means new users must be invited manually, and access must be removed manually when users leave the organization.
If your organization relies on automated provisioning for other applications, consider including Dropbox Sign in your onboarding and offboarding processes.
Electronic Identification (eID)
Electronic Identification (eID) provides a higher level of signer identity verification than standard electronic signatures.
Organizations may use eID when:
Strong identity verification is required.
Industry regulations mandate additional verification.
Signatures must meet specific legal requirements.
The availability and requirements of eID can vary depending on region and use case.
Note
Most organizations won't need eID for everyday signature workflows, but it's important to understand when stronger identity verification may be required. eID is available as a paid add-on for Dropbox Sign.
NOM-151
NOM-151 is a Mexican standard that supports the preservation and validation of electronic documents and records.
Organizations operating in Mexico may use NOM-151 to help support compliance and evidentiary requirements for electronic transactions.
When is NOM-151 relevant?
You may encounter NOM-151 requirements when:
Conducting business in Mexico.
Managing regulated electronic records.
Supporting long-term document validation requirements.
Note
If your organization operates in Latin America, consult your legal or compliance teams to determine whether NOM-151 requirements apply to your workflows.
Security best practices
As an admin, security isn't a one-time setup task. People change roles, new compliance requirements emerge, and settings that made sense when your account was first configured may need to be reviewed as your organization grows.
To help keep your account secure:
Enable 2FA where appropriate.
Review authentication settings regularly.
Test SSO configurations before full deployment.
Enable additional signer verification for sensitive documents.
Stay informed about compliance requirements that apply to your region.
Security controls are most effective when they're reviewed regularly and aligned with organizational policies.
You've configured the settings that help protect your users, documents, and organization.