Dropbox Sign security and access controls

Strengthen your Dropbox Sign security by managing authentication methods, controlling access, and protecting sensitive signing workflows.

7 minute read

Your organization is up and running in Dropbox Sign. Now it's time to decide how you'll protect access to your account, documents, and users.

The good news is that most security settings are straightforward to configure. While some features, such as SAML SSO, may require support from your IT team, many security controls can be enabled with just a few clicks.

In this module, you'll explore the security and access controls available in Dropbox Sign, understand when to use them, and learn how they can help support your organization's security and compliance requirements.

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) adds an extra layer of protection by requiring users to verify their identity using an additional authentication factor, such as a one-time passcode, in addition to their password.

Common authentication methods include:

  • SMS verification, which sends a one-time code to the user's mobile device.

  • OTP (One-Time Passcode) authentication, which generates temporary verification codes through an authenticator app such as Google Authenticator.

Enabling MFA helps reduce the risk of unauthorized account access, particularly when users access Dropbox Sign from multiple devices or locations.

Dropbox Sign | Admin console MFA

Why use MFA?

MFA can help protect against:

  • Stolen passwords

  • Credential reuse

  • Unauthorized account access


For organizations handling sensitive documents, MFA is a recommended security control.

Note

Admins can require all users in the organization to use MFA. Once enabled, users will be prompted to set up their second factor the next time they log in and won't be able to skip the setup process.

If you're enabling MFA for a large team, consider communicating the change in advance so users know what to expect at their next login.

Ready to enable MFA? See Dropbox Sign two-factor authentication - Google Authenticator for setup instructions and guidance you can share with your users.

Signer authentication overview

In addition to securing user accounts, admins can control how signers access documents.

Signer authentication adds an additional verification step before a signer can open and complete a signature request.

Available options include:

  • Custom access codes

  • Text message authentication

While senders choose whether to apply these controls to individual requests, admins determine whether certain authentication methods are available across the organization.

Dropbox Sign | Admin console signer authenticator

Custom access codes

Custom access Codes allow senders to add an extra layer of security to a signature request by requiring signers to enter a code before accessing a document.

Admins can enable it for their organization and allow senders to use them when additional signer verification is required.

Custom access codes can be useful when:

  • Documents contain sensitive information.

  • Signers need an additional verification step.

  • Security requirements don't require SMS-based authentication.

Text message authentication

Text message authentication sends a one-time verification code to a signer's mobile device before they can access a document.

This provides an additional layer of identity verification without requiring senders to manage access codes manually.

Note

Admins must enable Text message authentication before team members can use it when sending signature requests.

Common issue

If senders cannot see Text message authentication when creating requests, verify that it has been enabled in the Admin console.

When should organizations use text message authentication?

Consider enabling Text message authentication when:

  • Documents contain sensitive information.

  • Additional signer verification is required.

  • Regulatory or compliance requirements apply.

SAML Single Sign-On (SSO)

SAML Single Sign-O (SSO) allows organizations to authenticate users through their identity provider (IdP), enabling centralized user management and a consistent login experience.

To configure SAML SSO, you'll need information from your identity provider, including:

  • Sign-in URL

  • Issuer

  • X.509 certificate

Dropbox Sing | Admin console SAML SSO

You'll typically need to work with the team responsible for managing your identity provider to obtain these values. If your organization uses Okta, Microsoft Entra ID (formerly Azure AD), or a similar identity platform, your IT team can help locate the required information.

Once these values are configured in the Admin console, users can authenticate through the organization's identity provider instead of maintaining separate Dropbox Sign credentials.

Before enabling SSO

When configuring SAML SSO for the first time, keep standard admin logins enabled until testing is complete.

If the SSO configuration is incorrect and standard logins are disabled, admis may be unable to access the account.

Best Practice

Test SSO with a non-admin user account before rolling it out more broadly. If something isn't configured correctly, you'll still be able to access the Admin console with your admin account and make any necessary changes.

Working with your IT team to configure SSO? See Dropbox Sign SAML SSO configuration for setup instructions, provider-specific guidance, and testing recommendations.

System for Cross-domain Identity Management (SCIM) support

System for Cross-domain Identity Management (SCIM) support

Many organizations use System for Cross-domain Identity Management (SCIM) to automate user provisioning and deprovisioning across applications.

Current limitation

Dropbox Sign does not currently support SCIM.

Organizations that use SSO should plan to manage Dropbox Sign user provisioning through their existing administrative processes. This means new users must be invited manually, and access must be removed manually when users leave the organization.

If your organization relies on automated provisioning for other applications, consider including Dropbox Sign in your onboarding and offboarding processes.

Electronic Identification (eID)

Electronic Identification (eID) provides a higher level of signer identity verification than standard electronic signatures.

Organizations may use eID when:

  • Strong identity verification is required.

  • Industry regulations mandate additional verification.

  • Signatures must meet specific legal requirements.

The availability and requirements of eID can vary depending on region and use case.

Note

Most organizations won't need eID for everyday signature workflows, but it's important to understand when stronger identity verification may be required. eID is available as a paid add-on for Dropbox Sign.

If you think your organization may need it, speak with your Dropbox Sign account team before enabling it.

NOM-151

NOM-151 is a Mexican standard that supports the preservation and validation of electronic documents and records.

Organizations operating in Mexico may use NOM-151 to help support compliance and evidentiary requirements for electronic transactions.

When is NOM-151 relevant?

You may encounter NOM-151 requirements when:

  • Conducting business in Mexico.

  • Managing regulated electronic records.

  • Supporting long-term document validation requirements.

Note

If your organization operates in Latin America, consult your legal or compliance teams to determine whether NOM-151 requirements apply to your workflows.

Working with customers or transactions that require NOM-151 compliance? See Dropbox Sign and NOM 151 Compliance for information about enabling the feature, sending compliant signature requests, and validating NOM-151 certificates.

Security best practices

As an admin, security isn't a one-time setup task. People change roles, new compliance requirements emerge, and settings that made sense when your account was first configured may need to be reviewed as your organization grows.

To help keep your account secure:

  • Enable 2FA where appropriate.

  • Review authentication settings regularly.

  • Test SSO configurations before full deployment.

  • Enable additional signer verification for sensitive documents.

  • Stay informed about compliance requirements that apply to your region.

Security controls are most effective when they're reviewed regularly and aligned with organizational policies.

You've configured the settings that help protect your users, documents, and organization.

Now it's time to see what's happening across your account by exploring reports, monitoring activity, and understanding the information available for security and compliance reviews.