Two-factor authentication (TOTP)
RFC 6238 TOTP with QR enrolment, 8 single-use recovery codes, and email-link reset.
What it does
Optional but recommended. Enrol any TOTP app (Google Authenticator, 1Password, Authy); DocSign renders a QR code and a manual secret. Login enforces TOTP after password (and after PIN, if PIN is enabled). Recovery codes are 8 random codes, hashed at rest, each consumed one-shot if you lose your authenticator.
How it works
1. Settings → Two-factor → Enable. Scan the QR with your authenticator.
2. Enter the current 6-digit code to confirm enrolment.
3. DocSign shows your 8 recovery codes. Save them somewhere safe: they're shown exactly once.
4. At next login, after password (and PIN if set), DocSign challenges for a TOTP code; recovery codes are accepted as a fallback.
Why it matters
- Layered with PIN and password, the login pipeline is password → PIN → TOTP.
- Recovery code acceptance is tolerant: dashed, undashed, with spaces, upper or lower case all match.
- If you lose access entirely, the email-link 2FA reset can clear the second factor (audited separately).
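
One way to implement the tolerant, single-use recovery-code check described above, as an added example that is not DocSign's code. The XXXXX-XXXXX code format, the alphabet, the PBKDF2 parameters and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumptions (not from DocSign): 10-character codes shown as XXXXX-XXXXX,
# an alphabet without look-alike characters, PBKDF2-SHA256 with a per-user salt.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
PBKDF2_ROUNDS = 100_000


def normalize(code: str) -> str:
    """Strip dashes and whitespace and fold case so every typed form hashes alike."""
    return "".join(ch for ch in code if ch != "-" and not ch.isspace()).upper()


def hash_code(code: str, salt: bytes) -> bytes:
    """Hash the normalized code; only this digest is stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


def generate_codes(salt: bytes, count: int = 8, length: int = 10):
    """Return (codes to show the user once, set of digests to store)."""
    raw = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
    shown = [c[:5] + "-" + c[5:] for c in raw]
    return shown, {hash_code(c, salt) for c in raw}


def redeem(typed: str, salt: bytes, stored: set) -> bool:
    """Accept a recovery code at most once; compare digests in constant time."""
    candidate = hash_code(typed, salt)
    match = None
    for digest in stored:  # check every entry, no early exit
        if hmac.compare_digest(digest, candidate):
            match = digest
    if match is None:
        return False
    # Consume on success. With a database this must be one atomic
    # delete-if-present so two parallel logins cannot both spend the code.
    stored.remove(match)
    return True
```

Failed attempts should be rate-limited and logged in the same way as failed TOTP attempts, since a recovery code bypasses the authenticator.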
Related features
Random-positions PIN login
After password, DocSign asks for three random positions of your PIN, the UK-bank pattern.
Email-confirmed keys
Every new public key is tied to a one-time email link before it can sign anything.
Tamper-evident audit log
Every security-relevant event is recorded with user, action, IP, user-agent, and timestamp.