




















TL;DR
Start your free 14-day trial — no credit card required.
In today’s digital-first world, document signing workflows must balance security with user experience. The challenge becomes even more complex when external signers — people outside your organization who don’t have system accounts — need to access and sign documents securely.
We recently tackled this challenge by developing a sophisticated authentication system that enables external users to securely access our workflow signer interface without requiring login credentials, using a combination of encrypted tokens and multi-factor authentication (MFA).
Traditional document signing workflows face a fundamental tension:
Our solution needed to satisfy all three requirements while maintaining the seamless experience users expect from modern digital tools.
Before implementing this authentication system, you’ll need:
We designed a three-layer security system that maintains both security and usability.
When an administrator configures a signing task, our system generates cryptographically secure tokens for each external signer. Here’s how it works:
// Generate unique file access token for the signer.
string tokenGuid = Guid.NewGuid().ToString();
// Store token with context in secure database table.
string sql = @"INSERT INTO ACCESS_TOKENS
(TOKEN_ID, DOCUMENT_ID, OWNER_TYPE,
OWNER_ID, CONTEXT, CREATED_DATE, CREATED_BY)
VALUES (@token_id, @document_id, @owner_type,
@owner_id, @context, @created_date, @created_by)";
The system then encrypts this token, along with tenant and document information, using AES-256 encryption:
// Create data object with all necessary context.
var dataObject = new { fileAccessToken, tenant, documentId = deKey };
string data = JsonConvert.SerializeObject(dataObject);
// Encrypt using environment-specific key.
using (var aes = Aes.Create())
{
aes.Key = encryptionKey;
aes.IV = iv;
aes.Mode = CipherMode.CBC;
aes.Padding = PaddingMode.PKCS7;
// ... encryption logic
}
Each signer receives an email containing a unique, encrypted link. The link structure ensures:
The email link follows this pattern:
https://domain.com/app/external-signature/{encryptedToken}?standalone=true
When a signer clicks the email link, they don’t immediately access the document. Instead, our React-based MFA component intercepts the request:
// MFA verification component handles the security checkpoint.
export function ExternalSignerMFAVerification() {
const { state, setVerified, setFailed } = useSignatureMFA();
const [code, setCode] = useState('');
const [attempts, setAttempts] = useState(0);
// Handle verification with attempt limiting.
const handleSubmit = useCallback(async (e: FormEvent) => {
if (attempts >= MAX_ATTEMPTS || !isValidCode(code)) return;
const result = await SignatureMFA.verifyMFA({
sessionId: state.accessToken,
code: code.trim(),
});
// ... verification logic
}, [code, attempts]);
}
The backend generates and validates MFA codes using Redis for secure, temporary storage:
// Generate secure MFA code.
const mfaCode = Math.floor(100000 + Math.random() * 900000).toString();
const mfaRedisKey = `signerMfa:${accessToken}`;
// Store with expiration and attempt tracking.
await redisClient.setEx(mfaRedisKey, CODE_EXPIRATION_TIME, JSON.stringify({
attempts: 0,
requestCount: 0,
requests: [{ timestamp: Date.now(), code: mfaCode }]
}));
The following diagram shows how these three security layers work together to provide secure, passwordless access for external signers.

Behind each layer of our authentication system are carefully designed security mechanisms that work together to protect document access. The following sections will examine the specific features that make this system both secure and maintainable, from cryptographic validation to session management.
Our token system uses multiple layers of validation:
Cryptographic integrity
Context validation
The MFA system includes several security best practices:
When a signer accesses the system, we validate their encrypted token and verify tenant permissions before granting access. This ensures that only authorized signers with proper licensing can view and sign documents:
async function validateEncryptedToken(encryptedToken) {
// Decrypt and validate token structure.
const parsed = await this.decryptSigningData(encryptedToken);
// Verify tenant permissions.
const hasSignaturePermission = await config.checkModule(
parsed.tenant, 'DigitalSignature'
);
const hasBasicPermission = await config.checkModule(
parsed.tenant, 'DocumentSigning'
);
if (!hasSignaturePermission && !hasBasicPermission) {
throw new Error('Insufficient permissions');
}
return parsed;
}
From the signer’s perspective, the process is straightforward:
This architecture provides several technical advantages, outlined below.
Since implementing this system, we’ve seen a positive impact in the following areas:
User experience
Security and compliance
Key insight — Security doesn’t have to come at the expense of usability. With careful architecture and implementation, you can create systems that are both more secure and more user-friendly than traditional approaches.
For organizations implementing similar systems, focus on these key areas. Success requires balancing strong security foundations with thoughtful user experience design, while maintaining flexibility to adapt to different document sensitivity levels and use cases.
Find out about custom authentication and MFA for your organization.
Passwordless authentication for external signers addresses the challenge of balancing security with user experience. This layered approach — encrypted tokens, multi-factor authentication, and thoughtful interface design — provides secure access without requiring account creation.
The key insight is that security doesn’t have to come at the expense of usability. With careful architecture and implementation, you can create systems that are both more secure and more user-friendly than traditional approaches.
For organizations implementing similar systems, focus on the layered approach: strong cryptographic foundations, well-designed user interfaces, and continuous monitoring and improvement. The result is a system that users trust and administrators can confidently deploy for sensitive business processes.
Ready to modernize your external signer authentication? Explore how Nutrient Workflow Automation Platform can help you implement secure, passwordless authentication for enhanced document security.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。