
We are investigating using eSignLive as an Authenticator for known people in conjunction with its normal eSignature capture case. The idea would be to present the user with a bootstrapping form first so as not to expose PII data:

  1. Email user a link to a Bootstrapping form
  2. On load, DDS call launches eSignLive in an iFrame (InPerson)
  3. The user is challenged with SMS pass code (and KBA possibly)
  4. Detect "authenticated" via postMessage event from iFrame
  5. Call DDS to get SessionId via eSign API*
  6. eSignLive SessionId is to be held (on server)
  7. Then redirect to the Real form with PII data
  8. Fill/Review form
  9. When signing, SessionId is passed to Signing Initiation (skip SMS/KBA if still valid - 30min)

Want to verify these steps and the security of this model.  

*Client TM code is currently not capturing the SessionId, so we have to modify a Wrapper they have to expose the API which can return it.

An alternative is to pass the real form without PII data, detect "authenticated" and have the DDS call return Form XML and use JavaScript to load the data (not certain how feasible this is with large data with various repeating content).

Thanks,

Trevor
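
Added example, not part of the original post and not eSignLive or client code: a sketch of steps 4 to 9 in which the postMessage event only triggers a server-side check, and the PII form and the SMS/KBA skip are gated on state the server holds. The origin, message text, function names and result shape are hypothetical; the 30 minute window is the one given in step 9.

```javascript
// Assumptions: origin, message text and all names below are placeholders.
const SIGNING_ORIGIN = "https://signing.example.com"; // assumed origin of the iFrame
const AUTH_MESSAGE = "AUTHENTICATED";                 // placeholder for the real event payload
const AUTH_TTL_MS = 30 * 60 * 1000;                   // 30 min validity, from step 9

// Browser side (step 4): accept the event only from the expected frame and origin.
// Any window can call postMessage on the page, so data alone proves nothing.
function isTrustedAuthEvent(event, iframeWindow) {
  return event.origin === SIGNING_ORIGIN &&
         event.source === iframeWindow &&
         event.data === AUTH_MESSAGE;
}

// Server side (steps 5-6): `apiResult` stands in for what the server itself got
// back from the DDS / eSign API call. The browser's claim is never stored.
function recordAuthentication(store, sessionKey, apiResult, now = Date.now()) {
  if (!apiResult || apiResult.authenticated !== true || !apiResult.sessionId) {
    return false;
  }
  store.set(sessionKey, { signingSessionId: apiResult.sessionId, authenticatedAt: now });
  return true;
}

// Server side (steps 7 and 9): serve the PII form, or skip SMS/KBA at signing,
// only while the server-held record is younger than the validity window.
function isAuthValid(store, sessionKey, now = Date.now()) {
  const entry = store.get(sessionKey);
  return entry !== undefined && now - entry.authenticatedAt < AUTH_TTL_MS;
}

// Browser wiring (only runs where a DOM exists; element id and URL are placeholders).
if (typeof window !== "undefined") {
  const frame = document.getElementById("signing-frame");
  window.addEventListener("message", (event) => {
    if (frame && isTrustedAuthEvent(event, frame.contentWindow)) {
      // No PII is requested here: the server decides via isAuthValid() on redirect.
      window.location.assign("/real-form");
    }
  });
}
```
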
