eSignature URL authentication: are your controls strong enough?

TL;DR: Public eSignature links can expose contracts and personal data if the signer is not authenticated, and AI-enabled scanning of exposed URLs increases the attack surface, according to OneSpan. The real control question is no longer convenience versus security, but whether the signing workflow proves identity before access is granted.

NHIMG editorial — based on content published by OneSpan: Comment protéger vos adresses URL de signature électronique contre les cyberattaques

Questions worth separating out

Q: How should security teams protect electronic signature URLs from unauthorized access?

A: They should require signer authentication before the document opens, not after the link is delivered.

Q: Why do public eSignature links create identity and data risk?

A: Because a public link behaves like a bearer credential.

Q: What do organisations get wrong about eSignature authentication?

A: They often treat authentication as an optional user-experience setting instead of a core access control.

Practitioner guidance

• Bind every public signing URL to signer verification Require authentication before the document ceremony opens, rather than relying on the link itself as proof of entitlement.
• Segment signing workflows by transaction risk Create assurance tiers for routine, regulated, and high-value agreements so the authentication method matches the legal and fraud impact of the document.
• Treat eSignature links as sensitive access paths Limit how signing URLs move through email, SMS, and support channels, and assume message infrastructure may inspect the link.

What's in the full article

OneSpan's full article covers the operational detail this post intentionally leaves for the source:

• A fuller breakdown of when public eSignature URLs remain exposed and which notification paths can surface them.
• A step-by-step comparison of signer authentication options for different transaction types and assurance needs.
• Detailed examples of how embedded signing changes the access model for B2E, B2C, and partner workflows.
• Guidance on matching authentication strength to compliance and user-experience requirements.

👉 Read OneSpan's analysis of how to secure electronic signature URLs →

eSignature URL authentication: are your controls strong enough?

Explore further

View Full Forum →  |  NHI Foundation Course →