
Before Anyone Signs, Make Sure They're Actually Who They Say They Are

Most eSignature breaches don't happen because someone cracked the encryption. They happen because the wrong person opened the link. If you're sending contracts, NDAs, or financial agreements without any identity verification layer, you're hoping the right inbox belongs to the right person — and hope isn't a security strategy.

Secure document signing isn't just about what happens after someone clicks "sign." It's about controlling who gets through the door in the first place. GoodSign gives senders layered identity verification options — from basic email confirmation to SMS codes, access codes, and biometric authentication — so you can match the security level to the actual stakes of the document.

Here's how each method works, when to use it, and how to combine them for stronger protection.

The Four Layers of Identity Verification

GoodSign supports four distinct ways to verify a signer's identity before they can access a document. You don't have to use all of them — but understanding what each one does helps you make smarter choices.

Email link verification is the baseline. The recipient gets a signing link sent to their inbox, and accessing it confirms they control that email address. It's fast, frictionless, and appropriate for low-stakes internal documents where you already know the person.

Access code protection requires the recipient to enter a code before the document opens — a code you set and share separately (via phone call, text, or in person). Because the code travels through a different channel than the signing link, an attacker who intercepts the email still can't open the document.

SMS verification sends a one-time code to the signer's mobile number. The recipient must enter that code before they can proceed. This is true two-factor authentication — something they have (their phone) combined with the email link.

Passkey and biometric authentication ties document access to device-level verification — Face ID, fingerprint, or hardware passkey. This is the strongest option and is increasingly relevant as organizations move toward passwordless security standards.

When to Use Each Method

The right verification method depends on who you're sending to, what the document contains, and how much friction is acceptable.

For internal team documents — onboarding forms, policy acknowledgments, low-sensitivity approvals — email link verification is usually sufficient. The people signing already have accounts and context. Adding extra steps creates friction without meaningful security gain.

Access codes work best when the signer relationship is external but known. Think: a freelancer contract with a new client you've spoken to on the phone, or a vendor agreement with someone your procurement team has already vetted. You set the code, you tell them the code directly, and the document stays locked unless both pieces are in place.

SMS verification is the right choice when identity confirmation matters and you have the signer's mobile number. Client agreements, financial documents, real estate contracts, or anything where you'd want an audit trail showing the signer controlled a verified phone number at the time of signing. With 65.3% of documents signed within 24 hours on average, SMS codes typically reach signers while the session is still active and the context is fresh.

Biometric and passkey options are most appropriate for high-value or regulated documents — executive contracts, legal agreements, healthcare forms — where you need the strongest possible proof of identity and the signer is already set up with device-level authentication.

Protecting Documents Before Signing: A Layered Approach

The most secure workflow combines two methods from different channels. Email delivers the signing link. An SMS code or an access code provides the second factor. Neither one alone is enough to open the document.

When you set up a document in GoodSign, you choose the verification method at the envelope level — before it goes out. That means protection is baked into the document, not bolted on afterward. Senders control this, not recipients.

This matters more than it sounds. If a signing link gets forwarded, shared accidentally, or intercepted in a phishing scenario, access code or SMS verification acts as a hard stop. The link is useless without the second factor.
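The two-channel gate described above, as an added Python example (not GoodSign's code): the emailed link token and the separately shared access code must both verify, and wrong codes count toward a lockout. The names `Envelope`, `create_envelope`, `open_document` and the `MAX_ATTEMPTS` threshold are assumptions made for this illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # assumed lockout threshold, not a GoodSign setting


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the access code, never the code itself.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


@dataclass
class Envelope:
    link_token_hash: bytes  # SHA-256 of the token embedded in the emailed link
    code_salt: bytes
    code_hash: bytes        # hash of the code shared by phone or in person
    failed_attempts: int = 0


def create_envelope(access_code: str) -> tuple[Envelope, str]:
    """Return the stored envelope record and the link token to email."""
    token = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    env = Envelope(hashlib.sha256(token.encode()).digest(), salt,
                   _hash_code(access_code, salt))
    return env, token


def open_document(env: Envelope, link_token: str, access_code: str | None) -> str:
    """Gate document access on BOTH the emailed token and the out-of-band code."""
    if env.failed_attempts >= MAX_ATTEMPTS:
        return "locked"
    token_ok = hmac.compare_digest(
        hashlib.sha256(link_token.encode()).digest(), env.link_token_hash)
    if not token_ok:
        return "denied"          # unknown link: nothing revealed, nothing counted
    if access_code is None:
        return "code_required"   # the link alone never opens the document
    if hmac.compare_digest(_hash_code(access_code, env.code_salt), env.code_hash):
        env.failed_attempts = 0
        return "granted"
    env.failed_attempts += 1     # throttle guessing by whoever holds the link
    return "locked" if env.failed_attempts >= MAX_ATTEMPTS else "denied"
```

Because access codes are short, the attempt counter is the control that stops guessing by someone holding a forwarded link; the hash only protects the stored value.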

For agencies and businesses sending high volumes of contracts, the per-envelope model makes this financially straightforward. At $1.50 per envelope with no subscription and no user limits, you're not paying a premium for security features locked behind higher tiers — every envelope gets access to the same verification tools regardless of how many people on your team are sending documents.

Matching Security to Sensitivity

Not every document needs the same protection level, and over-engineering security for routine paperwork creates unnecessary friction. The goal is proportional protection — lightweight verification for low-risk documents,

All rights reserved © GoodSign Limited 2026
2 Stuart St, Ponsonby, Auckland 1011, New Zealand.