OTP Identity Verification

How one-time password verification works and why it's required before signing.

What Is OTP Verification?

Before a signer can access and sign a document, DottSign requires them to verify their identity using a One-Time Password (OTP), a 6-digit code sent to their email or phone number.

This step ensures that:

  • The person signing is the same person who received the invitation
  • No one can sign on someone else's behalf without access to their inbox or phone
  • The audit trail is legally defensible: the signature is tied to a verified identity

How It Works

For Email Signers

  1. The signer opens the signing link from their email invitation.
  2. DottSign sends a 6-digit OTP to the same email address where the invitation was sent.
  3. The signer enters the OTP in the verification screen.
  4. Once verified, the document opens for review and signing.

For WhatsApp Signers

  1. The signer opens the signing link from their WhatsApp message.
  2. DottSign sends a 6-digit OTP via WhatsApp to the same number.
  3. The signer enters the OTP.
  4. The signing flow proceeds normally.

OTP Code Details

Property       Value
Code length    6 digits
Expiry time    10 minutes
Resend         Click Resend code at any time after the code expires

If the code expires, the signer can click Resend code at no cost to get a new one.


Why Can't OTP Be Disabled?

OTP verification is a required step for all DottSign contracts. It cannot be bypassed or disabled.

This is intentional: electronic signature regulations in Brazil (MP 2.200-2), the EU (eIDAS), and the USA (ESIGN Act) require that a signature be attributable to a specific person. The OTP step, combined with the signer's email address, IP address, device fingerprint, and timestamp, forms the proof of intent required for legal validity.

Removing OTP would reduce the legal strength of the signature.


What Appears on the Audit Trail?

Every OTP verification event is recorded in the signed document's audit trail certificate, which is embedded in the final PDF. The certificate includes:

  • ✅ Signing invitation sent to [email address]
  • ✅ OTP verification code sent at [timestamp]
  • ✅ OTP verification completed from IP [IP address]
  • ✅ Signature applied at [timestamp]
  • ✅ Document finalised at [timestamp]

This certificate can be exported and used as legal evidence in the event of a dispute.


Common Issues with OTP

"I didn't receive the OTP email"

  1. Check your Spam and Promotions folders
  2. Wait 1–2 minutes; email delivery can occasionally be delayed
  3. Click Resend code on the verification screen
  4. If you still don't receive it, contact the person who sent you the contract; they can resend the invitation with a fresh link

"The code says it's already expired"

OTP codes are valid for 10 minutes from the moment they are sent, not from when you open the email. Click Resend code to get a fresh code and enter it immediately.

"I entered the code incorrectly"

Request a new OTP by clicking Resend code and enter the fresh code immediately.

"The signer received the OTP but can't complete the verification"

Make sure they are entering the code in the same browser session where they opened the signing link. Opening a new browser tab or a private window after receiving the code may cause the session to be lost.
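
The expiry and session behaviour described in the issues above can be sketched as follows. This is an added illustration, not DottSign's own code: the OtpVerifier class, its in-memory store keyed by a session id, the salted hash, the replace-on-resend and the single-use deletion are all assumptions; only the 6-digit length and the 10-minute lifetime come from this page.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 10 * 60   # from the page: codes expire 10 minutes after sending
OTP_DIGITS = 6              # from the page: 6-digit code


class OtpVerifier:
    """Hypothetical in-memory verifier keyed by browser session id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # session_id -> (salt, code_hash, sent_at)

    @staticmethod
    def _hash(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def send(self, session_id):
        """Issue a fresh code; a resend replaces the previous one (assumption)."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Only a salted hash is kept server side; the clock starts now.
        self._pending[session_id] = (salt, self._hash(salt, code), self._clock())
        return code  # handed to the email or WhatsApp delivery channel

    def verify(self, session_id, code):
        """Return 'ok', 'no_session', 'expired' or 'mismatch'."""
        entry = self._pending.get(session_id)
        if entry is None:
            return "no_session"   # e.g. new tab or private window lost the session
        salt, code_hash, sent_at = entry
        if self._clock() - sent_at > OTP_TTL_SECONDS:
            del self._pending[session_id]
            return "expired"      # measured from send time, not from opening the email
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(code_hash, self._hash(salt, code)):
            return "mismatch"
        del self._pending[session_id]  # single use (assumption)
        return "ok"
```
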

