Box Developer Documentation
 

    Extra security (2FA)

    Extra security (2FA)

    Imagine you want an additional layer of security for your signature requests, by requesting the signer to use a password or a phone verification in the document signing step.

    2FA Signature request

    Phone verification

    You can require the signer to use 2FA through their mobile phone to complete the signature request by passing the verification_phone_number parameter on the signer along with their phone number.

    For example:

    cURL
    curl --location 'https://api.box.com/2.0/sign_requests' \
        --header 'Content-Type: application/json' \
        --header 'Authorization: Bearer ej...3t' \
        --data-raw '{
          "is_document_preparation_needed": true,
          "parent_folder": {
            "id": "234102987614",
            "type": "folder"
          },
          "source_files": [
            {
              "id": "1358047520478",
              "type": "file"
            }
          ],
          "signers": [
            {
              "email": "verify@example.com",
              "role": "signer",
              "verification_phone_number": "+15551232190"
            }
          ]
        }'
    

    When the signer tries to access the signature request a phone verification dialog pops up:

    Phone verification

    Then the signer is prompted to enter the code sent in an SMS:

    Entering the SMS code

    Password verification

    You can require the signer to use a password to open the signature request by passing the password parameter in the signer object. For example:

    cURL
    curl --location 'https://api.box.com/2.0/sign_requests' \
        --header 'Content-Type: application/json' \
        --header 'Authorization: Bearer ej...3t' \
        --data-raw '{
          "is_document_preparation_needed": true,
          "parent_folder": {
            "id": "234102987614",
            "type": "folder"
          },
          "source_files": [
            {
              "id": "1358047520478",
              "type": "file"
            }
          ],
          "signers": [
            {
              "email": "verify@example.com",
              "role": "signer",
              "password": "1234"
            }
          ]
        }'
    

    Once the signer opens the signature request they should see something like this:

    Password verification pop-up

    As the password verification is done on the first step, it prevents the signer from accessing the document until the correct password is provided.