If you’re using DocuSign to send or sign important documents, you need more than just a good password. Two-factor authentication (2FA) is one of the easiest ways to keep your account from getting hijacked. This guide is for people who want real security, not just the checkbox version.
You’ll learn how to actually set up 2FA in DocuSign, what your options are, and—just as important—what to skip or watch out for. Whether you’re an admin who needs to roll this out to a team, or just locking down your own account, you’ll find all the steps here.
Why Two-Factor Authentication Matters
Passwords get leaked, phished, or guessed. Adding 2FA means even if your password is stolen, someone still can’t get into your DocuSign account without a second proof that it’s really you. It’s a small hassle for a lot more peace of mind.
But let’s be honest: not all 2FA is created equal. SMS codes can be intercepted, email 2FA is only as good as your email security, and sometimes companies make things more complicated than they need to be. So let’s focus on what works—and how to set it up right.
What Kind of 2FA Does DocuSign Support?
DocuSign gives you a few ways to add that second layer of security. Here are the main options:
- Text message (SMS) codes: You get a code sent to your phone. Easy, but not the most secure.
- Authenticator app (TOTP): Use apps like Google Authenticator, Authy, or Microsoft Authenticator to generate time-based codes. Much better than SMS.
- Phone call: You get a call with the code. Rarely used, but an option.
- Email codes: Least secure—skip this if possible.
- Single Sign-On (SSO): If your organization uses SSO (like Okta or Azure AD), your IT team handles authentication. This is a bigger setup.
- Knowledge-based authentication (KBA): For signers, not account security. Ignore for now.
For your own DocuSign login, focus on authenticator apps or SMS. If you’re an admin, you can also require 2FA for users or for people signing documents.
Step 1: Check Your DocuSign Plan and Permissions
Not every DocuSign plan has all 2FA options. Here’s what to check:
- Personal/Individual DocuSign users: You can turn on 2FA for your own login.
- DocuSign Admins (Business/Enterprise plans): You can enforce 2FA for everyone or specific groups.
- Signer authentication: You can require 2FA for people signing your envelopes. Different setup—skip to the end for tips.
Pro Tip: Some advanced 2FA settings may be locked behind “Advanced Authentication” add-ons. If you don’t see an option described here, you might need to talk to DocuSign support or your sales rep.
Step 2: Enable 2FA for Your DocuSign Login
For Individual Users
- Log in to DocuSign.
  - Go to your DocuSign dashboard.
- Go to your profile settings.
  - Click your profile picture or initials in the top right.
  - Choose “My Preferences” or “Manage Profile” (DocuSign moves this around sometimes).
- Find Security Settings.
  - Scroll to “Security” or “Login & Security.”
  - Look for “Two-Step Verification” or “Two-Factor Authentication.”
- Turn on 2FA.
  - Click to enable.
  - You’ll be asked what kind of 2FA you want to set up (SMS, Authenticator app, etc.).
- Set up your chosen method.
  - Authenticator App: Scan the QR code with your app (Google Authenticator, Authy, etc.), then enter the code it generates.
  - SMS: Enter your phone number and type in the code you receive.
  - Phone Call: Enter your number and follow the instructions.
- Save your changes.
  - DocuSign usually confirms setup by asking for a code one more time.
Heads up: If you don’t see these options, your admin may have locked things down, or your plan may not support certain 2FA methods.
For Admins (Enforcing 2FA for Users)
If you’re a DocuSign admin and want everyone to use 2FA:
- Go to the Admin Console.
  - Click your profile and choose “Go to Admin.”
- Navigate to Security Settings.
  - Look for “Authentication” or “Login Policies.”
- Set authentication policies.
  - You can require 2FA for all users or specific groups.
  - Choose which types of 2FA you’ll allow (SMS, Authenticator app, etc.).
- Save and notify your users.
  - Users will be prompted to set up 2FA at their next login.
Tip: Forcing 2FA can cause friction. Warn your users ahead of time and send them setup instructions.
Step 3: Test Your 2FA Setup
Don’t assume it’s working—test it.
- Log out of DocuSign.
- Log back in and make sure you’re prompted for a second factor.
- Try using your backup codes (if available) to make sure you know where they are.
If you can’t get in, walk through the account recovery process now, before you actually need it.
Step 4: (Optional) Require 2FA for Document Signers
If you send sensitive documents and want signers to verify their identity, you can require 2FA for them too. This is different from securing your own account.
Here’s how:
- When preparing an envelope, add recipients as usual.
- For each signer, set an authentication method.
  - Click “Add Access Authentication” or similar (wording varies).
  - Choose SMS, phone, or knowledge-based authentication.
  - Enter their phone number (for SMS or call).
- Send the envelope.
  - The signer will have to verify their identity before they can view or sign.
Note: This costs extra on many plans, and not every recipient likes jumping through hoops. Use only when it’s worth it.
What to Watch Out For
- Backup codes: If you use an authenticator app, DocuSign may give you backup codes. Save them somewhere safe (not just in your email).
- Phone number changes: If you lose your phone or change numbers, you might get locked out. Update your 2FA settings if anything changes.
- SMS risks: SIM swapping is real. Authenticator apps are safer.
- Account recovery: DocuSign’s process for regaining access is decent, but not instant. If you’re an admin, make sure users know how to get help.
- Overkill: Don’t require KBA for every signer unless you’re in a regulated industry. It’s expensive, slow, and most people hate it.
Real-World Tips
- Authenticator apps > SMS, every time. Unless you have no other choice, skip SMS.
- Don’t rely on email 2FA. If someone gets your email, they can get into DocuSign too.
- SSO is great—if you have IT. If your company already uses SSO, just make sure it’s set up with 2FA. Let your IT team handle the details.
- Audit your settings. Check who has 2FA enabled every few months. People forget or get lazy.
- Communicate changes. If you’re rolling this out to a team, let them know what’s coming and give them a cheat sheet.
Keeping It Simple
Two-factor authentication is one of the few security upgrades that’s actually worth the effort. It’s not perfect, and DocuSign’s options are a bit scattered, but it’s way better than nothing. Set it up, test it, and move on. If you’re an admin, don’t go wild with every possible option—pick what works, keep it simple, and tweak as you go.
You don’t need to be paranoid, just practical. And if you run into trouble, DocuSign’s support is slow but usually gets the job done. Set aside 20 minutes, follow the steps above, and you’ll sleep a little better tonight.