# Product Security

### Authentication Security

**Authentication Modes**

emSigner supports multiple modes of authentication: users can use emSigner native authentication, protocols such as SAML 2.0 and OpenID Connect for SSO, or integration with external multi-factor authentication systems through REST APIs, Office 365 Cloud AD, and Google accounts for user authentication.

**Password Policy**

emSigner's native authentication allows only administrators to configure password policies, which are imposed through the administrator settings. Administrators can choose the password complexity (length, letters, numbers, upper and lower case, etc.), aging, and login attempts.

**Two-factor Authentication (2FA)**

emSigner's native authentication allows two-factor authentication for users through email/SMS-based OTPs or through the Google, Microsoft, or emSigner Authenticator app.

**Credential Security**

We follow credential storage best practices by never storing passwords in a human-readable format. Stored credentials are always the result of a secure, one-way hash.

### Additional Product Security

**Role Based Access Controls (RBAC)**

Access to workflows and documents within emSigner is governed by Role Based Access Controls (RBAC) and can be configured at the granular level. emSigner supports various permission levels - at the user level and department level for initiators, signatories/reviewers, administrators, etc. Restrictions can also be imposed on the document level for pre-defined workflows and ad-hoc level workflows, including the document uploaded for signing, attachments (if any), and completion certificates.

**Audit Logs**

emSigner offers Audit Logs for accounts, with details related to account changes, user changes, actions performed, etc. The Audit Log is available in Administrator settings and can be exported in Excel/PDF formats for further analysis. To learn more about Audit Logs and see what information is captured within the logs, [view Audit Logs](https://support.emsigner.com/legal-evidence/verifying-digitally-signed-documents/activity-log).

**Document Log**

emSigner captures various actions performed by the users on a document, which include the Sent, Viewed, and Signed/Reviewed data along with the timestamp. It also captures the operating system, browser, and IP address used by the user while performing the action(s) assigned to the participant. [View Document Log](https://support.emsigner.com/legal-evidence/verifying-digitally-signed-documents/document-log).

**Rate Limiting and Abuse Prevention**

emSigner implements rate limiting at the API gateway level to prevent misuse and ensure fair usage of API resources. The system monitors API requests at the IP level and applies a pre-defined threshold for permissible request volumes within a specific time window. When this threshold is exceeded, further requests are automatically blocked and an error is returned to the client.
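
The per-IP threshold and time window described above can be sketched as a sliding-window counter. This is an added illustration, not emSigner's gateway code; the threshold, window length, HTTP 429 status, and `Retry-After` header are assumptions, since the page states only that an error is returned.

```python
import math
import time
from collections import defaultdict, deque


class PerIPRateLimiter:
    """Sliding-window request limiter keyed by client IP (illustrative only)."""

    def __init__(self, threshold, window_seconds, clock=time.monotonic):
        self.threshold = threshold        # assumed value, not emSigner's setting
        self.window = window_seconds      # assumed value, not emSigner's setting
        self.clock = clock                # injectable so the logic can be tested
        self._hits = defaultdict(deque)   # ip -> timestamps of accepted requests

    def check(self, ip):
        """Return (allowed, seconds_until_a_slot_frees) for one request."""
        now = self.clock()
        hits = self._hits[ip]
        # Discard timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.threshold:
            # Blocked requests are not recorded, so a blocked client
            # recovers as soon as its oldest accepted request expires.
            return False, self.window - (now - hits[0])
        hits.append(now)
        return True, 0.0


def handle(limiter, ip):
    """Gateway-style wrapper mapping the decision to a status and headers."""
    allowed, wait = limiter.check(ip)
    if allowed:
        return 200, {}
    # 429 Too Many Requests is the conventional status (assumption here).
    return 429, {"Retry-After": str(max(1, math.ceil(wait)))}


def simulate():
    """Replay constructed (time, ip) traffic with threshold=3 per 10 s."""
    now = [0.0]
    limiter = PerIPRateLimiter(3, 10, clock=lambda: now[0])
    traffic = [(0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
               (3, "198.51.100.7"), (3, "203.0.113.9"),
               (10, "198.51.100.7"), (10.5, "198.51.100.7")]
    results = []
    for when, ip in traffic:
        now[0] = when
        results.append(handle(limiter, ip))
    return results
```

In the constructed traffic, the fourth request from `198.51.100.7` is blocked while `203.0.113.9` is unaffected, and the first address is served again once its oldest request leaves the window.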

**Attachment Authentication (2FA)**

emSigner allows the user to configure attachment visibility from the administrator module. Administrators can define whether or not the participants can view the attachment(s) at the workflow level.
