By activating the E-Signature functionality in your platform, your learners will be required to electronically sign that they have completed certain courses. The E-Signature feature is available for both the desktop version of your platform and the Go.Learn mobile app and the functionality can be applied to all types of courses (e-learning, ILT-classroom and webinar) in the desktop platform and to e-learning courses in your mobile app, both to newly created and existing courses. For further info about E-Signature for your mobile app, please refer to this article.
When signing a course with an electronic signature, users are able to prove their identity in the system, thus reducing the risk of forgery in your platform. With this feature, your courses in Docebo can be compliant with the Title 21 Part 11 Code of Federal Regulation of the United States.
The Electronic Signature used in your platform is a unique alphanumeric code created by a Hash function. Docebo’s E-Signature is generated based on a user’s data, a course’s training material and the date on which the user completed the course. The algorithm used to create the hash is compliant with the user authentication requirements set in the Title 21 Part 11 CFR of the US and thus the platform’s E-Signature is legally comparable to a user’s handwritten signature.
Because of this, the Audit Trail App also tracks data relating to courses that use the E-Signature functionality. Through the Audit Trail, the platform stores all data relating to the course and the users taking the course (such as user data, the training material needed to complete the course, and the changes made to training material).
To prove their identities, users will complete an additional authentication process (the first authentication is the login or a single sign-on authentication into the platform) after having completed all of the mandatory training material included in a course that requires an E-Signature.
This secondary factor authentication is performed using a 6-digit verification code (One Time Password, or OTP) that is shown on the learner’s device by an authenticator app that generates verification codes or is sent to the learner’s email by using the email authentication method. Users will enter this code in the One Time Password field on the course player page, then validate it to verify their accounts and complete the course.
To learn how to manage this authentication process, refer to the following sections of this article. For further information about what your learners must do to complete this authentication process, refer to this article.
Best Practices & Important Notes
Please keep in mind the following important information:
– The courses in which you as the Superadmin enabled the E-Signature feature are referred to as E-Signature courses in your platform and in this article.
– The E-Signature app is strictly related to the use of the Audit Trail app, therefore the Audit Trail app is automatically activated when the E-Signature app is activated to avoid losing the data required to be compliant with Title 21 CFR Part 11. Both the E-Signature and the Audit Trail app are free for all plans.
– The E-Signature feature works with the Extended Enterprise feature, so each of your subdomains can have E-Signature courses.
– The E-Signature option cannot be disabled for a course once you activate it. If you enable the E-Signature option when you create a new course or edit an existing one, the option will be permanently activated for the course and you won’t have the possibility to change it in the future.
– If your learners use the email authentication method to authenticate via One Time Password, they need to have an email address associated with their user profiles in the platform. In case your users don’t have an email address associated with their profiles, during the email authentication process they will be asked to go to their My Profile page to perform the association (they will have to insert their email in the corresponding field of the My Profile section).
– If you change the training material of an E-Signature course in any way, you will lose the electronic signature’s legal validity. Therefore, whenever possible, we advise you against adding, editing or removing the training material of an E-Signature course. Refer to the list below to know in which cases and under which conditions the One Time Password authentication process cannot be completed by the user or the electronic signature will lose legal validity when making changes to the content of an E-Signature course.
– When you as a Superadmin log in as one of the users in your platform and impersonate one of your users, for security reasons, you cannot access E-Signature courses into which the user that you are impersonating is enrolled. When a user is enrolled in an E-Signature course, he or she has to go through a secondary authentication process in order to prove his or her identity. Accessing an E-Signature course of another user would mean having access to personal One Time Passwords (OTP) needed for E-Signature authentication. As a consequence, the electronic signature will lose its legal validity (of course, in order for the learner’s E-Signature to have legal validity, the course must be completed by the user who signs it and in his or her own account). Please refer to this article for more information about the User Impersonation functionality.
– The E-Signature App works only with the new Course Management. If the E-Signature App is activated in your platform, please note that you cannot roll back to the old Course Management.
Please be aware of the following cases and conditions:
– If a user has completed the training material of an E-Signature course but he/she hasn’t completed the One Time Password authentication process yet, if you (as the Superadmin) then add new training material to the E-Signature course unblocking the Training Material tab of the course, the user will be able to complete the OTP authentication process anyway without having to complete the new training material.
– If you manually change the status of a learner in an E-Signature course to Completed before a user has completed the One Time Password authentication process, the OTP authentication process will be blocked and the electronic signature process cannot be performed (this happens because the hash hasn’t been created). In this case, if the user clicks on training material included in an E-Signature course, he or she will see a message warning that the authentication via One Time Password is not required.
Activating the E-Signature App
To use the E-Signature feature in your courses, you first need to activate the corresponding app. To activate the E-Signature app, log into your platform as the Superadmin, then select the Admin Menu from the gear icon in the top right corner of your homepage. Then, press the Add New Apps button.
Once you’re on the Apps and Features page, select the Docebo Additional Features tab from the tab menu on the left side of the page. Then, find the E-Signature app in the list of apps in the tab, and press the Try it for Free button in the app’s row. In the pop-up box, read more information about the app. When ready, press Try it for Free. The app is now activated in your platform.
Please note: When the E-Signature app is activated, the Audit Trail app is automatically activated for your platform as well. Both the E-Signature and the Audit Trail app are free for all plans.
Once activated the app, you need to activate the E-Signature functionality. To activate it, access the Admin Menu from the gear icon in the top right corner of your platform. Here, select the Manage option in the E-Signature section. On the E-Signature page, switch on the Enable E-Signature for this domain toggle in the Activation section in order to activate E-Signature in your platform.
When you switch the toggle on, the One Time Password Authentication Method section will appear below the Activation section. Here, you can select the authentication method(s) (Authenticator App or Email) that your users will use to verify their identity when completing the course.
Both authentication methods are enabled by default, but you can decide to deactivate one of them and use only one authentication method, or to select again both options (Authenticator App and Email). However, we suggest that you use the Authenticator App as authentication method.
The authentication methods that you select in the Manage menu are the methods that your learners can use to complete the One Time Password authentication process.
Please Note: If you disable the E-Signature functionality by switching off the toggle, remember that you will have to manage manually every E-Signature course not yet completed (as the Superadmin, you will need to force the completion of the course for the users enrolled into the course).
Managing the Authenticator App Pairing for Your Users
If you selected the Authenticator App option in the Manage menu, your users can authenticate using an authenticator app (this authentication method is the one that users will see by default when electronically signing the course, but they can also choose to use the email authentication method, if you also activated this authentication method).
Remember that if your learners use the authenticator app authentication method, they need to configure the app and associate it with their profiles in the platform. If your users’ profiles are not yet associated with the app, when they login and, in case they skip the pop-up box that opens at login, when they open an E-Signature course’s overview or player page, they will be asked to go to their My Profile page to perform the association and configure the authenticator app, in order to be able to access E-Signature courses.
As a Superadmin, you are able to remove the association between a user and the authenticator app. To do so, access the Admin Menu from the gear icon in the top right corner of your platform. In the E-Learning section, select the Users item. In the list of users, you can check if the authenticator app is paired to their profiles in the corresponding column of the users’ list. If you want to remove the association between a user and the authenticator app he or she uses to prove his or her identity, select the ellipsis icon at the end of the user row and choose the Unpair Authenticator App option from the dropdown menu. If you confirm your action in the pop-up box that will open, the association will be reset for the user you selected.
Email Authentication Method
Remember that if your learners use the email authentication method to authenticate via One Time Password, they need to have a valid email address associated with their user profiles in the platform. In case your users don’t have an email address associated with their profiles, at login and, if they skip the pop-up box that opens at login, when they open an E-Signature course’s overview or player page, they will be asked to go to their My Profile page to perform the association (they will have to insert their email in the corresponding field of the My Profile section).
Also, remember to check on the Advanced Settings page of the platform if the options you set allow your users to insert their email. To do so, reach the Users tab on the Advanced Settings page and make sure that the “Hide the My Profile section in the user personal area” option is not selected. If you need to activate this option and your users don’t have an email address associated with their profiles, they’ll have to use the Authenticator App authentication method instead of the Email one.
Enabling the E-Signature Feature for Courses
To activate the E-Signature feature for a newly created or already existing course, reach the Properties tab of the course on the Course Management page and flag the E-Signature option in the Course Info section of the tab. Once you flag this option, the Title and Description fields will appear under the E-Signature checkbox. These fields are pre-filled, and you can edit the text inside of them if necessary, but remember that you cannot delete the text and leave them blank. When taking an E-Signature course, your users will see the title and description you configured for the E-Signature item of that course in the training material box on the right side of the course player page.
By enabling the E-Signature option, your users will need to authenticate via One Time Password (OTP) to complete the course. When finished, press the Save Changes button in the bottom right corner of the page.
Please note: The E-Signature option cannot be disabled for a course once you activate it. If you enable the E-Signature option when you create a new course or edit an existing one, the option will be permanently activated for the course and you won’t have the possibility to change it in the future.
Viewing E-Signature Courses from the Course Management Menu
In the E-Signature column in the list of courses on the Course Management page in your platform, you can see which courses in your platform are E-Signature courses.
On the Course Management page, you can also apply filters to see only E-Signature courses in the courses list. Press the filters icon in the top left corner of the page, then select the Show E-Signature courses only filter in the E-Signature section of the slideout panel. Now, you’ll only see E-Signature courses in the list.
Managing & Unlocking Training Material in E-Signature Courses
When training material is used in an E-Signature course, you should pay careful attention to the management of the training material within the course.
All learners enrolled in an E-Signature course have to complete it under the exact same conditions to maintain the learners’ E-Signature legal validity. For this reason, when a user completes all of the mandatory training material included in the E-Signature course and thus the One Time Password authentication process is available for users, a message at the top of the Training Material tab of the Course Management page will inform you that training material for the E-Signature course is locked.
As a Superadmin, you can decide to select Unlock on the right side of the message in the Training Material tab in order to be able to add, edit or remove the course’s training material.
Please note: If you unlock and then make changes to the E-signature course’s training material, you cannot prove the validity of electronic signatures of users who have completed the course. When you select Unlock, the Unlocking pop up box informs you that the platform will record, in the Audit Trail, all of the changes that you made (if you have added, edited or removed training material). For more information about the Audit Trail, refer to the Audit Trail article and to the following section of this article.
Likewise, before editing or deleting the training material from within the Central Repository (CLOR), a warning message informs you that the electronic signatures of the users who have completed the E-Signature course will lose legal validity.
Whenever possible, we advise you against adding, editing or removing the training material of an E-Signature course, because if you change it in any way, you will lose the electronic signature’s legal validity. Refer to the Best Practices section above in this article to know in which cases and under which conditions the One Time Password authentication process cannot be completed by the user or the electronic signature will lose legal validity when making changes to the content of an E-Signature course.
Editing, Deleting or Adding Training Material in E-Signature Courses
If you can’t avoid making changes to E-Signature course’s training material, we recommend creating a new version of the training material. By uploading a new version of the training material that you edited, you’ll be able to find all data recorded in the Audit Trail, where you can check in which conditions users completed the course. If you need further information about how to upload a new version of training material, refer to the Creating Multiple Versions of the Same Learning Object section of this article.
If you decide that you want to unlock content listed in the course’s training material tab, after having selected the Confirm button in the Unlocking pop up box at the top of the Training Material tab of the Course Management page, you will be able to edit or delete the training material by selecting the menu icon at the end of its row in the list of training material and then choosing the corresponding option from the dropdown menu. You’ll also be able to add new training material to the course by selecting the Add Training Material button above the training material list.
Recording E-Signature Data in the Audit Trail App and Compliance with Title 21 Part 11 CFR
In order to be compliant with the Title 21 Part 11 code of Federal Regulation of the United States, Docebo creates an electronic signature based upon cryptographic methods of authentication, which is a unique hash based on user data, course name, training material, training material version, test score, timestamp of course completion and One Time Password authentication method. This data is available in the Audit Trail App.
The Audit Trail app keeps track of the administrative actions performed in the system. Relating to E-Signature courses, the Audit Trail records admin and learner data and activities such as user data, the training material completed by learners, and the changes made to training material associated with an E-Signature course.
Please note: Because the E-Signature app is strictly related to the use of the Audit Trail app, the Audit Trail app is automatically activated when the E-Signature app is activated to avoid losing the data required to be compliant with Title 21 CFR Part 11.
Viewing E-Signature Info in Reports
As all the E-Signature data and activities are recorded in the Audit Trail, E-Signature data can be seen in some reports in the platform as well: Course Summary Report, Courses Dashboard, and some custom reports (Users – Courses, Users – Course Enrollment Time, Courses – Users, and Groups – Courses).
If you want to immediately know when your users electronically sign the course they’ve completed through the E-signature authentication, make sure that the Notifications feature is active in your platform, and that you have correctly created and configured the User performed the E-signature course’s authentication notification.
By doing so, when your users complete the E-signature authentication, you as the Superadmin will receive a notification informing you that your user performed the One Time Password authentication after having completed all of the mandatory training material included in an E-Signature course. This notification can be also sent to managers, power users, instructors, and learners as well.
Please note: You will only receive notifications about E-signature authentication if the Notification feature is active and if you as the Superadmin have properly set up the User performed the E-signature course’s authentication notification. When configuring this notification, you can choose between the email, in-platform, or Slack option, according to your needs.
Also note: The new shortcode [esignature_course] is available for the Learner has yet to complete a course notification and for the Digest: Learner has yet to complete a course notification. These notifications can also be sent to managers and instructors.
Please refer to this article for more information on creating and managing notifications.