OTP password flow for Approvals

Introduction

This release focuses on improving the reliability and consistency of the approval experience when users attempt to sign documents inside a record. Approvals typically require users to authenticate using their password. However, certain users were unexpectedly being prompted for OTP instead of their password, and some were not receiving OTP emails when requested.

This update strengthens the logic that determines whether a user should see the Password-Based Approval flow or the OTP-Based Approval flow, to ensure a predictable and secure signing experience.

What’s included in this Release

• Users with a password set always see the Password-Based Approval modal.

• Only SSO users without a password set are shown the OTP flow.

• SSO users who have previously set a password, whether from a new invite, prior org access, or by using “Change Password”, correctly receive the password-based modal.

• Non-SSO users continue to receive password prompts as expected.

• Users entering incorrect username/password combinations receive correct error messaging.

• Users providing correct credentials are able to successfully approve or reject the document without OTP interruptions.

• SSO users who are not part of any non-SSO org but have no password set remain eligible for OTP-based approval.

• The “Generate OTP” behaviour is validated to ensure the correct issuance of OTP only for eligible users.

These improvements ensure that password and OTP routing behave consistently across user types and org configurations, preventing unexpected OTP prompts during approvals.

Before vs After