I needed to send internal documents to team members — regulations, policy updates — and collect traceable proof that each person had read and accepted them. The classic proposal: Firebase Authentication with SMS OTP, Firestore, PDF certificate. Let me tell you what I actually built instead, and every real problem I hit along the way.

First: it's not a "digital signature"

Before writing a line of code, terminology matters. In Italy (and more broadly under eIDAS), "firma digitale" (digital signature) is a precise legal concept: a qualified electronic signature, issued by an accredited certification authority (think Aruba, InfoCert) with a hardware token or remote signing service.

What we're building is a simple electronic signature with audit trail: name, timestamp, IP, document hash, OTP verified. Perfectly valid for internal use, but calling it "firma digitale" in the UI creates legal expectations the system cannot meet. I used "acknowledgement confirmation with OTP code verification" instead.

Why not Firebase Authentication for OTP