The Security Behind E-Signatures

By Tim Bedard, Director of Security Product Marketing, OneSpan

E-signatures have been helping enterprises transform their operations for 25 years. Companies in both the public and private sectors deploy e-signatures for customer onboarding, consumer loan applications, employee performance reviews, contract negotiations, recruiting and much more.

The benefits of e-signatures continue to be quantified, including 99% customer adoption rates at over 1,700 OneMain Financial branches; $8 million in paper savings annually at Royal Bank of Canada; and a 70% reduction in the processing time for employee performance reviews at the U.S. Census Bureau. Yet with the increasing number of data breaches and hacks worldwide, it’s worth revisiting exactly how e-signatures provide the security so critically needed today.

To ensure a trusted experience between an organization, its employees and customers, e-signature solutions should meet these top three requirements:

  • Use digital signatures to protect documents from tampering
  • Embed detailed audit trails for regulatory compliance
  • Verify the signer’s identity through appropriate levels of authentication and attribution

Digital vs. Electronic Signatures

Document and signature security are at the heart of any electronically signed document. The way to achieve the highest level of trust and security is to require the document and each signature to be secured with a digital signature. Digital signatures make the document tamper-evident, so that any alteration is detected, and ensure that signatures cannot be copied and pasted into other documents.

The term “digital signature” is often confused with “electronic signature.” An electronic signature, like its paper equivalent, is a legal concept. Its purpose is to capture a person’s intent to be legally bound to an agreement or contract.

A digital signature, on the other hand, is security technology. Based on public/private key cryptography, digital signatures are used in a variety of security, e-business and e-commerce applications.

When used within an electronic signing application, digital signature technology secures the e-signed data. If an e-signed document is modified or tampered with in any way, the digital signature will no longer verify and the document is invalidated. Unlike paper-based contracts and signatures, which require careful attention to detail and rely on the human eye for verification, e-signed contracts with digital signatures automatically flag any errors or alterations.

Digital signatures are the foundation of any reliable electronic signature and a core requirement for a trustworthy solution.

Comprehensive Audit Trails

Audit trails play a key role in documenting each step of the transaction, ensuring compliance with state and federal regulations and helping foster consumer confidence. A comprehensive audit trail should include the date and time of each signature in the document, and the audit trail should be securely embedded in the document and linked to each signature. By embedding this information in the document, the authenticity can be verified independently in the future, no matter which e-signature solution you use. In addition, the record can securely travel through any email, storage or archiving system without being compromised or requiring additional programming.
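As an added illustration of both points above (the digital signature that makes tampering detectable, and the audit trail embedded and linked to each signature), here is a small Go example written for this article; it is not OneSpan's code, and its Ed25519 keys, record layout and sample loan text are assumptions chosen for the demonstration. Each audit entry carries the signer, the timestamp, the hash of the document the signer saw and a link to the previous signature, and the signer's key signs all of it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// AuditEntry is one embedded audit-trail record (a format constructed for this example).
type AuditEntry struct {
	Signer, Timestamp string   // timestamp is supplied by the application, e.g. "2019-05-30T10:00:00Z"
	DocHash           [32]byte // SHA-256 of the document exactly as the signer saw it
	PrevSig, Sig      []byte   // PrevSig links to the previous entry; empty for the first signature
}

// message is what the signer actually signs; %q and %x keep the concatenated fields unambiguous.
func message(e AuditEntry) []byte {
	return []byte(fmt.Sprintf("%x|%q|%q|%x", e.DocHash, e.Signer, e.Timestamp, e.PrevSig))
}

// Sign appends a digitally signed audit entry for doc, chained to the previous entry.
func Sign(priv ed25519.PrivateKey, doc []byte, signer, ts string, trail []AuditEntry) []AuditEntry {
	e := AuditEntry{Signer: signer, Timestamp: ts, DocHash: sha256.Sum256(doc)}
	if n := len(trail); n > 0 {
		e.PrevSig = trail[n-1].Sig
	}
	e.Sig = ed25519.Sign(priv, message(e))
	return append(trail, e)
}

// Verify re-checks every entry against the current document bytes and the signers' public keys;
// an edited document, a reordered or truncated trail, or a signature pasted from elsewhere all fail.
func Verify(pubs map[string]ed25519.PublicKey, doc []byte, trail []AuditEntry) bool {
	h := sha256.Sum256(doc)
	var prev []byte
	for _, e := range trail {
		pub, ok := pubs[e.Signer]
		if !ok || e.DocHash != h || string(e.PrevSig) != string(prev) || !ed25519.Verify(pub, message(e), e.Sig) {
			return false
		}
		prev = e.Sig
	}
	return true
}

func main() { // stand-alone demo: constructed loan document, fresh key pair, then an edited copy
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trail := Sign(priv, []byte("Loan agreement: amount 10,000"), "alice", "2019-05-30T10:00:00Z", nil)
	fmt.Println(Verify(map[string]ed25519.PublicKey{"alice": pub}, []byte("Loan agreement: amount 100,000"), trail)) // false
}
```

Because the previous signature is part of what each signer signs, a verifier can also tell when an entry has been dropped or the order of signatures changed, which is the property that lets the embedded record travel through email and archives and still be checked later.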

Identification and Authentication

E-Signature laws don’t say much when it comes to security techniques and technology, but the legal definition of an electronic signature always includes language around signer identity. This means organizations need to take steps to identify and/or authenticate users prior to e-signing, and they need to tie that authentication to the e-signature and e-signed record.

Authenticating users and transactions is a top priority for banks and other organizations conducting business online and via the mobile channel. When evaluating how to identify new customers over the web, consider how this is accomplished in other remote channels, such as call centers and by mail. These processes often identify first-time applicants using two types of personal information – personally identifiable information (PII) and non-public personal information.

The customer’s information is typically verified through a third-party identification service (e.g. Experian, TransUnion, Equifax). Financial service providers, for example, frequently use third-party services, since they are often already accessing credit databases as part of loan applications and other processes. In this case, look for an e-signature solution that integrates with third-party identity verification services.

Once a signer’s identity is verified, organizations often issue electronic credentials to facilitate future digital transactions. In the case of existing customers, it is highly recommended to leverage credentials you may have already issued (e.g. logins for online banking). Not only are such credentials generally reliable if they have been used over time, but it also saves the customer the hassle of having to create and remember yet another password.

In addition, organizations in certain geographies or in sectors that deal with high-value, high-risk transactions often use strong, multi-factor authentication services at any point during the process. This reinforces trust in the transaction and creates a secure environment so that identities, data and digital lives remain protected. In this case, look for an e-signature solution that can easily integrate with authentication services throughout the e-sign workflow.

Attribution

Signature attribution is the process of proving who actually clicked to apply an e-signature. Questions of attribution often come up when looking at processes where staff interacts with customers in a face-to-face environment using the click-to-sign method on a shared device.

Consider the use case where a signer is asked to click a button to e-sign on an agent’s laptop. The challenge becomes how to prove who was holding the mouse when the e-signature was applied. There are two proven approaches for establishing attribution in these circumstances: affidavits and the use of SMS passcodes sent to personal mobile phones.

Affidavits are the most cost-effective and easiest way to establish attribution. Just before handing over control of a laptop or tablet to the customer for signing, your employee or representative would be presented with affidavit text affirming they are handing control over to the signer. This transfer of control would be captured as part of the audit trail.

Another option is to use the signer’s personal smartphone. Signers can be sent a one-time passcode via SMS text that they would use in order to gain access to the e-sign session.

While there are many secure and user-friendly options for identifying signers online, ultimately the choice of authentication method depends on the risk profile of the process being automated and the underlying digital transaction. The key point here is to authenticate users without diminishing their experience.

Trust and Security Are the Foundation of E-Signatures

Providing a secure digital experience is a top priority for any e-signature deployment. Not only should it be easy to use, but it should also assure the user that the underlying integrity of the signature and the security behind the technology is solid. The most trusted e-signature solutions should utilize a digital signature, embed comprehensive audit trails and properly identify and attribute each user. With these key security features, your organization is on track to successfully digitize its business processes, while providing customers with a trusted and secure experience, no matter the use case, channel or geography.

About the Author

Tim Bedard is responsible for OneSpan’s Trusted Identity Platform security solutions for financial services. With more than twenty years of IT security experience, Tim has successfully launched multiple cloud-based security, compliance and identity and access management (IAM) offerings, with responsibilities ranging from strategic planning to go-to-market execution. Previously, he has held leadership positions in product strategy, product management and marketing at SailPoint Technologies, RSA Security and CA Technologies. Tim is an active security evangelist at industry-leading tradeshows and events.

May 30, 2019
