Electronic signatures are a step many companies take as part of their digital transformation, but there are recurring concerns about how secure they really are. This post describes the security checks needed to prevent breaches that could lead to data loss or fraudulent use of information when signing electronically.
Electronic signature security considerations
Several aspects determine how secure an electronic signature is. They are listed below:
- Signatory authentication. The eIDAS Regulation defines authentication as an electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form, to be confirmed. Verifying the signatory's identity is therefore essential for a secure electronic signature. It can be done in several ways:
- Biometric identification. This consists of matching the signatory's unique physical features, such as fingerprints, iris or voice. A mobile app can also identify the signer by face or fingerprint recognition, in the same way that many phones are unlocked with the owner's fingerprint or cars recognise their driver's voice to accept commands.
- One-Time Password (OTP). A single-use code is sent to the signatory's mobile phone or e-mail address and must be entered to identify the signatory. The code should be short-lived and accepted only once.
- Questions and answers. Alternatively, the signatory can be identified by questions whose answers only the signatory should know, e.g. personal details such as the father's name or a specific date. Because such details can often be found out or guessed, this method is best combined with another one.
- Uploading an identity document. The signatory's identity can be verified by uploading an identity document (ID card, passport or driving licence) and matching its photo against a real-time video image of the signatory.
These methods can be combined, which increases the security of the electronic signature.
- Traceability and time stamping. For an electronic signature to be secure, there must be a way to verify the entire signing process and the data collected during it. With Lleida.net's electronic signature solution, digital documentary evidence is created that gathers all the data of the signing process: e-mails, the IP addresses involved, the signed documents, attachments, etc. This data is compiled into an evidence document that the user can download. A timestamp is also applied to the document so that the signing time can be proven and any modification after signing can be detected.
- Type of signature. The eIDAS Regulation sets out three types of electronic signature, differentiated by their level of assurance: simple, advanced and qualified. A qualified electronic signature is the only one to which the Regulation gives the same legal effect as a handwritten signature. Depending on the level of security the document requires, you will have to choose one or the other.
- Security level of the provider. The electronic signature service provider must keep documents stored in the cloud secure and free from security breaches. In this sense, the eIDAS Regulation defines a trust service as an electronic service, normally provided for remuneration, that consists among other things of creating, verifying and validating electronic signatures.
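The OTP method listed under signatory authentication above is only as strong as its server-side handling. The following is an added example (not Lleida.net's code) of how a provider would verify such a code; it assumes the code is delivered out of band (SMS or e-mail, not shown), a five-minute validity window and a five-attempt limit, all of which are assumptions for illustration.

```python
"""
Server-side handling of a one-time password (OTP) for signatory
authentication.  Added example, not Lleida.net's code.  Assumes the code
is sent to the signatory by SMS/e-mail elsewhere and that the server keeps
a small store of pending challenges keyed by signing session.
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # code expires 5 minutes after issue (assumption)
MAX_ATTEMPTS = 5           # lockout threshold against guessing (assumption)


class OtpChallenge:
    """One pending OTP for one signing session."""

    def __init__(self, code: str, issued_at: float) -> None:
        self.salt = secrets.token_bytes(16)
        self.code_hash = self.hash_code(code)
        self.issued_at = issued_at
        self.attempts = 0
        self.used = False

    def hash_code(self, code: str) -> bytes:
        # Only a salted hash is stored, so a database leak does not expose live codes.
        return hashlib.sha256(self.salt + code.encode()).digest()


class OtpService:
    def __init__(self, now=time.time) -> None:
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # session_id -> OtpChallenge

    def issue(self, session_id: str) -> str:
        """Generate a fresh code; the caller delivers it to the signatory's phone or e-mail."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = OtpChallenge(code, self._now())
        return code

    def verify(self, session_id: str, submitted: str) -> tuple:
        """Return (ok, reason). Rejects unknown, reused, expired, brute-forced and wrong codes."""
        ch = self._pending.get(session_id)
        if ch is None:
            return False, "no pending challenge"
        if ch.used:
            return False, "code already used"
        if self._now() - ch.issued_at > OTP_TTL_SECONDS:
            del self._pending[session_id]
            return False, "code expired"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]
            return False, "too many attempts"
        ch.attempts += 1
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(ch.hash_code(submitted), ch.code_hash):
            return False, "wrong code"
        ch.used = True
        return True, "ok"
```

The three checks before the comparison (single use, expiry, attempt limit) are what make a six-digit code acceptable: without them an attacker has a 1-in-a-million chance per guess and unlimited guesses.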
For an electronic signature provider to be considered secure, the following measures are necessary:
- A system to detect attacks against stored data.
- Protection against malware.
- Security controls for electronic signatures that operate without interruption.
- A data encryption system for stored and transmitted data.
- Multi-factor user authentication.
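The traceability and time-stamping point above, together with the requirement to detect attacks against stored data, comes down to one mechanism: the evidence record must be bound to the signed document and to a time, and sealed so that any later change is visible. The following added example (not Lleida.net's evidence format) shows that mechanism in miniature. It assumes the provider seals records with a secret key (an HMAC key stands in here for the provider's signing key and for a timestamp authority's token), and the e-mail addresses, IP addresses and events are constructed sample data.

```python
"""
Documentary evidence for a signing process with tamper detection.
Added example; not Lleida.net's evidence format.  Assumptions: an HMAC key
stands in for the provider's signing key and time-stamp token, and all
addresses, IPs and events below are constructed sample data.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(record: dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not affect the seal.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(signed_doc: bytes, events: list, provider_key: bytes, signed_at: datetime) -> dict:
    """Hash the signed document, bind it to the process events and a timestamp, and seal the record."""
    record = {
        "document_sha256": sha256_hex(signed_doc),
        "events": events,
        "timestamp": signed_at.astimezone(timezone.utc).isoformat(),
    }
    record["seal"] = hmac.new(provider_key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return record


def verify_evidence(record: dict, signed_doc: bytes, provider_key: bytes) -> tuple:
    """Return (ok, reason): check the seal first, then that the document matches the recorded hash."""
    body = {k: v for k, v in record.items() if k != "seal"}
    expected = hmac.new(provider_key, canonical_bytes(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(record.get("seal", ""))):
        return False, "evidence record altered after sealing"
    if record["document_sha256"] != sha256_hex(signed_doc):
        return False, "document differs from the one recorded at signing time"
    return True, "ok"


def demo() -> dict:
    """Seal a record, then show that editing the document or the evidence itself is detected."""
    key = b"provider-secret-key-for-demo"   # constructed; a real provider uses a protected signing key
    doc = b"Contract v1: Alice agrees to pay Bob 100 EUR."
    events = [                               # constructed sample process data
        {"step": "sent", "to": "alice@example.com", "ip": "203.0.113.10"},
        {"step": "otp_verified", "channel": "sms", "ip": "198.51.100.7"},
        {"step": "signed", "ip": "198.51.100.7"},
    ]
    record = build_evidence(doc, events, key, datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc))

    results = {"genuine": verify_evidence(record, doc, key)}
    # Attack 1: the document is modified after signing (amount changed).
    results["modified_document"] = verify_evidence(record, doc.replace(b"100", b"1000"), key)
    # Attack 2: the evidence itself is edited to hide which IP address signed.
    tampered = json.loads(json.dumps(record))
    tampered["events"][2]["ip"] = "192.0.2.1"
    results["modified_evidence"] = verify_evidence(tampered, doc, key)
    return results
```

A production provider would replace the HMAC with a digital signature over the same canonical bytes and obtain the timestamp from an independent timestamp authority, so that the evidence can be verified by a court or an expert without trusting the provider's own clock or secret.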
Is it possible to forge an electronic signature?
As long as the security systems discussed above are applied and are robust, forging an electronic signature is extremely difficult: someone who wants to sign in another person's name would need access to several of the real signatory's factors at once, such as their telephone number, e-mail account or private personal details, and even their physical appearance.
On the other hand, if the electronically signed document is used as evidence in court, the other party may challenge it and refuse to recognise its authenticity. A forensic expert must then be appointed to verify that the electronic signature meets all the requirements to be considered secure and that it has not been tampered with since the time it was signed.
In short, finding a secure electronic signature provider takes effort: it is not enough to compare prices; you also need to compare the level of security provided and understand clearly how the data of each signature will be protected.