Are electronic signatures secure enough?

Two factor authentication

Electronic signatures are becoming the leading method of signing documents. As our society becomes increasingly digital, manual processes are adapting to keep up, as are the rules for how data may be processed and used.

Today companies rely on single factor authentication, which normally consists of entering your username and password before signing anything. The username is generally your email address and the password a personal string of characters (sometimes including numbers and special characters).

To explain the two factor authentication method, compare it with a transaction at your local shop. You scan the items you want to buy, pay with your card and enter your PIN to confirm the transfer of money. That is a perfectly fine way of confirming your identity and giving consent: the card is something you have and the PIN is something you know.

But when it comes to electronically signing contracts and legal documents, for example, the security bar needs to be raised and carefully thought through to make sure it is the correct person receiving and signing them.

Common challenges

Before sending an internal or external document for review or approval, you have probably logged into a system or computer that required your username and password. You may also have been required to authenticate via a third-party app or your mobile device, i.e. two-factor or multi-factor authentication. Since entering only a username and password is the standard method, you will continue to see and use it in various systems. But there are two potential problems to deal with:

  1. The email address is public

    Anyone could get hold of your company email address. It may be displayed on the company's website or on the person's LinkedIn profile.

  2. The password is too weak

    Users often choose their own password, and to remember it they pick something short and related to themselves, which makes it easy for attackers to guess and use. Users may also reuse the same password for other services, which may be subject to data leaks.

So is it secure enough to only enter your email and a password to electronically sign documents?

By adding multi-factor authentication you decrease the chances of your identity being wrongfully used.
Large companies such as Google and Microsoft instead use temporary codes sent to the user's phone or email, which then need to be entered for the electronic signature to go through. This makes the signature harder to hack or misuse.

Interpreting rules from 20 years ago

Another potential problem is third party systems handling your electronic signatures.

They all have the same rules to comply with, the EU's eIDAS regulation and the FDA's 21 CFR Part 11, but it is up to each of these systems to interpret those rules as they like; the rules were originally outlined in 2014 and 1997 respectively. This means that an electronic signature can vary from system to system, and your documents can end up with mismatching signatures if you switch to another system.

For example:

  • The timestamp is not in UTC format

    This means that documents could be missing the exact time of the signature, or the day and year could be reversed depending on the country in which the developer of the system resides.

  • There is no requirement for title of the person signing

    If you don't have the title of the person signing the document, how will you know that the person has the correct level of authority?
    (In addition, the person signing might sign under several different roles depending on the context.)

These relatively small but valuable changes would increase the validity of your electronic signatures by recording exactly when they were signed, in which time zone, by whom and under which authority.
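The two points above, a UTC timestamp and a recorded title, translate directly into what a signature record should contain when it is imported from another system. The following is an added example and not code from the original post or from any product it names; the field names (signer, role, timestamp, utc_offset) and the sample exports are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class SignatureRecord:
    signer: str
    role: str           # title/authority the person signed under
    signed_at_utc: str  # ISO 8601 in UTC, comparable across systems
    source_offset: str  # UTC offset (+HHMM) the signing system recorded

def canonicalise(raw: dict) -> SignatureRecord:
    """Normalise one exported signature entry (assumed field names, not any
    vendor's real format). Raises ValueError when the entry is too ambiguous."""
    signer = (raw.get("signer") or "").strip()
    role = (raw.get("role") or "").strip()
    if not signer or not role:
        raise ValueError(f"missing signer or title/role in {raw!r}")
    # Some systems write "Z" for UTC; fromisoformat() accepts it only on 3.11+
    ts = str(raw.get("timestamp") or "").replace("Z", "+00:00")
    try:
        dt = datetime.fromisoformat(ts)
    except ValueError as exc:
        # e.g. "03/04/2021 10:15": day/month order depends on the vendor's locale
        raise ValueError(f"timestamp {ts!r} is not ISO 8601") from exc
    if dt.tzinfo is None:
        # A naive local time is only usable if the system also exported its offset
        offset = raw.get("utc_offset")
        if not offset:
            raise ValueError(f"timestamp {ts!r} has no time zone")
        dt = datetime.fromisoformat(f"{ts}{offset}")
    utc = dt.astimezone(timezone.utc).isoformat(timespec="seconds")
    return SignatureRecord(signer, role, utc, dt.strftime("%z"))

def canonicalise_all(entries):
    """Return (accepted records, {signer: reason} for rejected entries)."""
    accepted, rejected = [], {}
    for entry in entries:
        try:
            accepted.append(canonicalise(entry))
        except ValueError as err:
            rejected[entry.get("signer", "?")] = str(err)
    return accepted, rejected

# Constructed sample exports, one per fictional signing system
SAMPLES = [
    {"signer": "Anna Svensson", "role": "CFO", "timestamp": "2021-04-03T10:15:00+02:00"},
    {"signer": "Bo Karlsson", "role": "Project Manager", "timestamp": "2021-04-03T09:15:00", "utc_offset": "+01:00"},
    {"signer": "Cy Lee", "role": "", "timestamp": "2021-04-03T08:15:00Z"},
    {"signer": "Di Moore", "role": "Director", "timestamp": "03/04/2021 10:15"},
]
```

The first two samples were signed at the same instant in different local zones and end up with identical UTC timestamps, while the entry without a title and the entry with a locale-dependent date are rejected rather than stored with ambiguous meaning.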

Final words

If you're aware of the issues above, you can make a more conscious decision about which type of electronic signature system you should choose or switch to. Many Document Management Systems today, such as Office365 and Beyond Information Protection 365, have built-in functionality for electronically signing documents with internal and external contacts, with the security measures mentioned above and detailed audit logs.
