At a basic level, users can use any mark on an electronic document to capture the signer’s intent to approve or accept the contents. The form of the “mark” or how it was created is not important. What is important is proving who made the mark and that no one made any changes subsequently.
This series will discuss the different types of e-signatures: click-to-sign signatures, biometric e-signatures, basic electronic signatures, Advanced Electronic Signatures (AES), EU Qualified Electronic Signatures (QES) and cloud signatures for remote signing.
What is a Click-to-Sign signature?
A Click-to-Sign e-signature can be any mark placed on a document to indicate the signer’s consent. This could be a mouse squiggle, a signature drawn on a touch screen, an uploaded image, a tick box, a signature typed in a special script font, a typed name or even an email address.
These electronic marks can be easily copied from one document to another. They provide no cryptographic protection, so anyone can alter the document after the mark has been applied. Click-to-sign signatures can also be easily repudiated: a signer can simply claim, “that’s not my signature”.
Although most jurisdictions will admit a ‘click-to-sign’ e-signature in a court of law as evidence, they don’t provide any conclusive evidence and can be easily disputed.
What is a biometric electronic signature?
A biometric e-signature is created by capturing biometric information unique to the user and attaching it to the document. This can include fingerprints or iris scans, but the most common example is measuring the physical characteristics of a user’s signature-drawing process using a specialist tablet and stylus. Measurements include speed, pressure, pen incline, and the shape and size of the signature.
Biometric e-signatures are susceptible to spoofing through replay attacks and the signing devices themselves can also be hacked.
The issue is that biometric e-signatures are effectively complex passwords that are difficult to reset. Verifying and storing biometric data securely is also challenging, and the matching mechanism frequently produces false-positive and false-negative results.
Like ‘click-to-sign’ signatures, biometric e-signatures are accepted in court, but weak security and interoperability mean they do not provide convincing evidential proof.
What is a basic electronic signature?
Basic electronic signatures are defined under the eIDAS regulation as:
- Immediate signing, no user registration or login required
- Document signed and protected with server held signing key or e-seal only
- May or may not include a trusted timestamp
- The signer’s identity is not verifiable directly from the signed document
A cryptographic digital signature is created using a server-held signing key or an e-seal for organisations. The key belongs to the trusted service provider’s (TSP) organisation.
When the user applies the e-signature mark, a digital signature is attached. This cryptographically binds the mark to the document, protecting the document from any subsequent changes to ensure data integrity. E-signature software can add a timestamp to record the date and time the user signed.
Basic e-signatures cannot identify a signer, as the digital signature by itself doesn’t authenticate the user. Linking the signature to a person instead relies on the service provider’s logs. In some cases, access to signature logs isn’t possible once the user is no longer a customer of the service provider or the organisation goes out of business.
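As an added illustration, not code from the original post or from any provider’s product, of how the server-held key binds the mark, the document and the timestamp together, and of what that binding does and does not prove. The key pair, document, account name and timestamp are constructed, and Ed25519 stands in for whatever signature scheme a real TSP uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignedDoc is a constructed stand-in for a basic e-signature: the user's visual
// mark, the document bytes, a server-clock timestamp and the TSP's signature.
type SignedDoc struct {
	Content   []byte
	Mark      string // e.g. a typed name; the mark itself has no cryptographic meaning
	Reason    string // "reason for signing" field, where the authenticated identity can be noted
	Timestamp int64  // from the signing server's clock, so only as trustworthy as that server
	Signature []byte
}
// digest binds every field so that changing any of them invalidates the signature.
func digest(d *SignedDoc) []byte {
	h := sha256.New()
	parts := [][]byte{d.Content, []byte(d.Mark), []byte(d.Reason), []byte(fmt.Sprint(d.Timestamp))}
	for _, part := range parts {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		h.Write(n[:]) // length prefix: no ambiguity about where one field ends
		h.Write(part)
	}
	return h.Sum(nil)
}
// Sign is the TSP's server-side step; the key identifies the provider, not the user, who is known only from the log.
func Sign(key ed25519.PrivateKey, content []byte, mark, reason string, ts int64) *SignedDoc {
	d := &SignedDoc{Content: content, Mark: mark, Reason: reason, Timestamp: ts}
	d.Signature = ed25519.Sign(key, digest(d))
	return d
}
// Verify is what a third-party reader can do with the TSP's public key: it proves integrity, not identity.
func Verify(pub ed25519.PublicKey, d *SignedDoc) bool {
	return ed25519.Verify(pub, digest(d), d.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed TSP key pair
	doc := Sign(priv, []byte("Contract v1"), "Alice Example", "Signed by alice@example.test after MFA", 1700000000)
	tampered := *doc
	tampered.Content = []byte("Contract v2") // any edit after signing breaks the binding
	fmt.Println("original:", Verify(pub, doc), "tampered:", Verify(pub, &tampered))
}
```

A successful Verify shows only that the TSP's key signed exactly these bytes at the recorded server time; who was logged in when the mark was applied has to come from the provider's log.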
Is an electronic signature as legal as a paper signature?
Basic signatures are accepted in court. Logs will need to be provided as evidence, but as mentioned, it’s not always possible to access these from the service provider. If a timestamp has been used, its integrity will depend on how it was generated – timestamps taken from a computer clock can be manipulated.
Basic e-signatures protected with a standard digital signature such as PAdES are recognised and implemented in many third-party PDF document readers such as Adobe® Acrobat Reader DC.
Users can set up a basic e-signature to protect the document for years: a PAdES LTA (long-term archival) signature, applied to the digital signature/seal component, keeps the signature verifiable over that period and protects the document from any unauthorised changes.
However, since the signature itself carries no robust user authentication information, this interoperability advantage is limited: a third-party reader can confirm that the document is unchanged, but not who signed it.
We recommend the basic e-signature as an entry-level e-signature scheme. It provides reasonable levels of assurance as long as the service provider’s processes and procedures around authenticating users and managing the associated logs are secure. Security is strengthened when the user is authenticated using single- or multi-factor authentication, identified in the ‘reason for signing’ field, and when a long-term digital signature from the service provider is used to provide long-term validation (LTV).
In this series’ next blog, we’ll discuss the difference between Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES).
Want to learn more about the different types of e-signatures and which one is suitable for your business needs? Download our eBook, Choosing the Right Type of E-signature.