Security considerations to think about when choosing an electronic signature solution

We’ve talked about how the rapid adoption of electronic signatures is not only enabling organizations to keep their business moving in today’s digital economy, but also driving improvements in efficiency, experience, compliance, and sustainability. In order to realize all these benefits, however, organizations need to make sure the electronic signature solution they choose can adhere to the labyrinth of rules and regulations that guide their business.

The last thing an organization wants to do is add to the complexity. They don’t want to have to deploy one solution that meets the needs of their legal team, another for HR, and yet another for engineering. Yet, that’s what many organizations, when they look out across their environment, find they have done. A recent Deloitte study discovered that workers toggle between different workplace apps 10 times an hour, which translates to 32 days per year of lost workplace productivity.

The time is now, take a step back and evaluate your tools to see if there is an opportunity to consolidate and streamline how work gets done in your organization. I suspect there is – 95% of workers in the 2022 Productivity Report indicated there was room for improvement in how their organizations handled documents. So, what do you need to look for when it comes to electronic signatures? In a nutshell, security.

As hybrid work takes off and organizations transition more of their business to the cloud, they need confidence they can trust the privacy and integrity of all their workflows. They also need to protect their data and operations from increasingly sophisticated (and frequent) cyberattacks - online payment fraud losses alone are set to exceed $206 billion between 2021 and 2025.

When it comes to signatures, authenticity and security are priorities. Each type of electronic signature is already more secure than a manual signature on paper. Technically, it is a mathematical code that ensures the document cannot be changed after signing. This also goes for the elements related to the identity of the person, as it captures a person’s intent to agree to the content of the electronic document, contract, or data set.

Thanks to the encryption of the document, you have the guarantee that the document remained unchanged after signing, whether that is a single page or a whole lot of documents. Plus, you can set up an administration of consents, which obtains explicit permission for the document (in compliance with GDPR and other guidelines). This enables electronic signatures to be legally recognized and enforceable in almost every part of the world.

Depending on the type of security you require, which is typically based on the value of the transaction and/or regulatory guidelines in play, you can adjust the level of security you enforce. Of course, this assumes the solution you are using offers the breadth of capabilities and flexibility to do so. For example, you can determine how far you want to go to confirm the identity of the signer and how you want to transfer the document (e.g., whether or not to encrypt and the strength of the encryption employed). By applying the right level, you can find the right balance between convenience and security.

Different methods of signing offer different levels of assurance. The European Union’s Electronic Identification, Authentication and Trust Services (eIDAS) breaks the methods down into three, which offers a useful way to generally think about the security of different options. There are:

• Simple signatures – These prove general acceptance/approval of the document by the signer. They can be a scanned image of a signature, a signature manually drawn on a desktop screen (and digitally saved), a click on an “I accept” button, etc.

• Advanced signatures – These provide a higher level of signer ID verification, security, and tamper-sealing. The signature needs to be uniquely linked to the signer and created under the sole control of the signer (multi-factor authentication is optional).

• Qualified signatures – These are non-repudiated signatures. They are backed by a certificate issued and certified by a trusted service provider that 100% identifies the signer. An initial face-to-face verification or equivalent process is required, as is multi-factor authentication.

Before a signature can be obtained the user must be verified. Depending on the signing method (delineated above), how a company authenticates someone can vary widely. Obviously, some are more secure (and more involved) than others - the level of authentication can contribute to the enforceability of the signed documents. Look for solutions that can accommodate the different needs of your organization. For instance, you may want/need to use:

• Biometrics
• Smartcard / Tokens
• Login and password combinations (including Single Sign-On)
• One-time passwords (via SMS and email)
• Mobile identities
• Bank authentication
• Government services

Although authentication doesn't necessarily mean a more cumbersome user experience, it is still more complex and demands more from the user than a simple scribble with the finger on a smartphone or desktop. That’s why it’s important to understand your different use cases and then apply the right level of security to meet both your business and compliance needs.

To learn more about the different regulations, signing methods, and security options of electronic signatures, check out “The Ultimate Guide to Electronic Signatures”. It will help you evaluate different electronic signature solutions, so you can choose a single platform for all your needs and start maximizing the security and value of your digitized workflows.