Authentication Options for E‑Signature: Strike the Right Balance with Secure, User Friendly Authentication
Today’s organizations are evolving to stay competitive in an increasingly digital world. With a heavy reliance on smartphones and tablets, customers expect nothing less than a convenient, secure, and seamless experience when transacting with businesses remotely. As a result, more companies in the EU, United States, Canada, and around the world are considering e-signatures as part of their digital transformation strategy, because of the improvements to customer experience that electronic signatures provide.
There are many benefits to offering customers, vendors, and partners the ability to use e-signatures, but security must still be a focus. Organizations initiating e-signature transactions must know who they are doing business with across online and mobile channels.
According to Forrester Research, "Authentication issues are moving front and center. Ramping adoption and the increased value of transactions settled electronically have led to a sharper focus on fraud, legal challenges, and authentication validity." In an e-signature transaction, the authentication step contributes to the enforceability of the signed document and validates that a company is transacting with the correct person in the signing process.
As an organization, you need to strike the right balance between customer experience and security when implementing user authentication. This will ensure high transaction completion rates and minimize customer frustration and abandonment due to cumbersome authentication processes. Depending on your use case and authentication needs, the best approach is to look for electronic signature software that supports a wide array of authentication methods to ensure the best user experience and mitigate risk of fraud. Additionally, you want to ensure that the authentication options can be configured to meet the requirements of your e-signature process and channel. As an example, an electronic signing process that occurs face-to-face in a bank branch or with an insurance agent will often use different authentication methods than a remote transaction.
The Difference between Identification and Authentication
The terms “user identification” and “user authentication” may sound similar, but they actually have different meanings.
User identification is the process of presenting and making a claim to an identity. This is the first step in determining who you are doing business with, so naturally it takes place the first time two parties conduct a transaction. A good example is a new applicant who goes to the bank to open an account for the first time. The applicant will be asked to prove their identity using their driver’s license, passport, or national ID card. To verify a new applicant’s identity remotely through your digital channels requires digital identity verification. A digital identity verification service makes it possible to quickly and securely confirm that an “unknown user” is who they say they are – directly through their mobile device.
Once the individual’s identity is confirmed, they become a customer or “known user” and are typically given credentials to facilitate future transactions. User authentication is the process of verifying those credentials prior to giving access to a system – in this case, the e-signing ceremony.
E-Signature Authentication Methods
Unlike a handwritten signature, OneSpan Sign offers a number of authentication methods to ensure that only the correct signers are accessing your electronic signature transactions. These authentication methods can be used alone or in combination to verify a person’s identity and create a trusted transaction.
The E-Signature Workflow
- Email authentication: The signer is sent an email with an embedded link inviting them to access the signing ceremony. After clicking the link, the signer is authenticated. Email authentication establishes a connection to the signer due to the uniqueness of their email address.
- Login credentials (including Single-Sign On (SSO)): Access to documents can be granted to signers upon logging into an online portal or government services portal with a valid user ID and password. Using the online banking portal example, the customer logs in to their account and is presented with the documents to e-sign from within the portal.
- OTP over SMS: A unique PIN is automatically generated and sent to the signer’s phone. The signer enters it into a login page and gains access to the documents that require signature.
- Secret question challenge (static KBA): Challenge questions are presented to the signer to authenticate before they can view the electronic document(s). These questions are referred to as shared secrets because the sender needs to know something about the signer to create the questions. The questions and answers are known by both parties and pre-selected ahead of time. Common questions include the last four digits of a Social Security Number or an application ID number. The customer must correctly answer one or more questions before being granted access to the electronic signature transaction.
- Dynamic KBA: OneSpan Sign can integrate with third-party ID verification services like Equifax. The signer is presented with out-of-wallet questions generated on the fly to authenticate their identity before signing the document(s). These out-of-wallet questions are generated in real-time, making it difficult for anyone other than the actual user to answer correctly.
- Digital certificates: OneSpan Sign leverages digital certificates issued by third-party Trust Service Providers (TSP) and certificate authorities (CA). When using a personal digital certificate to e-sign a document, the certificate status is verified and signers must pass authentication requirements by combining the certificate with a PIN or password. When using a digital certificate issued by a qualified trust service provider, this creates a Qualified Electronic Signature (QES) in accordance with the requirements of the European Union’s eIDAS regulation.
- Smart cards & derived credentials: Government employees and contractors require a smart card or mobile derived credentials when e-signing. Digital certificates are stored on smart cards, such as Common Access Cards (CAC) and Personal Identity Verification (PIV) cards. This is a form of multi-factor authentication, because it consists of something the user knows (the PIN for their smartcard), something the user has (the smart card), and sometimes even biometric identifier (something the user is).
- Digipass®: Multi-factor authentication (MFA) provides an element of layered security by requiring two or more verification methods before a signer can access and complete the transaction. OneSpan Sign integrates with OneSpan’s MFA solutions like Digipass to support strong authentication with one-time passwords (OTP) and/or visual cryptograms during the upfront user authentication step and/or at the time of signing (not available out of the box).
- Biometrics: Biometrics are typically used for high risk, high value transactions with existing customers. OneSpan Sign can be combined with OneSpan’s Mobile Security Suite to leverage fingerprint and face “selfie” authentication methods to authenticate prior to accessing the documents that require their signature (not available out of the box).
OneSpan Sign is an e-signature solution that provides the flexibility to support your authentication requirements for a variety of signing scenarios. Read our User Identification and Authentication white paper for best practices on how to select the right authentication methods for your e-signature use case.