The ultimate eSignature security checklist

Sameer Hajarnis,

No organization wants security scars. That’s why IT and Information Security departments generally conduct extensive due diligence on their cloud software providers to protect against data breaches, identity fraud, phishing, malware, viruses, and other security threats.

To help defend your organization, customers, and workflows, we’ve compiled an eSignature security checklist specifically for evaluating electronic signature services.

This blog goes in-depth on each item in our checklist to provide you with a deeper understanding of why consider each item. We recommend looking at not only the service's security but also how signers are authenticated, the vendor’s approach to digital document and signature security, the use of white labeling to protect against phishing attacks, and the eSignature audit trail associated with the digital transaction.

Identity verification & authentication

eSignature laws, such as the ESIGN Act and UETA in the United States or the eIDAS regulation in the European Union, outline the types of secure eSignatures that can be used to sign digital documents. While these laws don’t say much about specific security techniques and technology, the legal definition of an eSignature always includes language around signer identity. This puts identity security at the top of your eSignature security priorities since there is a legal requirement to connect each signature to the individual who applied it.

Throughout the entire digital agreement process, you will engage with either unknown or known signers. Robust measures are required to verify unknown signers the first time you conduct a transaction with them. With known signers, you already set them up with credentials, which are authenticated prior to giving them access to the signing ceremony and electronic documents.

Identity verification

As an alternative to cumbersome in-person identity validation measures, today’s organizations are using technology to run identity checks remotely and in real-time. Not only does this reduce the number of steps compared to paper-based processes, but it also removes touchpoints where customers have traditionally struggled and dropped off.

The best approaches to digital identity verification combine ID document verification technology and facial recognition to deliver a fast, online customer experience while also establishing trust. These technologies make it possible to digitally verify the signer’s identity using a government-issued ID, such as:

  • Driver’s license
  • Passport
  • National ID

User authentication

To enable better customer experiences, an eSignature solution should easily integrate with a wide range of authentication options throughout the eSign workflow. While there are many secure and user-friendly options for authenticating signers online, the key point here is to do so without diminishing their experience. As such, look for eSignature solutions that offer options to best fit your signers’ needs across your digital channels.

What to look for:

1. A solution that supports a complete range of ID proofing & authentication options to protect your clients and assets. This includes methods such as:

  • Remote identity verification with functionality like facial biometric data and AI algorithms to detect fraudulent ID documents
  • Remote user authentication through user a one-time passcode (OTP) via SMS, secret Q&A (i.e., challenge-response), or software/hardware authenticators
  • Email address verification through eSign session invitation
  • Dynamic KBA through third-party databases (e.g., LexisNexis)
  • Support for smart cards, such as the PIV and CAC smart cards used by the US government
  • Support for digital certificates such as those issued by a Trust Service Provider (note that support for all types of electronic signatures, especially qualified electronic signatures, is especially important for organizations doing business in Europe)

2. The ability to configure different authentication methods for different signers within the same transaction.

3. Flexibility to adapt the authentication methods to the risk profile of your business processes as you automate (e.g., ability to customize the challenge-response questions and the number of questions).

User identification & authentication white paper
White paper

User Identification & authentication

Learn how to create a trusted digital transaction with the right identity security methods.

Get informed

Document and signature security

Look for an eSignature solution that packages and secures the final eSigned document using digital signature technology. The digital signature should be built using public key infrastructure (PKI).

The eSignature solution should apply the digital signature at two levels:

  1. 1. At the signature level to prevent tampering with the signature itself
  2. 2. At the document level to prevent tampering with the document’s contents

The use of a digital signature ties together signing intent with the information agreed to at the time of signing. It also locks down and tamper-proofs the eSigned document, so unauthorized changes can’t slip by unnoticed. This is a vast improvement over wet signatures or handwritten signatures on paper documents.

While some vendors apply a digital signature as an envelope to a document (once all signatures have been captured), this is not a recommended practice for document signing. This approach leaves the document and signatures unprotected while the process is being completed and results in the wrong date and time stamp being placed on individual signatures.

If a signer and a co-signer eSign on two separate days, you want that history reflected in the audit trail. The best practice is to apply a digital signature as each eSignature is added to the document. This builds a comprehensive audit log with the date and time that each signature was applied.

What to look for:

  • Each signature must be secured with a digital signature which can resist to current and future security attacks
  • A comprehensive audit trail should include the date and time of each signature
  • The audit trail must be securely embedded in the document 
  • The audit trail must be linked to each signature 
  • Ability to verify the validity of the signed record offline, without going to a website
  • One-click signature and document verification 
  • Ability to download a verifiable copy of the signed record with the audit trail 
  • The document must be accessible to all parties

After evaluating the document and signature security functionality, the next step is to verify that the eSignature service captures everything in a single audit trail and embeds the trail into the signed document.

Audit trail

When regulated companies undergo a compliance audit, they are often asked to prove the exact business process they followed. As part of this, auditors also look for a record of every time key documents were touched, when, and by whom.

We recommend capturing a comprehensive audit trail of the signing process because it enables you to demonstrate exactly how a customer completed a transaction on the web or through a mobile device or mobile app.  

What to look for:

Look for a single, unified audit trail that captures the step-by-step identity verification, authentication, and eSignature events in the transaction. This should include:

  • Method used and device used to identify or authenticate each participant 
  • IP address of each participant 
  • Date and time stamp of all events 
  • All web pages, documents, disclosures, and other information presented 
  • The length of time spent reviewing each document 
  • What each party acknowledged, agreed to, and signed 
  • All other actions taken during the transaction, such as failed authentication attempts (if any) and data fields that have been edited

In addition, we recommend looking for eSignature software that embeds the audit trail directly in the signed document for easy verification and storage. eSigned documents that can be verified and archived independently of the eSignature vendor provide an additional layer of security. Whether or not you maintain an account with the eSignature service in the future, your documents are not affected since you, your customers, and other stakeholders do not have to go online to access or verify the eSigned document.

The best way to achieve vendor independence is to have a solution that embeds eSignatures, time stamping, and audit trail directly in the document. This creates a self-contained, portable record.

In addition to making eventual audits much easier, these audit trail records provide additional protection in the event of a dispute. While being evaluated for compliance, the best evidence wins.

White labeling for eSignature security

White labeling is more than just custom branding. It removes all traces of the eSignature vendor’s brand and holds significant importance for two reasons:

  1. 1. It creates a seamless experience for the signer. From the first invite email through the signing process, the signer engages only with your brand – not the eSignature vendor’s brand. This builds trust with your customers and leads to higher completion rates.
  2. 2. It helps prevent phishing attacks, one of the most successful tactics for stealing credentials. While organizations add more layers of enterprise security, phishing attacks continue to wreak havoc because the attack surface centers on people instead of systems. As such, emails generated by well-known eSignature providers have become a target for spoofs designed to trick people into divulging login credentials.

Amidst the urgency of the COVID pandemic, organizations hastily adopted eSignature solutions to meet the demand for remote transactions. However, numerous entities now find themselves with eSignature solutions that have increased the organization’s vulnerability to security threats.

Security researchers at Armorblox identified a phishing scheme that spoofed a common workflow email from a leading eSignature provider. The malicious email bypassed cloud and in-house email security solutions and targeted thousands of users across multiple organizations.

With a white-labeled electronic signature solution, your business can put its own brand front and center, limiting the appeal for would-be fraudsters. By customizing the content, colors, logo, and other elements of your emails, you can create a unique style that would require too much individual effort to make it worth the effort for phishers.

What to look for:

An eSignature solution that encourages you to:

  • Integrate with your own email servers so the eSign emails can be sent from your domain (e.g.,
  • Customize the content and appearance of email notifications
  • Customize the colors, logo, headers, navigation bars, footers
  • Customize dialog boxes and error messages

Blockchain evidence for eSigned documents

As digitization becomes the norm, there are growing concerns about cyberattacks and bad actors harnessing technology to attack an enterprise’s most valuable files, contracts, and digital agreements. Companies need to build long-term trust into transactions, to maintain their integrity now and in the future. With OneSpan, users and enterprises can rest easy as they can verify the validity of document content, eSignature timestamps, and digital signature timestamps with certificates providing indisputable proof of origin.

To protect digital documents, it is important to consider capabilities like blockchain-backed evidence, which can indisputably prove the authenticity of the transaction, provide long-term evidence resistant to current and future technology risks, and address regulatory requirements.

What to look for:

  • Indisputable proof of origin certificates, which can be used at any time to prove validity of document content, eSignature timestamps, and digital signature timestamps
  • Ability to store the evidence indefinitely on a decentralized network

Cloud and data security

In addition to the criteria listed above, look at the protocols an eSignature vendor has in place to identify and prevent data breaches. It’s important to understand the vendor’s security practices, certifications, track record, and the frequency of their security audits.

Performing due diligence around a vendor’s security practices and infrastructure could expose past privacy breaches, incidents of data loss/leakage, or other risks related to data security.

What to look for:

A solution that captures information about the signature process, including:

  • Verify the eSignature platform uses strong data encryption in transit and at rest, and stores data within an encrypted database volume using strong cryptography to ensure a secure channel for all communications.
  • A vendor that partners with world-class cloud infrastructure service providers such as Amazon Web Services, IBM Cloud, or Microsoft Azure. These providers are designed and managed according to security best practices and comply with a variety of regulatory, industry, and IT standards for security and data protection, including ISO 27001, SOC 2, HIPAA, FIPS 140-2, and more.
  • Look for a vendor that meets additional security control and compliance requirements at the application level, in addition to the data center level. This ensures that the eSignature solution is secure and customer data is protected.
  • Global data centers to satisfy in-country data residency requirements.

OneSpan Solutions: eSignature security for trusted digital agreements

We have 30 years of cybersecurity experience delivering eSignature and authentication solutions to ensure a transparently secure experience across all digital and mobile channels. Security is seamlessly embedded in modern digital workflows to ensure the best possible customer experiences and the highest completion rates.

OneSpan products ensure the security and integrity of digital documents, protecting against internal and external threats such as unauthorized manipulation and falsification. Our key product, OneSpan Sign, comes with advanced eSignature security features.

We can guide you in securing your digital agreements while providing your customers with a trusted and delightful experience, regardless of your use case, channel, or geography – today and into the future.

Missing media item.

Sameer Hajarnis is OneSpan's Senior Vice President & GM of Digital Agreements. Sameer has more than two decades of experience in enterprise software and SaaS companies leading cross-functional teams, including managing business development, sales, strategic alliances, and customer success to improve the customer product and service experience.