The ultimate eSignature security checklist
No organization wants security scars. That’s why IT and Information Security departments generally conduct extensive due diligence on their cloud software providers to protect against data breaches, identity fraud, phishing, malware, viruses, and other security threats.
To help defend your organization, customers, and workflows, we’ve compiled an
e-signature security checklist specifically for evaluating e-signature services. This checklist takes a holistic approach to understanding levels of security. We recommend not only looking at the security of the service, but also how signers are authenticated, the vendor’s approach to digital document and signature security, the use of white labeling to protect against phishing attacks, and the audit trail associated with the digital transaction.
Identity verification & authentication
E-Signature laws, such as the ESIGN Act and UETA in the United States or the eIDAS regulation in the European Union, outline the types of electronic signatures that can be used to sign digital documents. While these laws don’t say much about specific security techniques and technology, the legal definition of an electronic signature always includes language around signer identity. This puts identity security at the top of your e-signature security priorities, since there is a legal requirement to connect each signature to the individual who applied it.
Over the course of any digital agreement, you will be engaging with either unknown or known signers. In the case of the former, robust measures are required to determine who you are doing business with the first time you conduct a transaction with them. In the case of the latter, known signers are provided with credentials and these credentials are authenticated prior to giving them access to the signing ceremony and electronic documents.
As an alternative to cumbersome in-person identity validation measures, today’s organizations are using technology to run identity checks remotely and in real time. Not only does this reduce the number of steps compared to paper-based processes, it also removes touchpoints where customers have traditionally struggled and dropped off.
To deliver a fast, online customer experience while also establishing trust, best approaches to digital identity verification combine ID document verification technology and facial recognition. These technologies make it possible to digitally verify the signer’s identity using their government-issued ID such as their driver’s license, passport, or national ID.
Once a signatory’s identity is verified, organizations often issue electronic credentials to facilitate future digital transactions. In the case of existing customers, we recommend you leverage credentials your organization already issued. Not only are such credentials generally reliable if they have been used over time, but this saves the customer the hassle of having to create and remember yet another set of credentials.
Look for an e-signature solution that can easily integrate with a wide range of authentication options throughout the e-sign workflow. While there are many secure and user-friendly options for authenticating signers online, the key point here is to do so without diminishing their experience. As such, look for e-signature solutions that offer options to best fit your signers’ needs across your digital channels – and as a result, enable better experiences.
What to look for:
1. A solution that supports a complete range of ID proofing & authentication options, to protect your clients and assets. This includes methods such as:
- Remote identity verification with functionality like facial biometric data and AI algorithms to detect fraudulent ID documents
- Remote user authentication through user ID / password, a one-time passcode (OTP) via SMS, or secret Q&A (i.e., challenge-response)
- Email address verification through e-sign session invitation
- Dynamic KBA through third-party databases (e.g., LexisNexis)
- Support for smart cards, such as the PIV and CAC smart cards used by the US government
- Support for digital certificates such as those issued by a Trust Service Provider (note that support for all types of electronic signatures, especially qualified electronic signatures, is especially important for organizations doing business in Europe)
2. The ability to configure different authentication methods for different signers within the same transaction.
3. Flexibility to adapt the authentication methods to the risk profile of your business processes as you automate (e.g., ability to customize the challenge-response questions and the number of questions).
Document and signature security
Look for an e-signature solution that packages and secures the final e-signed document using digital signature technology. The digital signature should be built using public key infrastructure (PKI). The e-signature solution should apply the digital signature at two levels:
1. At the signature level to prevent tampering with the signature itself
2. At the document level to prevent tampering with the document’s contents
The use of digital signature security features ties together signing intent with the information that was agreed to at the time of signing. It also locks down and tamper proofs the e-signed document, so unauthorized changes can’t slip by unnoticed. This is a vast improvement over wet signatures or handwritten signatures on paper.
While some vendors apply a digital signature as an envelope to a document (once all signatures have been captured), this is not a recommended practice for document signing. This approach leaves the document and signatures unprotected while the process is being completed and results in the wrong date and time stamp being placed on individual signatures. If a signer and a co-signer e-sign a record on two separate days, you want that history reflected in the audit trail. The best practice is to apply digital signature as each e-signature is added to the document. This builds a comprehensive audit trail with the date and time that each signature was applied.
What to look for:
- Each signature must be secured with a digital signature
- A comprehensive audit trail should include the date and time of each signature
- The audit trail must be securely embedded in the document
- The audit trail must be linked to each signature
- Ability to verify the validity of the signed record offline, without going to a website
- One-click signature and document verification
- Ability to download a verifiable copy of the signed record with the audit trail
- The document must be accessible to all parties
After evaluating document and signature security functionality, the next step will be to verify that the e-signature service captures everything in a single audit trail and embeds the audit trail into the signed document.
When regulated companies undergo a compliance audit, they are often asked to prove the exact business process they followed. As part of this, auditors also look for a record of every time key documents were touched, when, and by whom.
We recommend capturing a comprehensive audit trail of the signing process, because it enables you to demonstrate exactly how a customer completed a transaction on the web or through a mobile device or mobile app.
What to look for:
Look for a single, unified audit trail that captures the step-by-step identity verification, authentication, and e-signature events in the transaction. This should include:
- Method used and device used to identify or authenticate each participant
- IP address of each participant
- Date and time stamp of all events
- All web pages, documents, disclosures, and other information presented
- The length of time spent reviewing each document
- What each party acknowledged, agreed to, and signed
- All other actions taken during the transaction, such as failed authentication attempts (if any) and data fields that have been edited
In addition, we recommend looking for e-signature software that embeds the audit trail directly in the signed document for easy verification and storage. E-Signed documents that can be verified and archived independently of the e-signature vendor provide an additional layer of security. Whether or not you maintain an account with the e-signature service in the future, your documents are not affected since you, your customers, and other stakeholders do not have to go online to access or verify the e-signed document.
The only way to achieve vendor independence is to have a solution that embeds the electronic signatures, time stamping, and audit trail directly in the document. This creates a self-contained, portable record.
In addition to making eventual audits much easier, these audit trail records provide additional protection in the event of a dispute. Remember that in that situation, the best evidence wins. It is especially important to record how each signer identified/authenticated before gaining access to the signature process, due to the legal requirement to connect each signature to an individual.
White labeling for e-signature security
White labeling (custom branding) holds significant importance for two reasons.
- It creates a seamless experience for the signer. From the first invite email through the signing process, the signer engages only with your brand – not the e-signature vendor’s brand. This builds trust with your customers and leads to higher completion rates.
- It helps prevent phishing attacks. Phishing is one of the most successful tactics to steal credentials. While organizations add more layers of enterprise security, phishing attacks continue to wreak havoc because the attack surface centers on people instead of systems. As such, the emails generated by well-known e-signature providers have become a target for spoofs designed to trick people into divulging login credentials.
Recently, security researchers at Armorblox identified a phishing scheme that spoofed a common workflow email from a leading e-signature provider. The malicious email bypassed cloud and in-house email security solutions and targeted thousands of users across multiple organizations.
With a white-labeled electronic signature solution, such as OneSpan Sign, your business can put its own brand front and center, limiting the appeal for would-be fraudsters. By customizing the content, colors, logo, and other elements of your emails, you can create a unique style that would require too much individual effort to make it worth the effort for phishers.
What to look for:
An e-signature solution that encourages you to:
- Integrate with your own email servers so the e-sign emails can be sent from your domain (e.g., @yourcompany.com)
- Customize the content and appearance of email notifications
- Customize the colors, logo, headers, navigation bars, footers
- Customize dialog boxes and error messages
Secure storage for e-signed documents
As digitization increases, there are growing concerns about cyberattacks and bad actors harnessing emerging technologies to attack an enterprise’s most valuable files, contracts, and digital agreements. The risks of being hacked could be severe, ranging from data loss and document manipulation to identity theft, asset theft, and even legal consequences.
To protect digital documents, it is important to consider capabilities like blockchain-backed digital storage to enhance security and ensure long-term integrity.
The advantage of vault solutions built on the blockchain is that they use a decentralized and distributed ledger. They store and validate document origin data across multiple locations; by distributing data, decentralized storage solutions eliminate single points of failure and ensure data integrity.
OneSpan Trust Vault utilizes a secure digital vault to protect digitally signed documents. It ensures the security and integrity of digital documents, protecting against internal and external threats such as unauthorized manipulation and falsification.
What to look for in a blockchain-backed digital storage solution:
- Irrefutable proof certificates for document origin date
- Tamper detection and protection to protect against unauthorized manipulation
- Long-term protection that preserves document integrity for the lifetime of the agreement
- Granular access management and control
- Support for multiple languages to ensure global reach
- End-to-end audit trail, tracking all user actions for transparency and regulatory requirements
- Availability via UI and API
- Out-of-the-box fully integrated with your e-signature solution – a single platform to simplify workflows, remove manual work, and reduce human error
In addition to the criteria listed above, look at the protocols an e-signature vendor has in place to identify and prevent data breaches. It’s important to understand the vendor’s security practices, certifications, track record, and the frequency of their security audits.
Performing due diligence around a vendor’s security practices and infrastructure could expose past privacy breaches, incidents of data loss/leakage, or other risks related to data security.
What to look for:
A solution that captures information about the signature process, including:
- Verify that the e-signature platform uses strong data encryption in transit and at rest, and stores data within an encrypted database volume using strong cryptography to ensure a secure channel for all communications.
- A vendor that partners with world-class cloud infrastructure service providers such as Amazon Web Services, IBM Cloud, or Microsoft Azure. These providers are designed and managed according to security best practices and comply with a variety of regulatory, industry, and IT standards for security and data protection, including: ISO 27001, SOC 2, SOC 3, HIPAA, FIPS 140-2, FISMA, and much more.
- In addition to the data center level, look for a vendor that meets additional security control and compliance requirements at the application layer. This ensures that the e-signature solution is secure and customer data is protected.
- Global data centers to satisfy in-country data residency requirements.
E-signature security for trusted digital agreements
At OneSpan, we have 30 years of cybersecurity experience delivering e-signature and authentication solutions to ensure a transparently secure experience across all digital and mobile channels. This security is seamlessly embedded in modern digital workflows to ensure the best possible customer experiences and the highest completion rates.
We can guide you in securing your digital agreements, while providing your customers with a trusted and delightful experience, no matter your use case, channel, or geography – today and into the future.
Ready to choose the ideal eSignature software solution for your business? Experience the power of security and versatility with OneSpan Sign — sign up for a free trial.