Are Electronic Signatures Safe?
Yes, electronic signatures are safe, and in this post, we’ll cover why an e-signature is more secure than a wet signature, how e-signatures work and the features that help keep them safe.
Why an e-signature is more secure than a wet signature
A common question people have is “Can my digital signature be forged, misused or copied?” The reality is, wet signatures can easily be forged and tampered with, while electronic signatures have many layers of security and authentication built into them, along with court-admissible proof of transaction.
Electronic record
Unlike a wet signature, an e-signature can be backed by an electronic record from the provider that serves as an audit trail and proof of the transaction. For example, the audit trail may include the history of signature-related actions taken with the document, such as details on when it was opened, viewed and signed. Depending on the provider, and if the signer agreed to allow access to their location, the record will also show the geolocation where it was signed. If one of the signers disputes their signature, or if there’s any question about the transaction, this audit trail is available to all participants in the transaction and can resolve such objections.
Certificates of completion
More detailed certificates of completion can include specific details about each signer on the document, such as the consumer disclosure indicating the signer agreed to use e-signature, the signature image, key event timestamps and the signer's IP address and other identifying information.
Tamper-evident seal
Once the signing process is complete, some providers may digitally seal the documents using Public Key Infrastructure (PKI), an industry-standard technology. This seal indicates the electronic signature is valid and that the document hasn’t been tampered with or altered since the date of signing.
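The three mechanisms above fit together as follows: the audit-trail events are hash-chained in order, the chain head is bound to the document bytes, and the seal is a digital signature over that combined digest with the provider's private key. This is an added illustration in Go, not DocuSign's code or any provider's actual format: the event fields, the chain layout and the ECDSA P-256 key are assumptions, and the document text and events are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuditEvent is one audit-trail entry. The field set is an assumption
// modelled on the events the post mentions (opened, viewed, signed).
type AuditEvent struct {
	Signer, Action, Time, IP string
}

// Envelope is a document together with its audit trail.
type Envelope struct {
	Document []byte
	Events   []AuditEvent
}

// chainHead folds every event into a running SHA-256 chain, so changing,
// removing or reordering any event changes the final value.
func chainHead(events []AuditEvent) string {
	prev := ""
	for _, e := range events {
		h := sha256.New()
		h.Write([]byte(prev))
		h.Write([]byte(e.Signer + "|" + e.Action + "|" + e.Time + "|" + e.IP))
		prev = hex.EncodeToString(h.Sum(nil))
	}
	return prev
}

// digest binds the document bytes to the chain head; the seal signs this.
func digest(env *Envelope) []byte {
	h := sha256.New()
	h.Write(env.Document)
	h.Write([]byte(chainHead(env.Events)))
	return h.Sum(nil)
}

// Seal signs the envelope digest with the provider's ECDSA P-256 key.
func Seal(priv *ecdsa.PrivateKey, env *Envelope) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(env))
}

// VerifySeal recomputes the digest from the stored document and events
// (never trusting a stored hash) and checks it against the public key.
func VerifySeal(pub *ecdsa.PublicKey, env *Envelope, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(env), sig)
}

// RunScenario seals a constructed envelope, then reports whether the
// untouched copy, a copy with an edited document and a copy with a
// backdated signing event still verify.
func RunScenario() (orig, docEdited, eventEdited bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	env := &Envelope{
		Document: []byte("Lease agreement v3 (constructed sample)"),
		Events: []AuditEvent{
			{"alice@example.com", "opened", "2024-01-05T09:00:00Z", "203.0.113.5"},
			{"alice@example.com", "viewed", "2024-01-05T09:01:10Z", "203.0.113.5"},
			{"alice@example.com", "signed", "2024-01-05T09:03:42Z", "203.0.113.5"},
		},
	}
	sig, err := Seal(priv, env)
	if err != nil {
		return
	}
	orig = VerifySeal(&priv.PublicKey, env, sig)

	// Alter the document after sealing: the digest no longer matches.
	edited := &Envelope{Document: []byte("Lease agreement v3 (constructed sample) + extra clause"), Events: env.Events}
	docEdited = VerifySeal(&priv.PublicKey, edited, sig)

	// Backdate the signing event after sealing: the chain head changes.
	events := append([]AuditEvent(nil), env.Events...)
	events[2].Time = "2024-01-04T09:03:42Z"
	backdated := &Envelope{Document: env.Document, Events: events}
	eventEdited = VerifySeal(&priv.PublicKey, backdated, sig)
	return
}

func main() {
	orig, docEdited, eventEdited, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("untouched: %v  edited document: %v  backdated event: %v\n", orig, docEdited, eventEdited)
}
```

The point for a verifier is that nothing stored alongside the document is trusted: both the event chain and the document digest are recomputed from the raw data on every check, so an edit to either the PDF or the certificate-of-completion details invalidates the seal.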
How electronic signatures work
The exact signing process varies depending on the e-signature provider that you use, but the underlying workflows of more robust solutions are similar.
Sending a document for e-signature:
- Upload the document you need signed, such as a Word document or a PDF file
- Tag the sections that require initials, signatures, phone numbers, etc.
- Select the methods of signer authentication you want to use
- Send the file via the service to your designated recipient’s email
Signing a document:
- Receive an email notification to review and sign a document
- Verify your identity before signing (if the sender selects that option)
- Read the disclosure documents and agree to use the electronic process
- Review the document and complete any necessary fields, including attaching any required documents
- Sign the document by clicking the signature button or applying an e-signature mark
Once all recipients have signed a document, they’re notified, and the document is stored electronically where it can be viewed and downloaded. All of this is done safely due to the built-in security features and the processes that e-signature providers follow.
Methods of verifying signer identity
E-signature technology offers multiple options for verifying a signer’s identity before they can access the document and sign, including:
- Email address: signers enter their own email address, which is compared to the email address used in the invitation
- Phone call: signers must call a phone number and enter their name and access code
- SMS: signers must enter a one-time passcode sent via SMS text message
- Knowledge-based questions: signers are asked personal questions gathered from commercially available databases, such as past addresses or vehicles owned
- Photo ID upload: signers are verified using their government-issued photo IDs such as passport, driver license or residence permit
- Electronic or bank-based IDs: signers can submit their login credentials for existing bank accounts or government accounts to prove their identity
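The SMS one-time passcode option above is the one most often implemented in-house, and its safety depends on details the bullet does not spell out: the code must come from a cryptographic random source, expire quickly, be usable once, and tolerate only a few wrong guesses. The following Go code is an added example of such a verifier, not DocuSign's or any provider's code; the five-minute lifetime, six-digit length and three-attempt limit are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const (
	codeTTL     = 5 * time.Minute // assumed lifetime of an SMS passcode
	maxAttempts = 3               // assumed limit on online guessing
)

var (
	ErrExpired   = errors.New("passcode expired")
	ErrLockedOut = errors.New("too many incorrect attempts")
	ErrUsed      = errors.New("passcode already used")
	ErrMismatch  = errors.New("passcode does not match")
)

// Challenge is one issued passcode and its verification state.
type Challenge struct {
	code     string
	expires  time.Time
	attempts int
	used     bool
}

// GenerateCode draws a six-digit code from crypto/rand. math/rand is the
// classic weak choice here because its output is predictable.
func GenerateCode() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// NewChallenge records a code and its expiry. The code is what the
// provider sends by SMS; it is never returned to the browser session.
func NewChallenge(code string, issued time.Time) *Challenge {
	return &Challenge{code: code, expires: issued.Add(codeTTL)}
}

// Verify checks a submitted code. The attempt counter is incremented
// before the comparison so every wrong guess counts, the comparison is
// constant-time, and a correct code is consumed so it cannot be replayed.
func (c *Challenge) Verify(submitted string, now time.Time) error {
	switch {
	case c.used:
		return ErrUsed
	case now.After(c.expires):
		return ErrExpired
	case c.attempts >= maxAttempts:
		return ErrLockedOut
	}
	c.attempts++
	if subtle.ConstantTimeCompare([]byte(submitted), []byte(c.code)) != 1 {
		return ErrMismatch
	}
	c.used = true
	return nil
}

func main() {
	code, err := GenerateCode()
	if err != nil {
		panic(err)
	}
	wrong := "000000"
	if wrong == code {
		wrong = "000001"
	}
	issued := time.Now()
	ch := NewChallenge(code, issued)
	fmt.Println("wrong guess:", ch.Verify(wrong, issued.Add(10*time.Second)))
	fmt.Println("right code: ", ch.Verify(code, issued.Add(20*time.Second)))
	fmt.Println("replayed:   ", ch.Verify(code, issued.Add(30*time.Second)))
}
```

The attempt limit is what makes a six-digit space safe: without it, a million guesses are well within reach of an automated client, and a leaked but expired code is worthless because the expiry check runs before anything else.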
For situations where additional levels of signature validity are necessary, some providers offer two additional levels of e-signature that comply with the European Union’s (EU) eIDAS requirements:
- Advanced: requires a higher level of security, identity verification and authentication to establish a link to the signatory; and includes a certificate-based digital ID (X.509 PKI) issued by a trusted service provider
- Qualified: an even more secure version of an advanced e-signature that utilizes a “secure signature creation device” and is deemed a legal equivalent to a wet signature in the EU
The importance of a security-first approach to e-signatures
The level of e-signature security varies by provider, so it’s important to choose a provider that has robust security and protection woven into every area of its business. Those security measures should include:
- Physical security: protects the systems and buildings where the systems reside
- Platform security: safeguards the data and processes that are stored in the systems
- Security certifications/processes: help ensure the provider’s employees and partners follow security and privacy best practices
Physical security
- Geo-dispersed data centers with active and redundant systems and physical and logically separated networks
- Commercial-grade firewalls and border routers to detect IP-based and denial-of-service attacks
- Malware protection
- Secure, near real-time data replication
- Around-the-clock onsite security
- Strict physical access control with monitored video surveillance
Platform security
- Data encryption in transit and at rest with TLS connections and AES 256-bit encryption
- Data access and transfer via HTTPS
- Use of Security Assertion Markup Language (SAML), giving users the latest capabilities for Web-based authentication and authorization
- PKI tamper-evident seal
- Certificate of completion
- Signature verification and unalterable capture of signing actions and completion status
- Multiple authentication options for signers
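The encryption-at-rest item in the list above, worked through as an added Go example (not DocuSign's or any provider's code): AES-256-GCM with a fresh random nonce per document, and the envelope ID bound in as associated data so that a stored blob cannot be silently moved to another envelope. Generating the key in memory stands in for a KMS or HSM, and the document text and envelope IDs are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDocumentKey returns a fresh 256-bit key. A real platform would fetch
// this from a KMS or HSM; generating it here is an assumption for the demo.
func NewDocumentKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptDocument seals plaintext with AES-256-GCM. A random nonce is
// stored in front of the ciphertext, and the envelope ID is authenticated
// as associated data, so the blob is tied to the envelope it belongs to.
func EncryptDocument(key, plaintext, envelopeID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, envelopeID), nil
}

// DecryptDocument reverses EncryptDocument; GCM's tag check fails on any
// modified byte and on a mismatched envelope ID.
func DecryptDocument(key, blob, envelopeID []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob shorter than a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, envelopeID)
}

// RoundTrip stores and reloads a constructed document, then shows that a
// flipped ciphertext byte and a wrong envelope ID are both rejected.
func RoundTrip() (recovered string, flipRejected, wrongIDRejected bool, err error) {
	key, err := NewDocumentKey()
	if err != nil {
		return
	}
	plaintext := []byte("Signed lease agreement (constructed sample)")
	id := []byte("envelope-0001")
	blob, err := EncryptDocument(key, plaintext, id)
	if err != nil {
		return
	}
	out, err := DecryptDocument(key, blob, id)
	if err != nil {
		return
	}
	recovered = string(out)

	flipped := append([]byte(nil), blob...)
	flipped[len(flipped)-1] ^= 0x01 // corrupt one byte of the GCM tag
	_, flipErr := DecryptDocument(key, flipped, id)
	flipRejected = flipErr != nil

	_, idErr := DecryptDocument(key, blob, []byte("envelope-0002"))
	wrongIDRejected = idErr != nil
	return
}

func main() {
	recovered, flipRejected, wrongIDRejected, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q; tamper rejected: %v; wrong envelope rejected: %v\n",
		recovered, flipRejected, wrongIDRejected)
}
```

The design choice worth noting is authenticated encryption: a mode such as AES-CBC without a MAC would decrypt a modified blob to garbage without complaint, whereas GCM refuses to return any plaintext at all once a single byte or the associated data has changed.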
Security certifications/processes
- Compliance with applicable laws, regulations and industry standards governing digital transactions and electronic signatures, including:
  - ISO 27001:2013: the highest level of global information security assurance available today
  - SOC 1 Type 2 and SOC 2 Type 2: both reports evaluate internal controls, policies and procedures, with the SOC 2 report focusing on those directly related to security, availability, processing integrity, confidentiality and privacy at a service organization
  - Payment Card Industry Data Security Standard (PCI DSS): ensures safe and secure handling of credit card holder information
  - Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) program: comprises key principles of transparency, rigorous auditing and harmonization of standards
  - Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processor (PRP) System: comprises the Cross-Border Privacy Rules (CBPR) and Framework to protect the privacy and security of personal information at rest and in transit
- Ability to help support compliance obligations with specialized industry regulations, such as HIPAA, 21 CFR Part 11 and specified rules from the FTC, FHA, IRS and FINRA
- Security management processes and development practices, including business continuity and disaster recovery planning, employee training, secure coding practices, formal code reviews and regular, code-base security audits
For more information on the safety and security of DocuSign eSignature specifically, consult DocuSign's eSignature security documentation.