Electronic signatures

September 2011 Access Control & Identity Management

Electronic signature capture is a technology for signing electronic document files with a handwritten signature. The use of this technology allows for the complete elimination of the mailing, storage, filing, copying and retrieval of paper documents. As businesses continue to replace paper documents, contracts, and forms with more efficient and cost-effective electronic substitutes, electronic signature technology becomes an increasingly important investment. The cost and time savings of doing business electronically are evident across many sectors and industries, yet many companies are still choosing which technology or method is best suited to their needs. Creating, signing, transmitting, and storing any and all documents electronically and in such a way as to be legally binding can seem like a daunting task.

What is an electronic signature?

Electronic signature means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication. With the correct validated software you can produce legal ‘advanced electronic signatures’ in accordance with the Electronic Communications and Transactions (ECT) Act.

To meet these requirements an electronic signature must meet the following criteria:

a) It can be uniquely linked to the signatory.

b) It is capable of identifying the signatory.

c) It is created using means that the signatory can maintain under his sole control.

d) It is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

Several different methods and technologies exist for attaching electronic signatures to documents according to these stipulations. Two common types of signature technology that are widely available yet differ greatly in substance are PIN/password signature stamps, PKI and digitised handwritten signatures.

A PIN/password stamp inserts a single fixed signature image into each signed document when a user types a password or PIN. Digitised handwritten signatures are captured with special pen-and-tablet systems that convert a user’s signature accurately into pen events or a summary image. These methods have different ramifications for security and authentication.

Why to avoid PIN/password and PKI signatures

While companies that provide PIN signature stamps may claim that their technology is legally compliant because it qualifies as an electronic sound, symbol, or process, it falls far short of the holistic requirements enumerated above. As a practical point, each one of these signatures is identical in form and composition, as if they were made with a single rubber stamp.

The appearance of the signature on a document is not a record of a person’s signature, but rather a result of a particular password being typed. A forensic examiner viewing the signature image cannot determine its point of origin since any person could have typed the PIN or password. As such, PIN signature stamps fall short of the authentication requirements of criterion (d) listed above. Should a password become compromised, each document a person had ever signed with the PIN method would be questionable, since each signature appears identical and it cannot be proven which are authentic and which are fraudulent.

For these reasons, businesses are advised to invest in an electronic signature technology that creates a unique electronic record for each signing instance, and not to rely on a rubber stamp technology. PKI digital signatures and certificates are simply a more complex version of rubber stamp technology, except that a larger (often 128-bit) encryption number is used, meaning it is too large to be remembered and typed. Portability is also limited because the key is permanently linked to a host computer, or a secure smartcard that can be lost, stolen, or hacked.

Signature security

For the sake of privacy and legal enforceability, an electronic signature must remain under the sole control of the signer to be valid under law. To satisfy this requirement, a signature must be placed or linked into the relevant document directly, with no interlopers or copies, and then bound to the document in such a way as to render document tampering detectable. Without these critical features, it would not be possible to prove that a signatory did indeed assent to the terms of the written agreement, or that the language in the document was identical in form to the state in which it was initially signed.

There is no substitute for an effective security policy which prevents viruses, worms and data sniffers from residing on a client or server computer. Encryption gimmicks in a signature pad connected to a PC provide a false sense of security if a rogue program or keyboard, printer, screen, memory or USB data sniffer is also on the PC. Matters can be made worse if overly powerful and unnecessary processors and operating systems are employed in electronic signature devices, due to latent bugs and viruses or internal data storage and encryption; as these techniques further jeopardise and remove security monitoring and update capability from the hands of IT personnel.

On the other hand, there is value in monitoring and evaluating the integrity of data received from a signature pad, such as the point sampling rate, and detection of unusual time-related activity in signing which may indicate an attempt to trace or forge a signature (slow-signing effect).

Document security and signature binding are also important. If the signature is not linked to the contents of the written agreement, it has no real value since there would be no evidence of tampering or changes made to the terms post signing. In the paper-based universe, forensic examiners can perform a series of sophisticated test using infrared, ultraviolet, and microscopic inspection to determine whether ink has been added or subtracted. In the electronic realm, this is accomplished using a cryptographic hash and binding system, rendering a signature essentially lost if the contents of the agreement are changed.

Signature authentication

An important characteristic of ink-on-paper signatures is that they can be individually studied and analysed by forensic handwriting experts, then compared to other existing samples for authentication. Perhaps the most significant challenge to the validity of an electronic signature is the issue of authentication, since few technology providers support their technology with verification tools. If a signature cannot be attributed to the purported signatory, it is worthless. Electronic signatures are no exception to this and must be capable of authentication to be valid and binding. When considering an electronic signature solution, clients should insist that the technology provider have authentication tools and training in-place before selecting their solution.

Systems that embed a signature image into an electronic document (whether via PIN or biometric input) have less legal weight than faxed or photocopied signatures. Like rubber-stamp signatures, the object representing the signature is a superficial representation with no data linking the image to a biometric performance and unlike a fax transaction, there is no third-party record of the transmission.

The most accurate, reliable, and secure method of capturing a signature is in the form of raw pen events. A file of this type contains no images or analysis of the signature, just the pen events and position converted at high speed. This data has the additional advantage of being stored in a database or bound to the contents of a document very securely since it does not exist as a common image file format. It cannot be easily copied or viewed and used as a reference for forgers since there is no embedded image. Furthermore, since all original captured pen events are present in the e-signature itself, a forensic expert can later examine it point-by-point using specialised signature analysis software.

Understanding biometrics and authentication

Another issue to consider with handwritten digitised signatures is the type of biometric data, if any, that is captured and stored in the signature file. Beware of pen pressure measurement. Pressure is an unreliable biometric measurement because of the high degree of uncertainty inherent from one signing instance to another. The level of pressure a signature pad senses for a single person will vary widely based on height and orientation of the signatory to the sensor, the person’s mood, time of day, angle of the pad, size of the pen or stylus, calibration of the software, sensor age and wear, etc. As a result, a pressure-oriented primary biometric is susceptible to unnaturally high false-negative responses when automated or independent validation is attempted. In other words, when pressure is used to determine the validity of one or more signatures, it is far more likely to be a cause for rejection than for authentication, even if the signatures were created by the same user. Drastic variance makes signatures difficult to authenticate, even if they are valid.

Be sure that the technology provider offers software for signature authentication or signed records will not have an enforcement mechanism should legal challenge arise. Several software providers offer automated template-based validation, but this technique is often not a viable option for post-signature back-end authentication. Examiners cannot independently verify the signature. It also requires each user to offer enough signatures to create a sample template, which is unwieldy, especially in a one-time customer interaction in a bank, pharmacy, or mortgage lender’s office. While automated validation software has many useful applications, be sure to choose a technology which is supported by independent forensic authentication tools. Many technology providers promise true biometric signatures, but lack the authentication tools.

For more information contact Brand New Technologies, +27 (0)11 450 3088, [email protected]





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Unlock data insights and integration
Gallagher Access Control & Identity Management Products & Solutions
Gallagher Security announced the release of its security site management software, Command Centre v9.20, which enables integration with Microsoft Entra ID, a cloud-based identity and access management system that provides seamless synchronisation of cardholders across systems.

Read more...
Gallagher Security opens Cape Town office
Gallagher News & Events Access Control & Identity Management
Acknowledging a significant period of growth for the company in South Africa, opening a second office will enable Gallagher to increase its presence across the region with staff based in Johannesburg and Cape Town.

Read more...
Securing access against unwanted visitors
Intelliguard Access Control & Identity Management Residential Estate (Industry) Products & Solutions
In today's residential estates and complexes, one of the biggest concerns is preventing unauthorised access, while ensuring a smooth and convenient experience for residents and approved visitors.

Read more...
Smart access for a safer community
neaMetrics Suprema Access Control & Identity Management Residential Estate (Industry) Products & Solutions
Suprema's BioEntry W3 integrates AI-powered facial authentication into a sleek design that prioritises security, privacy and user experience, and even allows users to store their facial templates on their mobiles instead of external devices.

Read more...
Effortless and secure visitor management
Secutel Technologies Access Control & Identity Management Residential Estate (Industry)
Secutel Ventures has introduced SecuVisit, an access control solution designed to simplify visitor management while enhancing security. With two innovative components onboard, SecuVisit ensures seamless visitor check-ins anytime, anywhere.

Read more...
Glovent’s SOS Suite triple protects estate residents
News & Events Access Control & Identity Management Residential Estate (Industry)
One hundred and fifty-three years since the world’s first panic button was introduced in New York City, Glovent offers estate residents three different ways of summoning emergency assistance at the touch of a button.

Read more...
Security professionals gather at Integrate 360
Gallagher Access Control & Identity Management News & Events
Gallagher Security’s Integrate 360 brought together some of the best minds in security, innovation, and technology for two days full of insights, demonstrations, and future-focused discussions.

Read more...
Suprema showcases enterprise security at Integrate 360
Suprema News & Events Access Control & Identity Management
Since 2006, neaMetrics, Suprema’s distributor in Africa, has worked closely with Gallagher, building a robust partnership resulting in seamless integration between Suprema’s advanced biometric readers and Gallagher’s security management platform.

Read more...
New ASSA ABLOY facility opens in South Africa
ASSA ABLOY South Africa iDSystems Impro Technologies Access Control & Identity Management News & Events
ASSA ABLOY announced the opening of its new facility in Durban, South Africa. This new site unites IDS and Impro operations, bringing both manufacturing plants under one roof to create a hub for innovative access solutions.

Read more...
iProov achieves FIDO Remote Identity Verification certification
News & Events Access Control & Identity Management
iProov, iiDENTIFii’s technology partner in Africa, is the first to achieve the new, global certification in face biometric identity verification from the FIDO Alliance, an open industry association whose mission is to reduce the world’s reliance on passwords.

Read more...