Cyber Security Month: Authentication options for digital signatures

Posted by John Harris

Here we are in the third week of National Cyber Security Awareness Month…feeling more secure yet? It’s difficult, right? Security on the internet is a constantly running battle…just as software advances to meet threats from hackers, new threats emerge. Vigilance is the best policy, as is understanding your risks.

When it comes to conducting business online and using electronic signatures to execute agreements and initiate those relationships, it’s important to understand who you are doing business with. Face-to-face, you can rely on physical identification methods. But in remote situations, you cannot typically fall back on these tried and true ways of authenticating clients. This is where understanding risks comes into play. There may be some transactions with low risk, and others where the stakes are higher, due to the value of a contract or the type of information being agreed to.

SIGNiX is very aware of the diversity of interactions that our customers have with their clients, and we’ve built a variety of authentication methods into our service so that customers can match risk with an appropriate security model for each transaction. In fact, customers can assign different authentication methods to each party in the same transaction. (FYI, in this blog entry, ‘customers’ are organizations who are deploying and relying on the SIGNiX service for electronic signatures. ‘End users’ or ‘clients’ are the individuals who are actually signing documents within the service.)

The authentication methods offered by SIGNiX are described below in ascending, relative order of strength.

1) Basic, Email-only authentication

Description: Proves a user has access to a specific email address.

Use case: Limited situations, when level of risk is very low.

In Operation: A user is sent an email with a link to the transaction, based on the email provided for that party during setup of the transaction. If the user receives the email and clicks on the link, SIGNiX considers the user ‘authenticated,’ and the transaction continues. 

[Image: Email Authentication]


2) Supplied Questions

Description: Leverages information known by the customer about the end user, including account number or other information not widely known outside the relationship between customer and end user.

Use case: Typically used alongside other authentication models to add additional strength.

In Operation: A user is sent an email with a link to the transaction, based on the email provided for that party during setup of the transaction. After answering any other authentication challenges (see the other methods in this blog entry), the user is also asked to answer question(s) generated by the customer, which may be shared secrets. If the user (1) receives the email and clicks on the link, (2) optionally authenticates via other mechanisms and (3) successfully answers the challenge questions, SIGNiX considers the user ‘authenticated,’ and the transaction continues.


3) Sponsored / Pass-thru

Description: Leverages authentication provided by an integrated partner’s system.

Use case: Typical for integrated models where customer/partner already has trusted authentication models in place and prefers to rely on them based on desired user experience.

In Operation: A user may or may not be sent an email with a link to the transaction, depending on the integration. Instead the client/partner of SIGNiX authenticates the user within their own system, according to their own best practices, and then, if successful, requests a link from SIGNiX for access to the transaction. In this model, the client/partner assumes responsibility for the authentication of the user.


4) SMS / Text Message

Description: Sends a text message with a one-time password to a user’s mobile. Proves a user has access to an email address and a specific mobile device.

Use case: For customers desiring inexpensive, multifactor authentication (what you have – phone and what you know – password to access your email) with a low burden on the end user.

In Operation: A user is first sent an email with a link to the transaction, based on the email provided for that party during setup of the transaction. Once the user consents to the use of e-signatures, an SMS text message containing a random, one-time password is delivered to the user’s mobile device, based on the mobile phone number provided for that party during setup of the transaction. If the user is (1) able to access the email and click on the link, and (2) able to receive the text message on their mobile device and enter the one-time password into the website, SIGNiX considers the user ‘authenticated,’ and the transaction continues.
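As an added illustration (not SIGNiX code; the token length, five-minute lifetime and three-attempt limit are assumptions), here is the email-link-then-SMS flow modelled with the checks a verifier would want: the one-time password is only issued after the link step succeeds, it is random, it expires, it is single-use, and it is revoked after repeated wrong guesses.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300    # assumed lifetime of the SMS one-time password
MAX_OTP_ATTEMPTS = 3     # assumed guess limit before the code is revoked


class PartyAuth:
    """Tracks one signer's progress through the email-link and SMS OTP steps."""

    def __init__(self, email, mobile, now=time.time):
        self.email, self.mobile, self.now = email, mobile, now
        self.link_token = secrets.token_urlsafe(32)   # embedded in the emailed link
        self.link_clicked = False
        self.otp = None            # issued only after the link step succeeds
        self.otp_expires = 0.0
        self.otp_attempts = 0
        self.authenticated = False

    def click_link(self, token):
        # Step 1: prove access to the email address (constant-time compare).
        if hmac.compare_digest(token.encode(), self.link_token.encode()):
            self.link_clicked = True
        return self.link_clicked

    def send_sms_otp(self):
        # Step 2: issue a fresh random 6-digit code; refuse if step 1 is not done.
        if not self.link_clicked:
            raise PermissionError("email link not yet verified")
        self.otp = f"{secrets.randbelow(10**6):06d}"
        self.otp_expires = self.now() + OTP_TTL_SECONDS
        self.otp_attempts = 0
        return self.otp   # handed to the SMS gateway; never shown in the browser

    def verify_otp(self, code):
        # Step 3: time-limited, attempt-limited, single-use check.
        if self.otp is None or self.now() > self.otp_expires:
            self.otp = None                       # expired codes are discarded
            return False
        self.otp_attempts += 1
        ok = hmac.compare_digest(code.encode(), self.otp.encode())
        if ok or self.otp_attempts >= MAX_OTP_ATTEMPTS:
            self.otp = None                       # consumed, or revoked after too many misses
        if ok:
            self.authenticated = True
        return ok
```

The `now` parameter exists so expiry can be exercised with a fake clock; in production the default `time.time` is used.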

[Images: SMS Authentication; Text Message Authentication]


5) Identity Vetting / Know Your Customer (KYC)

Description: Confirms specific information about a user, such as social security number (SSN), date of birth (DOB), etc. Proves that a user not only has an email address but also possesses more privileged information.

Use case: Transactions with higher risk may prefer to rely on this, based on information about the end user already supplied to or known by the customer. Typically used in coordination with other questions to the user. (See Supplied Questions above.)

In Operation: A user is first sent an email with a link to the transaction, based on the email provided for that party during setup of the transaction. Once the user consents to the use of e-signatures, the user is prompted for their SSN and DOB. If the user is (1) able to access the email and click on the link, and (2) successfully answers the questions as outlined above, SIGNiX considers the user ‘authenticated,’ and the transaction continues.


6) Knowledge-Based Authentication (KBA)

Description: Asks the user very specific questions about past residences, possessions, and transactions based on 30 years of public databases. Proves that a user not only has access to an email address, but also possesses significantly privileged information.

Use case: This is the highest form of authentication currently offered by SIGNiX, and is best used in transactions where the identity of the signer must be abundantly clear; for example, loan documents, high value trades, or real estate closings.

In Operation: A user is first sent an email with a link to the transaction, based on the email provided for that party during setup of the transaction. Once the user consents to the use of e-signatures, the user is first prompted for their SSN/DOB and, if they answer successfully, a set of 4 questions is generated. All questions are multiple choice. If the user is (1) able to access the email and click on the link, and (2) successfully answers the questions as outlined above, SIGNiX considers the user ‘authenticated,’ and the transaction continues.

[Image: KBA Authentication]


As you can see, SIGNiX is committed to offering authentication that ramps up to meet customers’ varying transaction risk profiles. SIGNiX is also open to customer requests to support other authentication methods.
