Digital Signature Blog

How Digital Signatures Work: A Step-by-Step Look at a Digital Signature Transaction

Written by John Harris | 9/28/16 11:30 AM

There are a lot of reasons digital signatures are great for business. They’re fast. They save money. They improve document accuracy. They boost security. They’re easy to use.

But unless you’re a true techie, or you live and breathe e-signatures the way we do at SIGNiX, it’s a bit more challenging to wrap your mind around how digital signatures work and why digital signatures are the most secure, reliable, legally defensible type of electronic signature. This is especially true if you’re trying to compare an electronic signature to a digital signature. Terms like “public key infrastructure,” “digital certificate” and “certification authority” can muddy the water if you’re not already familiar with the detailed digital landscape.

Here’s a brief refresher: Digital signatures, also known as Independent E-Signatures™, are a type of standards-based electronic signature that permanently embed the legal evidence of a signature into a signed PDF document. Users never have to rely on a vendor for access to the proof that shows a signature is legal and valid. 

To the signer, a digital signature transaction via SIGNiX happens instantaneously and seamlessly. All it takes is a few clicks of the mouse for a document to be signed digitally. But behind the scenes, a complex series of events occurs that makes the digital signature the best type of electronic signature for companies in highly regulated industries – or any business that cares about security and long-term legal validity.

 

So let’s start from the beginning:

  1. A document is uploaded into a browser-based wizard. (This can also be accomplished via code with the SIGNiX API, but we’ll keep it simple for now.)
  2. Signature fields are dragged and dropped onto the document.
  3. The system emails a link to the signer(s) and requests their review and signature.
  4. The signer must authenticate his identity. This may be done by simply logging into his email account to get access to the signed documents, or it could be more involved than that, depending on the level of security the sender selects. Signers may also need to answer detailed questions about themselves or provide a one-time passcode sent to them via a text message.

Now, here’s where the real magic begins:

  1. The signer creates a Signing Password and chooses a font or free-hands his signature with a mouse, and digitally signs the document. 
  2. Behind the scenes, SIGNiX generates a public/private key pair (two digital keys that are bound together) for the signer, in turn creating a digital certificate, giving an individual a secure digital identity in the SIGNiX system. (This process happens almost instantly behind the scenes of every digital signing process.)
  3. At signing, the user is authenticated against their identity, either implicitly or explicitly by typing their Signing Password again, and then a “fingerprint” is taken of the document. This long and unique string of characters is called a hash, and that hash is then mathematically tied to (encrypted by) the SIGNiX private key used for signing documents.
  4. The resulting signed hash is permanently embedded into the document alongside the public-facing digital certificate, IP address of the signer, transaction identification and browser used to sign. That embedded hash of the document becomes the real digital signature, because it provides tamper-evidence (or tamper-proofing) and the evidence that proves the document is valid and unique.
  5. Throughout the transaction, the audit trail records everything that happens - the creation of the document, sending of the document, emails that are sent, identity authentication, issuing of the digital certificate, the document’s hash, any changes that are made—everything.
  6. To the average eye, you’ll know the digital signature is valid when you see a green checkmark in the PDF when opening it in popular, dedicated PDF applications like Acrobat.
  7. Once a signer is finished signing, the signer’s digital certificate continues to work alongside the digital signature. Third parties can use it to verify the signature and the identity of the signer. The signature travels with every copy of the document. If someone changes the contents of the document after it’s been signed, the PDF viewer can detect it immediately. If that happens, you’ll see a yellow exclamation or a red “X” mark in the PDF, indicating that the signature isn’t valid, and the document may have been tampered with. Parties that are relying on this document don’t need to rely on a vendor to display that evidence online — or even an internet connection!
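
The hash-then-sign and tamper-detection steps above, as an added Go example that is not SIGNiX code. It assumes ECDSA P-256 with SHA-256, uses a raw public key where the article has a digital certificate, and a hypothetical `SignedDoc` struct where the article has a signed PDF; the IP address and transaction ID are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDoc is a hypothetical stand-in for a signed PDF and its embedded evidence.
type SignedDoc struct {
	Content, Signature      []byte           // document bytes; signed hash
	SignerKey               *ecdsa.PublicKey // stands in for the certificate
	SignerIP, TransactionID string           // constructed sample metadata
}

func NewSignerKey() (*ecdsa.PrivateKey, error) { // key pair generated for the signer
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign fingerprints the document with SHA-256 and signs that hash.
func Sign(priv *ecdsa.PrivateKey, content []byte, ip, txID string) (*SignedDoc, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDoc{content, sig, &priv.PublicKey, ip, txID}, nil
}

// Verify rehashes the bytes in hand and checks the embedded signature offline.
func Verify(d *SignedDoc) bool {
	digest := sha256.Sum256(d.Content)
	return ecdsa.VerifyASN1(d.SignerKey, digest[:], d.Signature)
}

func main() {
	priv, err := NewSignerKey()
	if err != nil {
		panic(err)
	}
	doc, err := Sign(priv, []byte("Loan amount: $10,000"), "203.0.113.7", "TX-EXAMPLE-1")
	if err != nil {
		panic(err)
	}
	fmt.Println("as signed:", Verify(doc))
	doc.Content[len(doc.Content)-6] = '9' // constructed post-signing edit
	fmt.Println("after edit:", Verify(doc))
}
```

Verification here shows only that the bytes match what this key signed. Binding the key to a person is the job of the certificate, which this example does not model.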

This whole process happens in the blink of an eye — and it’s easy for any user. All the hard work is left to the technology. But the impact these processes make is essential if someone claims, “I never signed that,” or if a regulatory authority checks the compliance or validity of e-signed documents.

 
