Skip to main content

Digital signature - There is no such thing as THE digital signature


In the current digital world, we are continuously digitally transacting with companies all over the world. Each transaction leaves a digital trace, allowing the company (in case of litigation) to prove you, as the user, have explicitly accepted the transaction.
However, as you have probably noticed while surfing on the internet, confirming a transaction can go from a single mouse-click up to a lengthy process flow, requiring actions like a complex authentication, delivery of one or more proof documents, one or more physical (non-digital) steps…​ This difference is almost always resulting from a conscious decision in a compromise between usability and operational risk (i.e. risk for litigations, fraud risk, reputation risk…​). Ideally a company would like to achieve the best possible user experience, combined with the lowest possible operational risk, but that is unfortunately not possible.
An electronic signature, which is accepted by law as a binding contract, ensures non-repudiation, which means a user cannot deny (repudiate) having performed the transaction. This is ensured via the combination of authentication and integrity:
  • Authentication: authentication ensures that the transaction is performed by a known user, i.e. the platform has authenticated the user performing the transaction.
  • Integrity: integrity ensures that the message (i.e. the content being signed) was not altered in transit
For both aspects, various methods exist, each setting a different compromise between usability and operational risk.
When looking at "Authentication", we need to make a distinction between "authentication", "identification" and "ensuring the capability to sign":
  • Authentication: authentication only tries to ensure that the person signing the transaction is the same as the person who registered the user. If the identity was not verified during the registration process, there is no guarantee on the identity of the user.
    A user can be digitally authenticated in 5 different ways. Typically, a 1-factor authentication is not enough to properly and securely authenticate someone. Instead 2 or multiple factors are applied (often with risk-based authentication requiring extra authentication methods, when the authentication risk exceeds a threshold).
    • Something you know: the user needs to provide information, only he can know (usually provided to the platform at moment of user registration). The most common method is username/password.
    • Something you have: authentication is done by something the user has in his possession, e.g. receive a code via SMS on user’s phone (user needs to have the phone) or access to a building via a smart card (user needs to have the card). This can also be achieved via address-based authentication (MAC address) or via an authentication cookie, as they identify your PC.
    • Something you are: typically, a biometric characteristic (e.g. fingerprint, iris, voice, face…​) allowing to authenticate the user.
    • Somewhere you are: the user’s location (e.g. IP address or GPS coordinate). As user’s location is usually not very distinctive, it is normally not used as a single authentication method, but in combination with another authentication method.
    • Something you do: authenticate a user through his user’s behavior (e.g. the way a person holds his phone, key stroke gesture, mouse movements…​)
  • Identification: as indicated above, it’s not because you are authenticated, that you are who you say you are. If the user’s identity was not verified at the moment of registration, an authenticated user is not an identified user. E.g. Google or Facebook allow someone to create an account under a different name, without any problem. In order to ensure also the user’s identity, identification is needed. This can also be achieved in different ways, with different levels of security, e.g.
    • Uploading a copy of the user’s ID-card or passport (issue is that an ID-card/passport can be stolen, especially a digital image of it).
    • Uploading one or more copies of invoices of utilities companies or other documents containing a verified identity.
    • A real-time video feed in which the user holds his ID-card next to his face (often combined with the request to blink your eyes, to avoid counterfeit).
    • Usage of a digital identity provider (e.g. in Belgium usage of eID or Itsme).
    • Make a link with another company which has already verified the user’s identity. E.g. banks have a verified digital identity of their customers, as they are forced to do a KYC (= Know Your Customer) verification in the onboarding process.
    • Note: many systems (e.g. banks) require an identification at onboarding, but afterwards only require authentication. This means that if the authentication tokens get stolen/hacked or if someone shares his credentials (e.g. someone doing a transaction with the credentials of his partner), there is no guarantee of identity. This could be solved by enforcing that every transaction is signed with a biometric authentication, but it would not always be appreciated by many users. Usually the lack of an easy digital process to (temporarily) grant access (giving mandate/consent) to another person, to act on your behalf, results in the sharing of credentials, which should of course be avoided.
  • Ensuring capability to sign: in order to get an electronic signature accepted before court, it is also important to proof that the user was in good health (i.e. good mental condition) to sign. As this is difficult to verify digitally, the law dictates that certain important legal documents still need a physical signature, in the presence of a sworn person (e.g. a notary or a public servant). With techniques for user behavior analysis improving (e.g. check if user behavior pattern is different from usual pattern), this might also become digitally possible soon.
The second aspect, namely the verification of "Integrity", also encompasses multiple aspects, like ensuring the user has read the content, the actual signing technique and the storage of the signature as future proof.
  • User has read the content: notaries in Belgium are obliged to read out loud the key points of the deed. This to ensure that user has at least heard all important elements of the deed. Regulators try to enforce digitally also that the user reads what he is signing. In many websites this is handled by:
    • A checkbox, stating you have read and understood the content, which you need to check in order to continue the process
    • A mechanism to enforce that the full documents needs to be scrolled-through, before user can continue
    • The need to type over a characteristic of what you are signing in the signature process. E.g. for certain banks when signing a payment, you need to input the amount as challenge on your Digipass, in order to sign the payment.
  • Actual signing technique: the actual electronic signature, aims to digitally proof that a transaction was signed by a user. Also here multiple techniques exist, with
    • Different levels of security: a good measure for security of the "Integrity Security" is if any change in the signed transaction invalidates the signature.
      • A checkbox asking the user to confirm the transaction. The only proof at that moment are the audit log indicating that the user checked the box. Legally this type is quite poor.
      • Scan of a physical signature
      • An electronic signing, which is independent of the actual content. Even though this method ensures the authentication (signee can be authenticated and signatures is uniquely linked to user), the integrity can only be verified through a code audit.
      • An electronic signing based on some key characteristics of the transaction (e.g. a unique reference of the document, the amount…​). When a signature is made, the signing hash will include these characteristics. Any change to these characteristics afterwards, will invalidate the signature.
      • Digital signature: use a certificate-based digital ID issued by an accredited Certificate Authority (CA) or Trust Service Provider (TSP) so when you digitally sign a document, your identity is uniquely linked to you, the signature is bound to the document with encryption (i.e. the digital signature and the electronic document you sign are binded and encrypted together).
    • Signing orchestration: in many cases, the signing process can require a complex orchestration process. This is usually the case when multiple people need to sign. In this orchestration, several specifics need to be considered, like:
      • Automatic derival of which persons should be signed. This can be a fixed set of names, but can also be X persons from a group of persons (anyone in the group can sign) or even more complex configurations. For example, based on the risk of the transaction (determined by amount, counterpart…​), more people might need to sign or people higher up in the hierarchy might need to sign.
        It could even be that the derival needs to be dynamically adapted. E.g. a policy could be that 2 persons from different departments should sign. At that moment, once one person has signed, all people of same department as first signer, should not be allowed to sign anymore.
      • The order in which people should sign. In some processes, it is required that first the requestor signs, following by a manager/director. The manager/director can however only sign when requestor has already signed. In other setups all identified signers can sign all in parallel.
  • Storing of signature: a third important aspect in the "Integrity" is the way the electronic signature, which is generated during the signature process is stored. This includes if only the signing key is stored or the full signed message and the way signing information is stored. If the signing information is stored in a standard database, it could still be possible to tamper with the signature after transaction was performed. Common techniques to avoid this type of fraud are storing the signing info in a non-repudiation store (i.e. a database, in which stored information can no longer be modified) or by replicating the signing info to the signing user(s) or to a trusted (by both parties), neutral third-party.
  • Note: All the above methods are only as good as the code has implemented them. Therefore, in case of a litigation, it is possible that a software code audit is performed, ensuring that all claimed aspects are properly implemented. Proper logging of which version was in production at which time and a proper source code management system can help in retrieving the software code applicable at the moment of the signing, resulting in the litigation.
Hope to have showed in this blog that there is no such thing as THE digital signature. When implementing a digital signature, a firm can make dozens of choices, which vary in usability, cost of implementation and level of security and repudiation risk. While the choices in usability will remain, the other choices should normally evolve to the best level of security and repudiation risk, as the technologies become more commoditized and therefore less costly to implement.
But in order to once and for all solve this problem, a true global, digital identity, backed by all countries in the world, should become a reality. The UN has a mandate to create a global identity scheme by 2030 for everyone on earth, so maybe in 10 years time we will be there. This identity would allow to onboard at any website with a few clicks (providing consent to share certain data) and allow to authenticate and identify yourself in a secure and consistent way on every possible website. Concretely the identity would store the setup of different authentication methods and contain also your behavior profile. After authenticated yourself in the browser, you can automatically onboard on any website (by agreeing to share your credentials) and automatically login to websites (which you gave consent to) via SSO. The browser authentication system automatically requests additional authentication or logs me out, if it detects abnormal behavior (i.e. behavior not in line with my regular behavior). Thanks to this, all transactions can have perfect authentication/identification without hindering the user experience.
All technological components are available, it’s just a matter of governments and companies worldwide coming to an arrangement.
Labels:
Locatie: Onbekende locatie.

Comments

  1. saivenkat23 October 2020 at 09:23

    This is an awesome post.Really very informative and creative contents. These concept is a good way to enhance the knowledge.I like it and help me to development very well.Thank you for this brief explanation and very nice information.Well, got a good knowledge.
    eSignature

    ReplyDelete
    Replies
    1. Joris Lochy5 November 2020 at 12:04

      Many thanks for your kind words. Much appreciated.
      If you are interested in this topic, you can also have a look at my blogs:

      * Securing your doors is not enough. Go for a multi-layered security strategy. (https://bankloch.blogspot.com/2020/02/securing-your-doors-is-not-enough-go.html)

      * Multi-Factor Authentication and Identity Fraud Detection in the Financial Services Industry(https://bankloch.blogspot.com/2020/02/multi-factor-authentication-and.html)

      Delete
  2. Zohurul Alam28 April 2021 at 06:15

    i am very happy to read this blog. that is nice
    for more information Office 365 Email Signature

    ReplyDelete
  3. john29 April 2022 at 18:38

    ReplyDelete

Post a Comment

Popular posts from this blog

Transforming the insurance sector to an Open API Ecosystem

1. Introduction "Open" has recently become a new buzzword in the financial services industry, i.e.   open data, open APIs, Open Banking, Open Insurance …​, but what does this new buzzword really mean? "Open" refers to the capability of companies to expose their services to the outside world, so that   external partners or even competitors   can use these services to bring added value to their customers. This trend is made possible by the technological evolution of   open APIs (Application Programming Interfaces), which are the   digital ports making this communication possible. Together companies, interconnected through open APIs, form a true   API ecosystem , offering best-of-breed customer experience, by combining the digital services offered by multiple companies. In the   technology sector   this evolution has been ongoing for multiple years (think about the travelling sector, allowing you to book any hotel online). An excellent example of this
45 comments
Read more

Are product silos in a bank inevitable?

Silo thinking   is often frowned upon in the industry. It is often a synonym for bureaucratic processes and politics and in almost every article describing the threats of new innovative Fintech players on the banking industry, the strong bank product silos are put forward as one of the main blockages why incumbent banks are not able to (quickly) react to the changing customer expectations. Customers want solutions to their problems   and do not want to be bothered about the internal organisation of their bank. Most banks are however organized by product domain (daily banking, investments and lending) and by customer segmentation (retail banking, private banking, SMEs and corporates). This division is reflected both at business and IT side and almost automatically leads to the creation of silos. It is however difficult to reorganize a bank without creating new silos or introducing other types of issues and inefficiencies. An organization is never ideal and needs to take a number of cons
6 comments
Read more

RPA - The miracle solution for incumbent banks to bridge the automation gap with neo-banks?

Hypes and marketing buzz words are strongly present in the IT landscape. Often these are existing concepts, which have evolved technologically and are then renamed to a new term, as if it were a brand new technology or concept. If you want to understand and assess these new trends, it is important to   reduce the concepts to their essence and compare them with existing technologies , e.g. Integration (middleware) software   ensures that 2 separate applications or components can be integrated in an easy way. Of course, there is a huge evolution in the protocols, volumes of exchanged data, scalability, performance…​, but in essence the problem remains the same. Nonetheless, there have been multiple terms for integration software such as ETL, ESB, EAI, SOA, Service Mesh…​ Data storage software   ensures that data is stored in such a way that data is not lost and that there is some kind guaranteed consistency, maximum availability and scalability, easy retrieval and searching
26 comments
Read more

IoT - Revolution or Evolution in the Financial Services Industry

1. The IoT hype We have all heard about the   "Internet of Things" (IoT)   as this revolutionary new technology, which will radically change our lives. But is it really such a revolution and will it really have an impact on the Financial Services Industry? To refresh our memory, the Internet of Things (IoT) refers to any   object , which is able to   collect data and communicate and share this information (like condition, geolocation…​)   over the internet . This communication will often occur between 2 objects (i.e. not involving any human), which is often referred to as Machine-to-Machine (M2M) communication. Well known examples are home thermostats, home security systems, fitness and health monitors, wearables…​ This all seems futuristic, but   smartphones, tablets and smartwatches   can also be considered as IoT devices. More importantly, beside these futuristic visions of IoT, the smartphone will most likely continue to be the center of the connected devi
16 comments
Read more

Neobanks should find their niche to improve their profitability

The last 5 years dozens of so-called   neo- or challenger banks  (according to Exton Consulting 256 neobanks are in circulation today) have disrupted the banking landscape, by offering a fully digitized (cfr. "tech companies with a banking license"), very customer-centric, simple and fluent (e.g. possibility to become client and open an account in a few clicks) and low-cost product and service offering. While several of them are already valued at billions of euros (like Revolut, Monzo, Chime, N26, NuBank…​), very few of them are expected to be profitable in the coming years and even less are already profitable today (Accenture research shows that the average UK neobank loses $11 per user yearly). These challenger banks are typically confronted with increasing costs, while the margins generated per customer remain low (e.g. due to the offering of free products and services or above market-level saving account interest rates). While it’s obvious that disrupting the financial ma
7 comments
Read more

PFM, BFM, Financial Butler, Financial Cockpit, Account Aggregator…​ - Will the cumbersome administrative tasks on your financials finally be taken over by your financial institution?

1. Introduction Personal Financial Management   (PFM) refers to the software that helps users manage their money (budget, save and spend money). Therefore, it is often also called   Digital Money Management . In other words, PFM tools   help customers make sense of their money , i.e. they help customers follow, classify, remain informed and manage their Personal Finances. Personal Finance   used to be (or still is) a time-consuming effort , where people would manually input all their income and expenses in a self-developed spreadsheet, which would gradually be extended with additional calculations. Already for more than 20 years,   several software vendors aim to give a solution to this , by providing applications, websites and/or apps. These tools were never massively adopted, since they still required a lot of manual interventions (manual input of income and expense transaction, manual mapping transactions to categories…​) and lacked an integration in the day-to-da
5 comments
Read more

Can Augmented Reality make daily banking a more pleasant experience?

With the   increased competition in the financial services landscape (between banks/insurers, but also of new entrants like FinTechs and Telcos), customers are demanding and expecting a more innovative and fluent digital user experience. Unfortunately, most banks and insurers, with their product-oriented online and mobile platforms, are not known for their pleasant and fluent user experience. The   trend towards customer oriented services , like personal financial management (with functions like budget management, expense categorization, saving goals…​) and robo-advise, is already a big step in the right direction, but even then, managing financials is still considered to be a boring intangible and complex task for most people. Virtual (VR) and augmented reality (AR)   could bring a solution. These technologies provide a user experience which is   more intuitive, personalised and pleasant , as they introduce an element of   gamification   to the experience. Both VR and AR
9 comments
Read more

Low- and No-code platforms - Will IT developers soon be out of a job?

“ The future of coding is no coding at all ” - Chris Wanstrath (CEO at GitHub). Mid May I posted a blog on RPA (Robotic Process Automation -   https://bankloch.blogspot.com/2020/05/rpa-miracle-solution-for-incumbent.html ) on how this technology, promises the world to companies. A very similar story is found with low- and no-code platforms, which also promise that business people, with limited to no knowledge of IT, can create complex business applications. These   platforms originate , just as RPA tools,   from the growing demand for IT developments , while IT cannot keep up with the available capacity. As a result, an enormous gap between IT teams and business demands is created, which is often filled by shadow-IT departments, which extend the IT workforce and create business tools in Excel, Access, WordPress…​ Unfortunately these tools built in shadow-IT departments arrive very soon at their limits, as they don’t support the required non-functional requirements (like high availabili
15 comments
Read more

Beyond Imagination: The Rise and Evolution of Generative AI Tools

Generative AI   has revolutionized the way we create and interact with digital content. Since the launch of Dall-E in July 2022 and ChatGPT in November 2022, the field has seen unprecedented growth. This technology, initially popularized by OpenAI’s ChatGPT, has now been embraced by major tech players like Microsoft and Google, as well as a plethora of innovative startups. These advancements offer solutions for generating a diverse range of outputs including text, images, video, audio, and other media from simple prompts. The consumer now has a vast array of options based on their specific   output needs and use cases . From generic, large-scale, multi-modal models like OpenAI’s ChatGPT and Google’s Bard to specialized solutions tailored for specific use cases and sectors like finance and legal advice, the choices are vast and varied. For instance, in the financial sector, tools like BloombergGPT ( https://www.bloomberg.com/ ), FinGPT ( https://fin-gpt.org/ ), StockGPT ( https://www.as
1 comment
Read more

From app to super-app to personal assistant

In July of this year,   KBC bank   (the 2nd largest bank in Belgium) surprised many people, including many of us working in the banking industry, with their announcement that they bought the rights to   broadcast the highlights of soccer matches   in Belgium via their mobile app (a service called "Goal alert"). The days following this announcement the news was filled with experts, some of them categorizing it as a brilliant move, others claiming that KBC should better focus on its core mission. Independent of whether it is a good or bad strategic decision (the future will tell), it is clearly part of a much larger strategy of KBC to   convert their banking app into a super-app (all-in-one app) . Today you can already buy mobility tickets and cinema tickets and use other third-party services (like Monizze, eBox, PayPal…​) within the KBC app. Furthermore, end of last year, KBC announced opening up their app also to non-customers allowing them to also use these third-party servi
9 comments
Read more