Leveraging digital signatures to guarantee the integrity of e-signed documents
Electronic signatures are widely accepted as a legally binding and secure method of signing documents. Around the world, organizations are embracing e-signatures as an underpinning technology to drive their digital transformation projects forward. In some geographies and industries, digital signature is the preferred technology for e-signing documents – whether that’s for internal, B2B or B2C signing workflows.
OneSpan Sign is a leading e-signature solution built on digital signature technology that can help you to meet geographic requirements, such as those outlined in the EU’s eIDAS regulation, as well as industry-specific requirements in regulated industries such as Financial Services, Government and Healthcare.
Understanding Digital Signatures
“Electronic signatures” and “digital signatures” are often used interchangeably, but each term carries a distinct set of defining features and functions. The broader category of e-signatures often includes digital signatures, which are a specific type of technology used to implement electronic signatures.
More specifically, an electronic signature is, like its paper equivalent, a legal concept. Its purpose is to capture a person’s intent to be legally bound to an agreement or contract.
A digital signature, on the other hand, refers to encryption/decryption technology and is a subset of electronic signatures. Based on public-key cryptography, digital signatures secure signed documents and allow one to verify the authenticity of a signed record. A digital signature alone, however, is not an e-signature and therefore cannot capture a person’s intent to sign a document. When used with an e-signing application, digital signature technology secures the e-signed data.
A solution that simply digitally signs documents often lacks feature sets commonly found in best-in-class eSignature solutions, including an out-of-the-box user interface (UI), as well as transaction management and advanced workflow customization capabilities used in more complex transactions that touch the customer.
The bottom line is that when looking for a solution to manage your signing processes, it’s important to ensure that it is built on digital signature technology to guarantee the integrity of the document and underlying signatures. Without digital signatures, your document-based transactions may not be legally binding, putting you and your organization at risk in the event of a compliance or legal case.
When evaluating e-signature solutions in the market, it’s important to do your due diligence to ensure that the solution you select meets your organization’s needs both today and as you scale, as well as any geographic- and industry-specific requirements that may apply.
Understanding your workflow and the key criteria necessary to execute it is essential to using e-signatures effectively for your intended use cases. In working with organizations around the world for over 20 years, we have developed a list of 5 “must-have” criteria to keep in mind when evaluating e-signature solutions:
- Built on Digital Signature Technology
Signatures on your documents should be protected using standard digital signature algorithms. This creates a digital fingerprint of the document (also called a hash) that can be used at a later point to verify the integrity of the electronic record. If the document is tampered with even in the slightest, the e-signature will be visibly invalidated.
However, not all e-signature solutions are created equal. Watch out for e-signature solutions that simply add an image of a handwritten signature on the document, without anything to protect the integrity of the signed document or evidence to support it in the event of a consumer dispute.
If the e-signature solution does not leverage digital signature technology, the e-signed documents it produces should be considered unsecure. Because the document can be easily tampered with, its authenticity cannot be verified and the process may be exposed to fraudulent behavior that puts the entire transaction at risk. Digital signatures, therefore, are the foundation of any reliable electronic signature and a core requirement for a trustworthy solution.
- Digital Signature for EACH Signature
Not all e-signature solutions leverage digital signature technology to its fullest. The best practice is to create a digital signature for each e-signature as it is added to the document. This not only builds a comprehensive audit trail as each signature is applied, but also tamper-seals documents after each and every person signs.
Make sure to check the “Signature Panel” on the left-hand panel of your e-signed PDF; if there isn’t a distinct tamper-seal for each signer, the eSignature solution may simply be applying a tamper seal at the end of the signing process. This exposes your transactions to risk because, without a digital signature for each signature, the document can be easily modified in between signers – with no way of detecting whether or not it was tampered with. This is a risk that most organizations would not be willing to take for important transactions such as contracts, agreements and onboarding documents.
- Multiple Digital Certificate Options
Depending on your geography, industry and overall risk profile, you may have different requirements for how digital signatures and certificates are managed. There are three fundamental ways in which signing can take place and this largely relates to where the certificates are stored:
- eSignLive-signing Certificate: Signer is securely authenticated and document is digitally signed with eSignLive’s trusted certificate in the cloud.
- Local-signing Certificate: Signer’s identity is attached to a personal certificate locally stored on a PIN-protected smart card, USB token or computer that digitally signs the document.
- Server-signing Certificate: Signer’s identity is attached to a personal certificate stored on a server that digitally signs the document.
Look for a solution that can support multiple certificate types. In some cases, your organization may utilize one or more options depending on the use case. Make sure to capture requirements from relevant stakeholders in the organization and ensure that you are balancing ease of use, cost and the level of security needed for the transaction at hand.
- Meet Local Regulations Out-of-the-Box
While most countries recognize the legal validity of e-signatures and digital signatures, there remain some restrictions in the types of signatures supported by local laws.
When evaluating solutions in the market, ensure that the provider can meet the e-signature laws where you do business, such as the ESIGN Act and UETA in the US, eIDAS (Regulation 910/2014) in the EU and the Electronic Transactions Act in Australia. For example, eIDAS is a regulation that applies to all 28 EU member states and defines e-signatures in three ways: Basic, Advanced and Qualified E-Signatures. Not all solutions, however, can support all three types of electronic signature directly out-of-the-box. The Qualified E-Signature (QES), for example, is based on signing with qualified certificates issued by a Trust Service Provider (TSP) that has been accredited and meets the QES requirements under eIDAS.
Moreover, the electronic signatures provided by eSignLive can include a qualified timestamp generated by a trusted third-party for each signing event, linking the data and the signature at a given point in time.
Look for a solution that can meet the requirements in the jurisdictions in which you do business with no additional development work needed so that you can begin using the solution immediately. Learn more about e-signature laws around the world.
- Embedded Audit Trails
Detailed audit trails are important components of any best-in-class e-signature solution. While most solutions in the market provide some level of audit information associated with the transaction in the system, many do not offer the level of detail needed to effectively support most common compliance and legal cases.
We recommend looking for audit trails with information about who signed, in what order, when and where. This comprehensive audit trail should be embedded directly within the document rather than stored separately in the cloud or logically associated in a vault or proprietary database. In addition to being more secure and easier to manage, there are two very pragmatic reasons for this:
- Document Authenticity: Verify authenticity offline and independent of the e-signature software, meaning you do not need to worry if a verification link back to a server will be valid years from now. Look for “Signature is LTV enabled” in the signature panel of the e-signed PDF to ensure that the solution offers a Long-term Validation (LTV) capability.
- Document & Records Management: You do not have to store the e-signed record in the e-signature service. The record can securely travel through any email, storage or archiving system, enabling you to manage e-signed records in a manner that meets your long-term records retention policies.
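The difference between a seal per signer and a single seal at the end, described under “Digital Signature for EACH Signature” above, shown as an added example (not OneSpan code). It swaps in a toy, unpadded textbook-RSA signature over SHA-256 in place of a real standard algorithm so that it runs with the Python standard library alone; the signer names, keys and document text are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys below

def make_key(p_exp, q_exp):
    """Toy textbook-RSA key from two Mersenne primes (constructed, insecure)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

# Hypothetical signers and platform; the key sizes are for illustration only.
ALICE, BOB, PLATFORM = make_key(127, 521), make_key(107, 607), make_key(89, 521)

def digest(document, prior_sigs):
    """SHA-256 over the document bytes plus every signature already applied."""
    h = hashlib.sha256(document)
    for sig in prior_sigs:
        h.update(sig.to_bytes(128, "big"))
    return int.from_bytes(h.digest(), "big")

def sign(key, document, prior_sigs=()):
    return pow(digest(document, prior_sigs), key["d"], key["n"])

def verify(key, sig, document, prior_sigs=()):
    # Uses only the public half of the key: the modulus n and exponent E.
    return pow(sig, E, key["n"]) == digest(document, prior_sigs)

def sign_per_signer(versions_seen, keys):
    """Each signer seals the bytes they saw, chained to earlier signatures."""
    sigs = []
    for document, key in zip(versions_seen, keys):
        sigs.append(sign(key, document, sigs))
    return sigs

def broken_seals(final_document, sigs, keys):
    """Indexes of signers whose seal no longer matches the final document."""
    return [i for i, key in enumerate(keys)
            if not verify(key, sigs[i], final_document, sigs[:i])]

ORIGINAL = b"Loan agreement: principal 10,000 EUR"   # what Alice signed
ALTERED = b"Loan agreement: principal 90,000 EUR"    # changed before Bob signed

def demo():
    keys = [ALICE, BOB]
    per_signer = sign_per_signer([ORIGINAL, ALTERED], keys)
    final_seal = sign(PLATFORM, ALTERED)  # single seal applied at the very end
    return {"final_seal_valid": verify(PLATFORM, final_seal, ALTERED),
            "broken_per_signer_seals": broken_seals(ALTERED, per_signer, keys)}

if __name__ == "__main__":
    print(demo())
```

The end-of-process seal verifies cleanly over the altered text, while the per-signer chain reports the first signer's seal as broken, which is the evidence a reviewer needs that the content changed between signers.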
The OneSpan Sign Difference
OneSpan Sign is a leading e-signature solution that leverages the full spectrum of digital signature capabilities to ensure your organization can deliver the level of trust and security that your employees, partners and customers want in a signing solution. We help you meet your geographic- and industry-specific requirements with a single e-signature platform that is built on secure digital signature technology.
Key Benefits of OneSpan Sign
25 years of electronic and digital signature experience and innovation to ensure you can achieve the highest completion rates for your signing processes.
supports a broad range of local- and server-side signing certificates that adhere to global standards; instant interoperability with X.509 certificates issued by any TSP in Europe; support for signing with certificates stored on U.S. government Common Access Cards (CAC) and PIV (Personal Identity Verification) cards.
Global e-sign laws and regulations
out-of-the-box support for requirements in the U.S. ESIGN Act, the EU’s eIDAS regulation, Australia’s Electronic Transactions Act and many more.
Wide range of deployment options
An enterprise-grade solution that scales with your needs
the only solution to provide a unified platform and integration framework that maintains high security, compliance and performance everywhere in the world.
Security & trust are at the heart of our business
OneSpan is a global leader in digital security and e-signature solutions. We believe that our 25+ years of experience in the IT security segment is a real asset to our employees, partners and customers – who can transact digitally using our solutions with trust and confidence.
The E-Signature Process
Signer consents for use of e‑signatures and e‑documents
Click, type or draw action to sign at specified location
Multi-factor authentication verifies signer and identity to access signing
Binds certificate, user identity and audit trail to signed data
Audit trails are stored and digitally signed, PDF locked
Verify document, identity, time/date, audit trails with PDF reader
Embedded audit trail and patented visual audit trail
Documents stored in local data centers, on-premises or in the customer's desired system of record
What makes up a digital signature?
A digital signature possesses the following three characteristics when used in conjunction with an eSigning solution:
- Unique: the signature must identify and be uniquely linked to each signer in the transaction; the person who signed the document can be determined with a high degree of trust
- Data integrity: ability to detect changes to the document or data after the signature is applied; this creates tamper-evident documents and signatures
- Non-repudiation: ability to trace who signed the document, and in the event of a dispute or compliance case, easily prove that the person in fact signed the document
Why would I use a digital signature?
Many industries and geographies that follow e-signature standards require digital signatures to ensure that records are enforceable, compliant and secure. Digital signatures use a standards-based technology that guarantees document and signature integrity.
What happens to the document if it is tampered with?
If a document signed with OneSpan Sign is modified or tampered with in any way, the underlying digital signature technology will detect it and the PDF reader will visibly invalidate the document. The e-signed PDF will display a red “X” indicating that the document is unsecure and should not be trusted. Look for a solution with a “Long-term Validation (LTV)” capability and 1-click offline signature verification process.
What is a digital certificate?
A digital certificate is prepared and delivered by a trusted issuer (such as a Trust Service Provider or TSP) who follows a specific process to verify the identity of the requestor. The digital certificate attaches a specific identity to a signing key. Like a passport, it allows third parties to verify the identity of its holder. eSignLive enables users to sign with digital certificates that reside on a smart card, USB token or on their computer.
What is a qualified certificate?
A qualified certificate under eIDAS is a digital certificate that has been issued by a qualified Trust Service Provider (TSP) in Europe.
How does signing with a smart card work?
Watch our “How to E-Sign Documents with Smart Cards” video to see how this works. OneSpan Sign supports signing with Common Access Cards (CAC), PIV (Personal Identity Verification) cards, as well as smart cards and tokens issued by TSPs in Europe.
Does OneSpan Sign support the requirements in the EU Directive / eIDAS regulation?
Yes. OneSpan Sign meets the eIDAS requirements for the Basic, Advanced and Qualified E-Signature out-of-the-box with no additional development required. To learn how OneSpan Sign complies with the regulation and supports signing with certificates issued by TSPs in Europe, download the white paper, eIDAS & E-Signatures: A Legal Perspective.
Does OneSpan Sign support time-stamping?
Yes. For EU customers that want the ability to leverage a “qualified” timestamp, OneSpan Sign binds data with a trusted timestamp to independently prove when a particular transaction took place. The resulting timestamp further strengthens the integrity of the electronic signature. Contact us for more details.