Are Electronic Signatures Safe?
E-signatures are more secure than physical ones. Every signature has tamper-proof, built-in privacy and security features that are captured in an audit trail.
Yes, electronic signatures are safe. In this post, we’ll cover why an e-signature is more secure than a wet signature, how e-signatures work, and the features that help keep them safe.
Why an e-signature is more secure than a wet signature
A common question people have is “Can my digital signature be forged, misused or copied?” The reality is, wet signatures can easily be forged and tampered with, while electronic signatures have many layers of security and authentication built into them, along with court-admissible proof of transaction.
Electronic record
Unlike physical signatures, e-signatures come with an electronic record that serves as an audit trail and proof of the transaction. The audit trail includes the history of all actions taken with the document, such as when it was opened, how long it was viewed and when it was signed. Depending on the service provider, and if the signer agrees to allow access to their location, the record will also show the geolocation where the document was signed.
If any signer disputes their signature, or if there is any question about the transaction, the audit data is available to all participants in the transaction who can then resolve the objections.
Certificates of completion
A certificate of completion includes each signer’s signature image, key event timestamps, each signer’s IP address and other identifying information. More detailed certificates of completion also include a consumer disclosure indicating that the signer agreed to use e-signature. The consumer disclosure is sometimes provided as a separate document but should always be included.
Tamper-evident seal
Once the signing process is complete, all documents are digitally sealed using Public Key Infrastructure (PKI), an industry-standard technology. This seal indicates the electronic signature is valid and that the document hasn’t been tampered with or altered since the date of signing.
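How such a seal makes a later change detectable, as an added example that is not part of the original post or any provider's code. It uses the openssl command line; the throwaway self-signed certificate stands in for one issued by a trusted CA, and the file names, subject name and document text are constructed.

```shell
#!/bin/sh
# Added example: seal a document, then show that altering it breaks the seal.
# The key, certificate subject, file names and document text are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway signing key and self-signed X.509 certificate.
# (Assumption: a real provider's certificate chains to a trusted CA.)
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Sealing Service" \
        -keyout "$WORK/seal.key" -out "$WORK/seal.crt" 2>/dev/null
}

# seal_document FILE: sign the SHA-256 digest of FILE, writing FILE.sig.
seal_document() {
    openssl dgst -sha256 -sign "$WORK/seal.key" -out "$1.sig" "$1"
}

# verify_seal FILE: succeed only if FILE is byte-for-byte what was sealed,
# checked against the public key taken from the certificate.
verify_seal() {
    openssl x509 -in "$WORK/seal.crt" -pubkey -noout > "$WORK/seal.pub" || return 1
    openssl dgst -sha256 -verify "$WORK/seal.pub" \
        -signature "$1.sig" "$1" 2>&1 | grep -q '^Verified OK'
}

# Seal a document, check it, alter one figure, check again.
demo() {
    doc="$WORK/contract.txt"
    make_signer || return 1
    printf 'Lease agreement: rent is 1000 per month.\n' > "$doc"
    seal_document "$doc" || return 1
    if verify_seal "$doc"; then before=valid; else before=invalid; fi
    sed 's/1000/100/' "$doc" > "$doc.new" && mv "$doc.new" "$doc"
    if verify_seal "$doc"; then after=valid; else after=invalid; fi
    echo "$before $after"
}

demo   # prints: valid invalid
```

The signature covers a digest of the whole file, so changing a single character after sealing is enough for verification to fail.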
How electronic signatures work
The exact signing process varies depending on the e-signature provider that you use, but the underlying workflows of more robust solutions are similar.
Sending:
Upload the document you need signed (e.g., Word or Google doc, PDF file)
Tag the sections that require initials, signatures, phone numbers, etc.
Select the methods of signer authentication you want to use
Send the file via the service to your designated recipient’s email
Signing:
Receive an email notification to review and sign a document (clickable link)
Verify your identity before signing (if the sender selects that option)
Read the disclosure documents and agree to use the electronic process
Review the document and complete any necessary fields, including attaching any required documents
Adopt the signature style you want to use (the first time you use a service)
Sign the document
Documents are automatically routed back or to the next signer
Once all recipients have signed a document, they’re notified, and the document is stored electronically where it can be viewed and downloaded. All of this is done with tamper-proof, built-in privacy and security features that e-signature platforms must provide.
Methods of verifying signer identity
E-signature technology offers multiple options for verifying a signer’s identity before they can access the document and sign, including:
Email address: signers enter their own email address, which is compared to the email address used in the invitation
Access code: the sender supplies a one-time passcode that signers must enter
Phone call: signers must call a phone number and enter their name and access code
SMS: signers must enter a one-time passcode sent via SMS text message
Knowledge-based: signers are asked questions about information, such as past addresses or vehicles owned
ID verification: signers are verified using their government-issued photo IDs or European eID schemes
For situations where additional levels of signature validity are necessary, as is sometimes the case in regulated industries and often the case in Europe, some providers offer two more rigorous types of e-signature that comply with the EU’s eIDAS requirements:
Advanced E-signature: Requires a higher level of security, identity verification and authentication to establish a link to the signer; and includes a certificate-based digital ID (X.509 PKI) issued by a trusted service provider
Qualified E-signature: An even more secure version of an advanced e-signature that utilizes a “secure signature creation device” and is deemed legally identical to a wet signature in the EU
The importance of a security-first approach to e-signatures
The level of e-signature security varies by provider, so it’s important to choose an e-signature provider that has robust security and protection woven into every area of its business. Security-conscious organizations implement these three types of security measures:
Physical security: protects the systems and buildings where the systems reside
Platform security: safeguards the data and processes that are stored in the systems
Security certifications/processes: help ensure the provider’s employees and partners follow security and privacy best practices
Physical security
Geo-dispersed data centers with active and redundant systems and physically and logically separated networks
Commercial-grade firewalls and border routers to detect IP-based and denial-of-service attacks
Malware protection
Secure, near real-time data replication
Around-the-clock onsite security
Strict physical access control with monitored video surveillance
Platform security
Data encryption in transit and at rest with TLS connections and AES 256-bit encryption
Data access and transfer via HTTPS
Use of Security Assertion Markup Language (SAML), giving users the latest capabilities for web-based authentication and authorization
PKI tamper-evident seal
Certificate of completion
Signature verification and unalterable capture of signing actions and completion status
Multiple authentication options for signers
Security certifications/processes
Compliance with applicable laws, regulations and industry standards, governing digital transactions and electronic signatures, including:
ISO 27001:2013: the highest level of global information security assurance available today
SOC 1 Type 2 and SOC 2 Type 2: both reports evaluate internal controls, policies and procedures, with the SOC 2 report focusing on those directly related to security, availability, processing integrity, confidentiality and privacy at a service organization
Payment Card Industry Data Security Standard (PCI DSS): ensures safe and secure handling of credit card holder information
Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) program: comprises key principles of transparency, rigorous auditing and harmonization of standards
Ability to comply with specialized industry regulations, such as PHIPA, HIPAA, 21 CFR Part 11 and specified rules from the FTC, FHA, IRS and FINRA
Security management processes and development practices, including business continuity and disaster recovery planning, employee training, secure coding practices, formal code reviews and regular code-base security audits
So, to answer the question, are electronic signatures safe? Yes, they most certainly are.
Learn more on the safety and security of Docusign eSignature at Docusign Trust Center.