There is a great new AIIM whitepaper on the use of digital signatures that provides a nice primer on the available technologies. You can find it here.
There is still a lot of hope for removing the “wet signature” from transactions for obvious reasons:
- Current methods require a lot of printing, signing, and faxing/emailing the documents around
- There is no real established practice around ensuring that the signer is who he or she claims to be, and
- Ensuring that the content of documents is not changed during the signing process is not easy in paper-based workflows.
Enter on-premise and, more recently, SaaS offerings that turn this cumbersome and time-consuming workflow into a faster, more controllable one. But one thing that remains both a drawback and a risk is the technology used to implement document signing. The best solutions use PKI to verify the signer and to ensure document integrity. With PKI, when a person signs a document, the signing software uses the signer’s “private key” to apply a digital signature to the document, and other parties can verify that signature using the signer’s “public key”. Digital certificates, which are essentially files that bind the signer’s identity data to his or her public key, are the typical means of identifying the signer. Signing a document essentially attaches or embeds the digital signature, together with the signer’s certificate, in the document. Most solutions also timestamp the document and check its content so that any tampering during the signing process is detected. Going even further, certificates can be issued to users through a formal process in which the user is verified to be who he or she claims to be. This verification can range from answering questions that only the user would know all the way to phone-based verification in which the user also provides more specific identification.
So where do biometric signatures come into play?
The answer is during the signing process itself. In order to establish the identity of the user during document signing, the user must “present” his or her certificate, and the ability to present the certificate is typically controlled by a PIN (or another form of identity verification such as a password). This is to prevent (hopefully) theft of the user’s certificate.
But it is well known that PINs and ID/password combinations can be hacked, and people often choose simple passwords because they are easy to remember.
With biometric signatures it is possible to add yet another layer of protection while keeping things very simple for the end user. The user no longer has to remember a password or PIN, and because the signatures are biometric they are very hard to counterfeit or steal. In fact, recent news reports research showing that a scribble is more secure and harder to counterfeit than a password. When signing a document, the user actually signs on a tablet, smartphone, or other device capable of capturing this type of input, and once the biometric signature is verified, his or her certificate can be applied.
Going even further, the data collected during the signing process can also be used as an input when generating the digital signature, as another layer of protection. This means that signing a document can use a simple signature-acquisition workflow that removes the need for the user to remember a PIN and is more secure. Simple to use, everyone has one, and very secure: biometric signatures combined with existing electronic signature technology are a perfect combination.
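As an added example (not from the whitepaper or from any product mentioned here), the Go program below shows what binding the captured stroke data into the digital signature looks like in practice: the signer's private key signs one hash computed over the document, the biometric capture and the signing time, and the public key verifies it. The stroke data, the document text and the timestamp are constructed stand-ins; a real service would also embed the signer's certificate, which is omitted to keep the example short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// digest binds document content, captured stroke data and the signing time into
// one hash; length prefixes stop bytes being moved between fields unnoticed.
func digest(doc, bio []byte, ts int64) []byte {
	h := sha256.New()
	var n [8]byte
	for _, part := range [][]byte{doc, bio} {
		binary.BigEndian.PutUint64(n[:], uint64(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	binary.BigEndian.PutUint64(n[:], uint64(ts))
	h.Write(n[:])
	return h.Sum(nil)
}

// Sign applies the signer's private key, which the biometric check (not a PIN) has released.
func Sign(priv *ecdsa.PrivateKey, doc, bio []byte, ts int64) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(doc, bio, ts))
}

// Verify needs only the public key carried in the signer's certificate.
func Verify(pub *ecdsa.PublicKey, doc, bio []byte, ts int64, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(doc, bio, ts), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	doc := []byte("Lease agreement v3 (constructed sample)")
	bio := []byte("x=12,y=40,p=0.7;x=15,y=44,p=0.9") // constructed stroke sample
	sig, _ := Sign(priv, doc, bio, 1700000000)      // constructed signing time
	fmt.Println("intact:", Verify(&priv.PublicKey, doc, bio, 1700000000, sig))
	altered := []byte("Lease agreement v3 (constructed sample) plus an extra clause")
	fmt.Println("tampered:", Verify(&priv.PublicKey, altered, bio, 1700000000, sig))
}
```

Changing any one of the three inputs after signing, or shifting bytes from one field into another, makes verification fail, which is the integrity property the post describes.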
The next blog on this topic will review a real-world application of biometric signatures to sign and secure a document.