Are Electronic Signatures Safe?
Yes, electronic signatures are safe, and in this post, we’ll cover why an e-signature is more secure than a wet signature, how e-signatures work and the features that help keep them safe.
Why an e-signature is more secure than a wet signature
A common question people have is “Can my digital signature be forged, misused or copied?” The reality is, wet signatures can easily be forged and tampered with, while electronic signatures have many layers of security and authentication built into them, along with court-admissible proof of transaction.
Unlike wet signatures, e-signatures also come with an electronic record that serves as an audit trail and proof of the transaction. The audit trail includes the history of actions taken with the document, including the details of when it was opened, viewed and signed. Depending on the provider, and if the signer agreed to allow access to their location, the record will also show the geolocation where it was signed. If one of the signers disputes their signature, or if there’s any question about the transaction, this audit trail is available to all participants in the transaction and can resolve such objections.
Certificates of completion
More detailed certificates of completion can include specific details about each signer on the document, including the consumer disclosure indicating the signer agreed to use e-signature, the signature image, key event timestamps and the signer’s IP address and other identifying information.
Once the signing process is complete, all documents are digitally sealed using Public Key Infrastructure (PKI), an industry-standard technology. This seal indicates the electronic signature is valid and that the document hasn’t been tampered with or altered since the date of signing.
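The tamper-evident seal described above, as an added Node.js example that is not part of the original post or any provider's implementation. It assumes an Ed25519 key pair standing in for the provider's certificate-backed sealing key; the function names and the envelope layout are hypothetical.

```javascript
// Added illustration: a seal that covers both the document and its audit trail.
// sealEnvelope, verifySeal and the envelope layout are hypothetical names.
const { generateKeyPairSync, createHash, sign, verify } = require('node:crypto');

// Stand-in for the provider's sealing key. In a real PKI the public half is
// bound to the provider's identity by an X.509 certificate from a trusted CA.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');

const sha256 = (buf) => createHash('sha256').update(buf).digest('hex');

// Bytes the seal covers: the document digest plus the recorded audit events.
function sealedBytes(documentBytes, auditTrail) {
  return Buffer.from(JSON.stringify({ docSha256: sha256(documentBytes), auditTrail }));
}

// Sign once, after the last signer has finished.
function sealEnvelope(documentBytes, auditTrail, key) {
  const signature = sign(null, sealedBytes(documentBytes, auditTrail), key);
  return { auditTrail, seal: signature.toString('base64') };
}

// Anyone holding the public key can re-check the document and its history.
function verifySeal(documentBytes, envelope, pubKey) {
  const sig = Buffer.from(envelope.seal, 'base64');
  return verify(null, sealedBytes(documentBytes, envelope.auditTrail), pubKey, sig);
}

// Constructed sample data.
const contract = Buffer.from('Lease agreement: rent is 1,000 per month.');
const trail = [
  { event: 'opened', at: '2024-01-05T10:00:00Z' },
  { event: 'signed', at: '2024-01-05T10:04:12Z' },
];
const envelope = sealEnvelope(contract, trail, privateKey);

// The untouched document verifies; any later change breaks the seal.
const okOriginal = verifySeal(contract, envelope, publicKey); // true
const tamperedDoc = Buffer.from('Lease agreement: rent is 9,000 per month.');
const okTamperedDoc = verifySeal(tamperedDoc, envelope, publicKey); // false
const editedTrail = {
  ...envelope,
  auditTrail: [trail[0], { event: 'signed', at: '2024-02-01T00:00:00Z' }],
};
const okEditedTrail = verifySeal(contract, editedTrail, publicKey); // false
const otherKey = generateKeyPairSync('ed25519').publicKey;
const okWrongKey = verifySeal(contract, envelope, otherKey); // false
console.log({ okOriginal, okTamperedDoc, okEditedTrail, okWrongKey });
```

Because the signed bytes include the audit events as well as the document digest, editing a timestamp after the fact fails verification just as editing the contract text does.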
How electronic signatures work
The exact signing process varies depending on the e-signature provider that you use, but the underlying workflows of more robust solutions are similar.
To send a document for signature:
- Upload the document you need signed, such as a Word document or a PDF file
- Tag the sections that require initials, signatures, phone numbers, etc.
- Select the methods of signer authentication you want to use
- Send the file via the service to your designated recipient’s email
To sign a document:
- Receive an email notification to review and sign a document
- Verify your identity before signing (if the sender selects that option)
- Read the disclosure documents and agree to use the electronic process
- Review the document and complete any necessary fields, including attaching any required documents
- Adopt the signature style you want to use (the first time you use a service)
- Sign the document
Once all recipients have signed a document, they’re notified, and the document is stored electronically where it can be viewed and downloaded. All of this is done safely due to the built-in security features and the processes that e-signature providers follow.
Methods of verifying signer identity
E-signature technology offers multiple options for verifying a signer’s identity before they can access the document and sign, including:
- Email address: signers enter their own email address, which is compared to the email address used in the invitation
- Access code: the sender supplies a one-time passcode that signers must enter
- Phone call: signers must call a phone number and enter their name and access code
- SMS: signers must enter a one-time passcode sent via SMS text message
- Knowledge-based: signers are asked questions about information, such as past addresses or vehicles owned
- ID verification: signers are verified using their government-issued photo IDs or European eID schemes
For situations where additional levels of signature validity are necessary, some providers offer two additional levels of e-signature that comply with the EU’s eIDAS requirements:
- Advanced: Requires a higher level of security, identity verification and authentication to establish a link to the signatory; and includes a certificate-based digital ID (X.509 PKI) issued by a trusted service provider
- Qualified: An even more secure version of an advanced e-signature that utilises a “secure signature creation device” and is deemed legally identical to a wet signature in the EU
The importance of a security-first approach to e-signatures
The level of e-signature security varies by provider, so it’s important to choose an e-signature provider that has robust security and protection woven into every area of their business. Those security measures should include:
- Physical security: protects the systems and buildings where the systems reside
- Platform security: safeguards the data and processes that are stored in the systems
- Security certifications/processes: help ensure the provider’s employees and partners follow security and privacy best practices
- Geo-dispersed data centers with active and redundant systems and physical and logically separated networks
- Commercial-grade firewalls and border routers to detect IP-based and denial-of-service attacks
- Malware protection
- Secure, near real-time data replication
- Around-the-clock onsite security
- Strict physical access control with monitored video surveillance
- Data encryption in transit and at rest with TLS connections and AES 256-bit encryption
- Data access and transfer via HTTPS
- Use of Security Assertion Markup Language (SAML), giving users the latest capabilities for Web-based authentication and authorisation
- PKI tamper-evident seal
- Certificate of completion
- Signature verification and unalterable capture of signing actions and completion status
- Multiple authentication options for signers
- Compliance with applicable laws, regulations and industry standards, governing digital transactions and electronic signatures, including:
- ISO 27001:2013: the highest level of global information security assurance available today
- SOC 1 Type 2 and SOC 2 Type 2: both reports evaluate internal controls, policies and procedures, with the SOC 2 report focusing on those directly related to security, availability, processing integrity, confidentiality and privacy at a service organisation
- Payment Card Industry Data Security Standard (PCI DSS): ensures safe and secure handling of credit card holder information
- Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) program: comprises key principles of transparency, rigorous auditing and harmonisation of standards
- Ability to comply with specialised industry regulations, such as HIPAA, 21 CFR Part 11 and specified rules from the FTC, FHA, IRS and FINRA
- Security management processes and development practices, including business continuity and disaster recovery planning, employee training, secure coding practices, formal code reviews and regular code-base security audits
So, to answer the question, are electronic signatures safe? Yes, they are. For more information on the safety and security of DocuSign eSignature specifically, visit the DocuSign Trust Center.