Are Electronic Signatures Safe?
E-signatures are safer and more secure than wet signatures
Yes, electronic signatures are safe. In this post, we’ll cover why an e-signature is more secure than a wet signature, how e-signatures work, and the features that help keep them safe.
Why an e-signature is more secure than a wet signature
A common question people have is “Can my digital signature be forged, misused or copied?” The reality is, wet signatures can easily be forged and tampered with, while electronic signatures have many layers of security and authentication built into them, along with court-admissible proof of transaction.
Unlike physical signatures, e-signatures come with an electronic record that serves as an audit trail and proof of the transaction. The audit trail includes the history of all actions taken with the document, such as when it was opened, how long it was viewed and when it was signed. Depending on the service provider, and if the signer agrees to allow access to their location, the record will also show the geolocation where the document was signed.
If any signer disputes their signature, or if there is any question about the transaction, the audit data is available to all participants in the transaction who can then resolve the objections.
Certificates of completion
A certificate of completion includes each signer’s signature image, key event timestamps, each signer’s IP address and other identifying information. More detailed certificates of completion also include a consumer disclosure indicating that the signer agreed to use e-signature. The consumer disclosure is sometimes provided as a separate document but should always be included.
Once the signing process is complete, all documents are digitally sealed using Public Key Infrastructure (PKI), an industry-standard technology. This seal indicates the electronic signature is valid and that the document hasn’t been tampered with or altered since the date of signing.
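As an added illustration of what a PKI tamper-evident seal does (example code written for this post, not DocuSign’s implementation), the block below signs one digest that covers both the document bytes and its audit trail with an ECDSA P-256 key standing in for the provider’s signing key, then shows that the seal verifies only while both stay unchanged. The document text and the JSON audit trail are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// digest binds the document bytes and the audit trail into one hash, so a
// change to either one invalidates the seal. Length-prefixing the document
// prevents bytes from being shifted between the two fields.
func digest(document, auditTrail []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:", len(document))
	h.Write(document)
	h.Write(auditTrail)
	return h.Sum(nil)
}

// SealDocument produces the tamper-evident seal: an ASN.1-encoded ECDSA
// signature over the combined digest, made with the provider's private key.
func SealDocument(priv *ecdsa.PrivateKey, document, auditTrail []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(document, auditTrail))
}

// VerifySeal recomputes the digest from the copy the verifier holds and checks
// the signature with the provider's public key. Any edit to the document or
// to the audit trail after sealing makes this return false.
func VerifySeal(pub *ecdsa.PublicKey, seal, document, auditTrail []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(document, auditTrail), seal)
}

func main() {
	// Constructed sample: a stand-in provider key, a document and its audit trail.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	doc := []byte("Lease agreement, constructed sample text")
	trail := []byte(`[{"event":"opened","t":"2024-01-05T10:00:00Z"},{"event":"signed","t":"2024-01-05T10:07:00Z"}]`)
	seal, _ := SealDocument(priv, doc, trail)
	fmt.Println("intact document verifies:", VerifySeal(&priv.PublicKey, seal, doc, trail))
	fmt.Println("altered document verifies:", VerifySeal(&priv.PublicKey, seal, []byte("Lease agreement, altered"), trail))
}
```

In a real deployment the public key is published in an X.509 certificate chained to a trusted CA, which is what lets a third party check the seal without trusting the provider's word.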
How electronic signatures work
The exact signing process varies depending on the e-signature provider that you use, but the underlying workflows of more robust solutions are similar.
- Upload the document you need signed (e.g. a Word or Google Doc, or a PDF file)
- Tag the sections that require initials, signatures, phone numbers, etc.
- Select the methods of signer authentication you want to use
- Send the file via the service to your designated recipient’s email
- Receive an email notification to review and sign a document (clickable link)
- Verify your identity before signing (if the sender selects that option)
- Read the disclosure documents and agree to use the electronic process
- Review the document and complete any necessary fields, including attaching any required documents
- Adopt the signature style you want to use (the first time you use a service)
- Sign the document
- Documents are automatically routed back or to the next signer
Once all recipients have signed a document, they’re notified, and the document is stored electronically where it can be viewed and downloaded. All of this is done with tamper-proof, built-in privacy and security features that e-signature platforms must provide.
Methods of verifying signer identity
E-signature technology offers multiple options for verifying a signer’s identity before they can access the document and sign, including:
- Email address: signers enter their own email address, which is compared to the email address used in the invitation
- Access code: the sender supplies a one-time passcode that signers must enter
- Phone call: signers must call a phone number and enter their name and access code
- SMS: signers must enter a one-time passcode sent via SMS text message
- Knowledge-based: signers are asked questions about information, such as past addresses or vehicles owned
- ID verification: signers are verified using their government-issued photo IDs or European eID schemes
For situations where additional levels of signature validity are necessary, as is sometimes the case in regulated industries and often the case in Europe, some providers offer two more rigorous types of e-signature that comply with the EU’s eIDAS requirements:
- Advanced E-signature: Requires a higher level of security, identity verification and authentication to establish a link to the signer; and includes a certificate-based digital ID (X.509 PKI) issued by a trusted service provider
- Qualified E-signature: An even more secure version of an advanced e-signature that utilizes a “secure signature creation device” and is deemed legally identical to a wet signature in the EU
The importance of a security-first approach to e-signatures
The level of e-signature security varies by provider, so it’s important to choose an e-signature provider that has robust security and protection woven into every area of their business. Security-conscious organizations implement these three types of security measures:
- Physical security: protects the systems and buildings where the systems reside
  - Geo-dispersed data centers with active and redundant systems and physically and logically separated networks
  - Commercial-grade firewalls and border routers to detect IP-based and denial-of-service attacks
  - Malware protection
  - Secure, near real-time data replication
  - Around-the-clock onsite security
  - Strict physical access control with monitored video surveillance
- Platform security: safeguards the data and processes that are stored in the systems
  - Data encryption in transit and at rest with TLS connections and AES 256-bit encryption
  - Data access and transfer via HTTPS
  - Use of Security Assertion Markup Language (SAML), giving users the latest capabilities for web-based authentication and authorization
  - PKI tamper-evident seal
  - Certificate of completion
  - Signature verification and unalterable capture of signing actions and completion status
  - Multiple authentication options for signers
- Security certifications/processes: help ensure the provider’s employees and partners follow security and privacy best practices
  - Compliance with applicable laws, regulations and industry standards governing digital transactions and electronic signatures, including:
    - ISO 27001:2013: the highest level of global information security assurance available today
    - SOC 1 Type 2 and SOC 2 Type 2: both reports evaluate internal controls, policies and procedures, with the SOC 2 report focusing on those directly related to security, availability, processing integrity, confidentiality and privacy at a service organization
    - Payment Card Industry Data Security Standard (PCI DSS): ensures safe and secure handling of credit card holder information
    - Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) program: comprises key principles of transparency, rigorous auditing and harmonization of standards
    - Ability to comply with specialized industry regulations, such as PHIPA, HIPAA, 21 CFR Part 11 and specified rules from the FTC, FHA, IRS and FINRA
  - Security management processes and development practices, including business continuity and disaster recovery planning, employee training, secure coding practices, formal code reviews and regular code-base security audits
So, to answer the question, are electronic signatures safe? Yes, they most certainly are.
Learn more on the safety and security of DocuSign eSignature at DocuSign Trust Center.