Did you know there are 3 types of digital signatures?
Three levels of electronic signature security explained
If you do business internationally, you may already know that different transactions require different types of signatures. Simple electronic signatures are fine for basic agreements that don’t call for authentication or additional ID. But there are instances in more highly regulated sectors where tighter security is needed, like government-level approvals.
There’s a difference between electronic and digital signatures
Electronic signatures are a category of methods for signing a document. DocuSign eSignature is a classic example here. Fast to set up and extremely simple for signers to use, e-signatures are found in everything from business contracts to offers of employment, from invoices to purchase orders.
A digital signature is a type of electronic signature that uses a specific technical implementation to meet the more stringent security needs of highly regulated industries. The use of digital signatures is regulated in legal texts, such as the European eIDAS regulation and the UK’s Electronic Identification and Trust Services for Electronic Transactions Regulations.
Digital signatures become easier to understand after a few key elements are explained.
What is a digital signature?
A digital signature is a specific type of e-signature that complies with strict legal regulations securely associating an individual signer with a document that provides the highest level of assurance of a signer’s identity. When you “click to sign”, it’s the digital signature technology that securely links the signer with the document in a recorded transaction.
Digital signatures use a standard, accepted format called Public Key Infrastructure (PKI) to provide the highest levels of security and universal acceptance. They are a specific signature technology implementation of electronic signature.
Let’s take a look at the three kinds of digital signatures, from least to most stringent.
1. Simple electronic signature (SES): For everyday transactions
This is the most basic digital signature available. It does not require strong signer authentication or ID verification, as it is considered the same as ticking a box giving your consent to a declaration. For transactions that can use this type of signature, it is enough to know the signer’s email or IP address, or that they received a unique access code before signing.
An example of a simple electronic signature could be an internal approval process document for an engineering team, signed off by the manager using an e-signature platform.
2. Advanced electronic signature (AES): For high-value transactions
The AES signature includes additional user authentication steps. A signer will be asked to produce a valid document to confirm their identity, as well as use a unique access code to complete the signing process. Advanced signatures also require a digital certificate to be generated and attached to the envelope as part of the transaction.
These additional security features allow AES to accomplish three important things:
- Reliably identify the signer
- Establish a unique link between the signature and the signer
- Provide tamper evidence of any changes made to the document after it was signed
Employment offer letters are an example of a use case for AES. A job candidate is selected to fill a role; the HR team then prepares a formal offer letter for their future employee who can sign it electronically after receiving a PIN via text message. The candidate is also required to upload a photograph of their valid government-issued ID (eg: drivers license) to confirm their identity.
3. Qualified electronic signature (QES): For legally regulated transactions
A QES offers the highest level of trust through a face-to-face ID verification process by a qualified Trust Service Provider. The process is regulated by a government office where a digital certificate is created with an electronic signature device.
This process unquestionably establishes the validity of the signature process. A QES in Europe is considered the legal equivalent of a wet signature witnessed by a notary in Canada. There are many QES examples in Europe; for instance, in Germany, QES is required for any consumer loan application.
Depending on your needs and location, you may require a trusted third-party partner to handle the ID verification and issue the digital certificate for the QES. There is also QES support for “signer-held” digital certificates issued by a trusted Certificate Authority, installed in devices such as smart cards, USB drives, or on a personal computer.