Bechtel Plant Machinery

Frequently Asked Questions

Security

Does the law require a minimum level of user authentication?

In a word, no. The federal ESIGN law does not specify the type of user authentication to be used with e-signatures. The definition of an e-signature under ESIGN refers to user authentication in the phrase "a contract or other record . . . adopted by a person"; however, it does not specify how the signer should “adopt” the contract or record.

Ideally, the choice of a user authentication method should depend on the risk profile of the organization and the process it is automating. Smart cards with digital certificates may make sense when signing highly sensitive military requisitions, but are clearly not feasible, or even necessary, for consumers applying for a loan online.

What is the best way to authenticate an unknown user over the web?

Because most Web-based consumer-facing processes are one-time or infrequent transactions, it is not practical or cost-effective to issue digital certificates or hardware-based authentication devices to end users. One option is to leverage electronic credentials that have already been issued, such as a PIN for online banking.

Another option is to leverage the method of user authentication used in other remote channels, such as doing business through call centers and by mail. These processes identify and authenticate the user with out-of-wallet information, or with personal information obtained from third-party verification services, such as Equifax.

What is the difference between user authentication and data authentication?

User authentication is the process of identifying an individual and ensuring that the person is who he or she claims to be. Data authentication, on the other hand, is the process of verifying the information contained in a signed document to ensure that it hasn’t changed since it was signed.

In traditional business processes, user authentication entails verifying the person’s unique credentials, such as passport, driver’s license or social security number. In the electronic world, this entails verifying the person’s username and password, digital certificate or biometrics.

Data authentication in the pen and paper world involves reading or scanning the document. In the electronic world, this is often done automatically upon opening the document. Some solutions, such as Silanis ApproveIt®, will visibly invalidate the electronic signature(s) contained within the document if an unauthorized change to the content or to the signer’s credentials is detected.

Can someone remove an e-signature from a document, or modify an e-signed document?

The security features of Silanis’ ApproveIt software ensure that any change to an e-signed document, even a change in font color or size, will invalidate the associated signatures. Also, any attempt to copy e-signatures from one document to another will automatically invalidate them.
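As an added illustration (not Silanis code and not part of the original FAQ), the following Go program sketches how data authentication of this kind can be built: the signature is computed over the signer's authenticated identity plus a hash of the document including its presentation attributes, so recolouring text, pasting the signature into another document, or re-attributing it to a different signer all fail verification. The document layout, the signer names and the assumption that the signer's public key is already trusted are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Document is a constructed e-signed record; presentation attributes are signed too.
type Document struct {
	Text      string `json:"text"`
	FontSize  int    `json:"font_size"`
	FontColor string `json:"font_color"`
}
// Signature binds the authenticated signer identity to the document digest.
type Signature struct {
	Signer string            // identity established by user authentication
	Sig    []byte            // Ed25519 signature over signer || SHA-256(doc)
	PubKey ed25519.PublicKey // assumed trusted through prior enrolment
}
// signingInput: signer name plus SHA-256 of the canonical (JSON) document.
func signingInput(d Document, signer string) []byte {
	b, _ := json.Marshal(d) // field order is fixed by the struct definition
	digest := sha256.Sum256(b)
	return append([]byte(signer+"\n"), digest[:]...)
}
func Sign(d Document, signer string, priv ed25519.PrivateKey) Signature {
	return Signature{Signer: signer, Sig: ed25519.Sign(priv, signingInput(d, signer)),
		PubKey: priv.Public().(ed25519.PublicKey)}
}
// Verify is the data-authentication step: recompute from the document as presented.
func Verify(d Document, s Signature) bool {
	return ed25519.Verify(s.PubKey, signingInput(d, s.Signer), s.Sig)
}
// Demo: verify the original, a recoloured copy, another document with the
// signature pasted in, and the original with the signer name rewritten.
func Demo() (original, recolored, copied, renamed bool) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	doc := Document{Text: "Requisition CONSTRUCTED-001", FontSize: 11, FontColor: "black"}
	sig := Sign(doc, "alice@example.test", priv)
	altered, other, stolen := doc, doc, sig
	altered.FontColor = "red"
	other.Text = "Requisition CONSTRUCTED-002"
	stolen.Signer = "mallory@example.test"
	return Verify(doc, sig), Verify(altered, sig), Verify(other, sig), Verify(doc, stolen)
}
func main() { fmt.Println(Demo()) } // prints: true false false false
```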

Does e-signing increase exposure to risk?

This is a common question. In fact, bringing processes online does not increase risk of fraud, non-compliance or errors. When implemented properly, e-signatures can even reduce risk exposure. An organization with electronic processes is better able to maintain control, thanks to automated workflow rules that ensure the right steps are followed in the right sequence. Electronic processes also offer real-time visibility into a process, making it quicker and easier to spot anomalies, inconsistencies or suspicious activities.

How can an organization ensure that documents signed electronically remain accessible and verifiable for their entire (30-year-plus) lifespan?

Adopting a records management program is the best way to ensure future access to records. E-signatures can actually lighten the record-retention burden, because they automatically gather transaction evidence (presentation, intent, user authentication, data authenticity) that otherwise would need to be compiled and managed separately.