The Role of User Authentication in E-Signing

You type your name at the bottom of a letter in Microsoft Word. That’s an electronic signature, right?

It is, according to the legal definition, because typing your name demonstrates your intent to sign. What makes it a weak form of e-signing is that nothing about it proves you are really the one who typed it: anyone with access to the file could have done the same.

Another, equally risky, case: you log on to your workstation using a Smart Card, and your digital certificate automatically ‘signs’ all outgoing e-mail. Here the authentication is strong; the Smart Card (and the PIN that unlocks it) ties every e-mail to the holder of your card. But did you really intend to sign each of those e-mails and be bound by their contents? An automatic signature records nothing about intent.

The point is that, while e-signing and user authentication (UA) are two different things, they are equally important pieces of a secure, legally enforceable electronic signature. Clicking an “I Agree” button on a Web site meets the legal definition of an electronic signature, but by itself in no way proves who clicked it. Without UA, there is no link between the signature, the intent to sign and the identity of the person signing.

It's All About The Process

Whether in the paper or electronic world, it is the entire signing process that helps establish who signed. For example, an insurance customer may dispute having signed an initial health assessment, but because that customer has been paying premiums towards an insurance plan for years, and because standard operating procedure requires every applicant to sign an assessment before becoming a customer, there isn’t much hope of that customer proving his/her case. The process itself has strengthened the insurance company’s legal position.

Even traditional, wet-ink signatures often have built-in safeguards that reinforce parties’ claims of who they say they are. These include using more than one signer, notarization, ID checks, online user databases and transaction authorization programs.

“We tend to think of authentication as a single event, a single technology, or a single something that happens,” said Michael Laurie, vice-president and co-founder, Silanis. “But in reality, it’s the combination of all of those that makes the process, and that gives us reliable authentication.”

Choosing The Right Approach

When adding e-signatures to your online processes, a common question is what kind of user authentication you should use.

“There’s really no magic bullet for this very vital process,” said Mr. Laurie, “but I think that if you’re looking for the best solution, the answer is closer than you think.

“It’s not about choosing the latest technology, but choosing an approach that’s going to meet the requirements for your particular process.”

First of all, the method you choose should depend on the level of risk to your organization, should a party deny having made a transaction. What is at stake if someone fraudulently signs a transfer of funds request, for example, and what is the likelihood of that happening?

There is also the question of cost, because higher levels of user authentication are typically more expensive. Obviously, budget will factor in the decision.

Finally – and this is the aspect most often neglected – is your method easy to use? Security and usability usually pull in opposite directions. For example, while authenticating loan applicants online represents a risk to any bank, the alternative of requiring customers to appear in person at a branch to have a digital certificate issued is not feasible – they might as well complete the entire process at the branch. The bank must balance its own security against making the process easy for its customers, or face zero adoption – and never realize the many benefits of a Web-based channel.

Levels of risk, cost and usability will always affect each other. Your choice of the right UA will depend on a judicious balance of all three.

Authentication Requires Two Steps

A consumer comes to your Web site and logs in with a user ID and password. User authentication has been established, right? Not necessarily.

In order to assess the worth of the UA, you need to know how the user was identified in the first place, before the user ID and password were issued. A strong credential presented by someone whose identity was never checked proves only that the same unknown person has returned. This makes UA a two-step process: identity authentication, then credential authentication.

Identity Authentication

Also known as personal information verification (PIV) – not to be confused with the US government’s Personal Identity Verification smart-card standard, which shares the abbreviation.

There are a number of ways to ascertain the identity of an individual online, and each provides various levels of assurance.

For low-risk transactions, such as agreeing to the terms and conditions of a Web site or issuing free e-mail accounts, self-authentication is a feasible option. The user simply declares his/her identity, and nothing is verified – which makes ease of use a given. It costs little and is easy to implement, but it provides no assurance beyond the user’s own word.

Logical authentication offers more assurance than self-authentication, and involves checking different types of personal information to ensure it is logically consistent: for example, making sure the area code of a phone number matches an address. It may incur more cost, but is still relatively economical and requires little infrastructure.

Negative authentication, usually used in addition to another method, helps to eliminate potential users you would not want to do business with. A user provides personal information, which is then checked for any association with fraudulent transactions or identity theft.

Third-party authentication requires users to enter information that is then checked against a trusted third-party source. Financial services often use this method over the phone, asking a series of questions that only the genuine customer should be able to answer (knowledge-based authentication). Some companies now use access to credit files, auto insurance records and other databases to offer the same kind of identification online. Bear in mind that the answers come from records that a fraudster who has already obtained the victim’s credit report may also hold. Despite its higher cost, third-party authentication provides the highest level of assurance of the online identity authentication methods, and for that reason it is the approach most often chosen for higher-risk transactions.

Once you have established the identity of a user, you will probably want to leverage having gone through that process by issuing him/her a credential for future transactions.[1]

Credential Authentication

There are three types of online credentials - something you know (user ID, password, PIN); something you have (digital certificate, Smart Card, hardware token); or something you are (voice, fingerprints, eyes, handwritten signature).

The most common authentication method by far is the combination of a user ID and a password or PIN. This “something you know” method is popular because a user ID and password are easy to issue, acceptable to most users, easy to replace if lost, give a definite match-or-no-match result rather than a statistical one, allow adjustable levels of strength (length, complexity, expiry) and work with nearly all applications. The drawbacks are that a password is easily compromised – it can be guessed, phished, written down or shared – and that users become frustrated when they forget one or the other.

The main costs associated with “something you know” authentication are low in general, and mainly involve registration and support. Infrastructure and integration costs are minimal. The low cost and ease of acceptance make user ID and password the most popular method for all kinds of documents, from loan applications and insurance claims to employment agreements.

For higher-risk processes, digital certificates, Smart Cards and hardware tokens – “something you have” – are highly secure, easy to use and very accurate. They are not without drawbacks, however: a card or token still requires a PIN or password to unlock it, and it can be lent to someone else; a certificate stored as a file on a computer can simply be copied. They are more difficult to integrate than the methods previously mentioned, and they require specialized hardware and software.

“Something you have” methods are a midpoint between “something you know” and “something you are,” cost-wise and security-wise. Their higher cost, combined with the logistics of distributing software and/or hardware to users, makes them a feasible option only for internal processes, or processes with repeat, long-term external users, such as business partners.

Finally, authentication by biometrics – “something you are” – can involve voice, fingerprint, retinal patterns and handwritten signatures. Although biometrics can provide a high level of assurance of a user’s identity, adoption has not been widespread.

Biometric technologies are complex, which tends to confine them to specialized core applications. More importantly, in the context of e-signatures, they set a higher standard of proof than a paper process ever required. Biometrics’ specialized hardware, registration and support, integration resources and infrastructure are all more costly than for any other method. For all of these reasons, biometrics is usually reserved for physical access control in highly secure environments, rather than for business applications such as electronic signing.

Organizations should be aware that no authentication method is foolproof. Even biometrics is based on statistical processing of a person’s physical or behavioral traits, compared against stored samples: every biometric system has a false-accept rate and a false-reject rate, and tuning one down pushes the other up. And even if there were a foolproof method of authenticating users, as mentioned earlier, it would not remove the need for a secure, enforceable process.

The stronger your process is, the less you will need to spend on authentication; in other words, it can serve as your back-up, if you ever go to court.
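To make the two ideas above concrete – that a signature must link the document, the signer’s identity and an explicit act of intent, and that the identity-proofing step and the credential step should both match the risk of the process – here is an added example (not Silanis’s code, and not any legal standard). It is an evidence record for one signing event, sealed with an HMAC so that a later change to any field is detectable, with a verification routine that rejects the auto-signed e-mail (authenticated but no intent) and the “I Agree” click backed only by a self-declared identity (intent but insufficient assurance for a high-risk process). The field names, assurance ranks and risk policy table are assumptions made for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Identity-proofing methods from the article, ranked by assurance (ranks are assumed).
PROOFING_ASSURANCE = {"self": 1, "logical": 2, "third_party": 3}
# Credential types: something you know / have / are (ranks are assumed).
CREDENTIAL_ASSURANCE = {"password": 1, "hardware_token": 2, "biometric": 3}
# Minimum (proofing, credential) assurance a process demands, by repudiation risk (assumed policy).
RISK_POLICY = {
    "low": (1, 1),     # e.g. accepting a site's terms: self-declared identity + password
    "medium": (2, 1),  # e.g. an online loan application: logically checked identity + password
    "high": (3, 2),    # e.g. a funds transfer: third-party-verified identity + token or card
}


@dataclass
class SigningEvent:
    """Everything the evidence record must tie together for one signature."""
    document_sha256: str   # what was signed
    signer_id: str         # who the credential was issued to
    proofing_method: str   # how that identity was established (UA step one)
    credential_type: str   # what was presented at signing time (UA step two)
    intent_action: str     # the explicit act of intent, e.g. "clicked I Agree"; "" if none
    timestamp: str


def document_hash(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()


def seal(event: SigningEvent, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON of the record. A production service would
    sign with a key pair and time-stamp the record; an HMAC keeps this self-contained."""
    canonical = json.dumps(asdict(event), sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(event: SigningEvent, tag: str, key: bytes, document: bytes, risk: str) -> tuple[bool, str]:
    """Accept only if the record is intact, the document is the one that was signed,
    an act of intent was recorded, and both UA steps meet the process's risk level."""
    if not hmac.compare_digest(seal(event, key), tag):
        return False, "record altered after sealing"
    if event.document_sha256 != document_hash(document):
        return False, "document does not match the one that was signed"
    if not event.intent_action:
        return False, "authenticated, but no act of intent recorded"
    need_proof, need_cred = RISK_POLICY[risk]
    if PROOFING_ASSURANCE[event.proofing_method] < need_proof:
        return False, f"identity proofing '{event.proofing_method}' too weak for {risk} risk"
    if CREDENTIAL_ASSURANCE[event.credential_type] < need_cred:
        return False, f"credential '{event.credential_type}' too weak for {risk} risk"
    return True, "ok"


# Constructed sample data for the scenarios the article opens with.
KEY = b"example-evidence-key-not-for-production"
TRANSFER = b"Transfer $50,000 from account 1234 to account 9876."   # constructed document
EMAIL = b"Sure, go ahead with the order."                             # constructed e-mail body
TERMS = b"By using this site you agree to the following terms..."    # constructed terms text


def transfer_case() -> tuple[bool, str]:
    """Funds transfer: third-party-proofed customer, hardware token, explicit click."""
    ev = SigningEvent(document_hash(TRANSFER), "cust-4711", "third_party",
                      "hardware_token", "clicked 'Sign and submit'", "2005-06-01T10:00:00Z")
    return verify(ev, seal(ev, KEY), KEY, TRANSFER, "high")


def auto_signed_email_case() -> tuple[bool, str]:
    """The Smart Card case: strong authentication, but the mail client signed
    automatically, so there is no act of intent binding the sender to the contents."""
    ev = SigningEvent(document_hash(EMAIL), "emp-0042", "third_party",
                      "hardware_token", "", "2005-06-01T10:05:00Z")
    return verify(ev, seal(ev, KEY), KEY, EMAIL, "high")


def i_agree_case(risk: str) -> tuple[bool, str]:
    """'I Agree' with a self-declared identity: enough for a site's terms, not for high risk."""
    ev = SigningEvent(document_hash(TERMS), "anon-99", "self",
                      "password", "clicked 'I Agree'", "2005-06-01T10:10:00Z")
    return verify(ev, seal(ev, KEY), KEY, TERMS, risk)


def tampered_case() -> tuple[bool, str]:
    """Record sealed, then the signer field is changed afterwards."""
    ev = SigningEvent(document_hash(TRANSFER), "cust-4711", "third_party",
                      "hardware_token", "clicked 'Sign and submit'", "2005-06-01T10:00:00Z")
    tag = seal(ev, KEY)
    ev.signer_id = "cust-9999"
    return verify(ev, tag, KEY, TRANSFER, "high")


if __name__ == "__main__":
    for name, result in [("funds transfer", transfer_case()),
                         ("auto-signed e-mail", auto_signed_email_case()),
                         ("I Agree, low risk", i_agree_case("low")),
                         ("I Agree, high risk", i_agree_case("high")),
                         ("tampered record", tampered_case())]:
        print(f"{name:20} -> {result}")
```

The same record evaluated against two risk levels shows the article’s point about choosing the approach to fit the process: the “I Agree” click is accepted for the low-risk terms of use and rejected for a high-risk process, with the reason naming which UA step fell short.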

Which is Best?

The goal of your organization is to choose an authentication method that is appropriate to the risk involved and as easy to use as possible – without spending beyond your means. As this article has demonstrated, applying too low a level of security may compromise the integrity of your process; applying too high a level for a low-risk process means the process will be too difficult and face low adoption rates.

Forrester Research correctly stated that “the key criteria when evaluating such solutions are ease of use, portability, cost, security, manageability, and cross-channel utility . . . organizations will pick different options for different reasons.”[2]

Bottom line: Start with a rock-solid process, and then choose the authentication method that will best protect you while keeping your customers happy.

[1] In some cases there may be no need to go through the expense or effort of issuing a credential, because the transaction is not likely to recur.
[2] Jonathan Penn, “What To Look For In Consumer Strong Authentication Solutions,” Forrester Research, March 31, 2005.