What different kinds of electronic signatures can be used under the eIDAS regulation?

A common mistake regarding digital signatures is to think that the only valid electronic signatures are the so-called qualified electronic signatures. In fact, there are other kinds of e-signatures that are also legally binding and easier to use. The key is to recognize them and to be well informed in order to balance their usability and security.

The terminology used in the current Regulation (EU) No 910/2014 (better known as eIDAS) has not improved the perception that many still have about the validity of electronic signatures (or eSignatures). In any case, the current eIDAS Regulation contains a very clear paragraph on this matter:

An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.

This should settle any discussion about whether a non-qualified signature is valid or not because, as we have repeatedly stated, all electronic signatures are in theory valid.

Gather final proof in the digital signing processes

Qualified eSignatures are ranked by law to be at the highest level of legal security and have very clear requirements:

  • Advanced electronic signature + qualified digital certificate + secure signature creation device = qualified electronic signature

The remaining non-qualified signatures, however, depend on an “ocean of electronic evidence”, which isn’t necessarily a bad thing. This is what happens in most markets, where the client has to browse through the existing solutions and decide which one best meets their needs in terms of reliability.

Among the many non-qualified eSignature solutions, the client will find products or services that are difficult to defend in court and therefore of very little legal value. But they will also find legally sound solutions, thanks to their reliance on a trustworthy service provider and their provision of a good number of quality proofs of the signature’s authorship – data that turn these electronic signatures into more procedurally valuable solutions than the qualified signatures themselves.

How can we reach high-assurance requirements for an eSignature?

The answer is straightforward: it depends on the quantity and quality of the electronic evidence provided. It matters whether a trusted third party intervenes in the signature process; whether there is a guarantee that the signer is signing what he sees (WYSIWYS); whether single-use cryptographic keys are used rather than a single key or none; whether high technical standards are met; whether time stamps are used; whether the signatures generated are long-lasting and remain justifiable over time; whether notaries intervene in the process; whether the electronic signatures can be combined with qualified electronic signatures; and so on.

Choosing between one solution or another will make the difference between living in uncertainty or embracing legal security, which can offer the required guarantees.

Choose the electronic signature that works best for your team

You could say – and in fact, this is the case in many legal departments – that you only consider qualified signatures to be valid. However, as we have seen, this would mean ignoring the truth since, at least in Europe, qualified electronic signatures aren’t the only valid ones. Therefore, it would be more honest to say: “I am not willing to analyze the legal guarantees offered by this non-qualified signature”.

The fact is that refusing to use non-qualified signatures means, realistically speaking, condemning yourself to continue using paperwork in most scenarios. That is because qualified electronic signatures have persistent, age-old problems – almost 20 years after they were first legally regulated – that make them difficult to apply in the majority of cases. Let us see some examples:

  • A patient goes to hospital for an operation: he/she does not have a digital certificate or a safe device he/she can use at that moment. In the best case scenario, he/she will have a national electronic identity card, but it is very likely that he/she will not remember the password, that the certificates will have expired or that the hospital does not have an electronic ID reader.
  • An insurance company sells online policies. The client cannot (or does not want to) go to the insurance company office, and does not have a digital certificate or a secure signature creation device. This case applies to any type of online procedure that requires the signing of a contract.

The new eIDAS Regulation has taken a giant step forward by allowing the provider – instead of the user – to store eSignature keys and certificates. This solves many technical problems, especially those linked to the secure signature creation device. Still, it does not solve the main issue that keeps qualified electronic signatures from becoming an agile tool: a qualified signature requires a qualified certificate, and to obtain this certificate, the citizen needs to present him/herself before the registration authority.

This enrollment process is precisely what hinders the spontaneity that the internet requires. In an ideal world, every citizen would have a digital certificate kept by a trusted third party and accessible only to the signatory. But we are far away from that – and I sincerely doubt that it will ever happen or even that this is the best solution. Therefore, we have no choice but to seek alternatives.

Let us see another practical example:

  • A potential buyer goes through the whole buying process on the web and, when he/she comes to the part where he/she has to sign the contract, the system asks:
    • “Do you have a certificate?”
    • “No”
    • “Can you go to a certifying authority, request a certificate and continue tomorrow?”
    • “No”
  • End of the operation.

What other e-signatures exist for signing documents online?

The range is wide, but we could sum it up in three main options, depending on several factors:

  1. Advanced electronic signature based on a qualified certificate. If the only problem is the secure device (cryptographic card or HSM) – and the user’s enrollment process isn’t an issue – one could use a certificate kept by the provider, without a secure signature creation device. It isn’t a qualified e-signature, but an advanced electronic one based on a qualified certificate, and it offers many guarantees.
  2. Face-to-face biometric electronic signature. If the procedure is face-to-face, the ideal solution is a biometric e-signature solution, which brings the ease and routine of the handwritten signature to the digital world. For the eSignature to be legally effective, many factors have to be taken into account: the gathering and encryption of biometric data (especially the stylus pressure when signing), the guarantee that the user is signing what he sees, that signature keys are single-use, time stamps, long-term signatures, etc.

The main drawback of this kind of eSignature – which makes it usable only in face-to-face environments – is that, for the signature to be examined in a legal trial, its data must be of high quality and include accurate information such as the pressure applied by the user when signing. This kind of requirement limits its availability to a small number of devices that are not normally available to the signer in his/her own home.

  3. Remote biometric electronic signature. When we cannot have the signer in person, nor can he/she go through an enrollment process, we need to shift towards a system that allows sufficient evidence to be gathered in order to prove – if needed – that the specific person in question saw the document he/she signed and that it was he/she who gave his/her consent. Traditionally, systems such as email notifications are used in this kind of eSignature: the signer opens the email and clicks on a link that takes him/her to the provider’s page, which shows the document and collects all the evidence (access IP, email address, etc.). The process usually ends with the signer’s click accepting the signature process.

These systems are very easy to use, but the evidence provided is difficult to defend in court. This is chiefly due to the difficulties in proving that it was the person in question who signed and not someone else who accessed the email account and signed on his/her behalf. This system’s security improves noticeably by sending an SMS to the signer’s mobile phone as a “two-factor authentication”. In other cases, such as ViDSigner’s, the signature process is legally completed by adding – on top of the email and SMS – a handwritten signature on the user device. In this case, the biometric signature is not of such high quality as that mentioned in the previous case, nor would it be valid per se in court, but it is the merger of evidence – email + SMS + handwritten signature – which makes this solution such strong evidence.

A trust service provider for electronic signatures

If there is something that stands out in the new eIDAS eSignature regulation, it is the value placed in the figure of the trust service provider (qualified or not). When it comes to building electronic evidence, it is indisputable that the use of third-party services unrelated to the transaction brings trust (hence the name) and evidence.

The use of third-party services for the finalisation of legally relevant transactions is not new: notaries have been assuming this role as trust service providers for hundreds of years. The role of notaries, attestors (both public and private) and modern electronic trust service providers is the same: providing legal security, guaranteeing neutrality and the parties’ accountability.

Leaving aside the technical advantages that are increasingly leading individuals and companies to consume cloud-based services instead of purchasing products, from the legal point of view, it is an undeniable truth that the use of trust providers is becoming a “must”.

Conclusion

Everyday processes and procedures demand signature solutions that are able to meet the requirements of each individual case, including those situations where a qualified electronic signature – due to its special features – is not an easy fit.

Electronic signature regulations envisage the use of other types of non-qualified eSignatures in these processes, but we must be cautious and select the right tools, those capable of combining the requirements of usability and legal security most efficiently, constantly taking into account that the signatures collected today must be ready for evaluation in court.

Our eSignature solution ViDSigner has always offered our customers usable and practical solutions, totally reliable from a legal standpoint. This allows us to provide a wide range of signature possibilities that adapt to each transaction’s peculiar needs.
