When selecting a signature option that your organization will use, several major issues will need to be considered. We generally consider this decision to be a part of the overall forms management strategy that the organization will deploy. While many departments will need to provide input, forms management is generally the department that must lead the discussions, as the extent to which forms automation can be achieved will depend, in part, on the signature solutions selected.
The major issues to be considered include determining when a signature is needed, the level of security required for the signature, the associated costs, the risks involved, whether the organization will support more than one signature technology and how signatures are to be performed (the signing process). Once these issues have been properly addressed, the specific technologies to be supported can be considered.
In our previous discussion, we addressed the most common signing method for inside-the-firewall signing: login and password. This method is understood by most users, is easy to use and provides adequate security for most low-risk, low-volume transactions. Its disadvantages include the need to set up and manage the password system, including a process for forgotten passwords. Passwords can be shared, guessed or stolen, and a correct password proves only that someone knew it, not who typed it. A password-based signature therefore cannot, by itself, provide non-repudiation of the transaction.
Another common signing method for inside-the-firewall signing is the use of digital certificates. This process requires the user to pre-register with one or more certificate authorities (CAs). The CA issues a digital certificate containing the person's public key and a variety of other identifying information, and signs that certificate with the CA's own private key; the CA also makes its own public key readily available to all its customers so that anyone can check that signature. The signer keeps the matching private key and uses it to sign the form. Whoever receives the form uses the CA's public key to verify the certificate attached to it, which establishes that the CA issued the certificate and vouches for the binding between the signer's identity and public key; the public key inside the certificate is then used to verify the signature on the form itself. If confidentiality is also required, the signer can encrypt the signed form with the organization's public key, so that only the organization's private key can open it.
The benefits of certificates and CAs accrue when both parties trust the same CA. This allows them to learn each other's public key by exchanging certificates signed by that CA and checking the CA's signature on them. Once they know each other's public key, they can use it to encrypt data for the other party and to verify the signatures on the document. A certificate-based signature both authenticates the user and provides evidence of user intent: the signature is computed with the user's private key over the content of the document, so it is bound to that specific transaction and will not verify if the content is altered or the signature is copied to another document.
Disadvantages include the need to pre-register every user who will sign a form, a process that can be confusing to casual users, and the cost of acquiring and maintaining the system (certificate revocation, stolen computers and the private keys on them, changes in user status, etc.). These issues make the use of digital certificates impractical for anonymous users outside the firewall.
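The certificate-based flow described above, as an added example that is not part of the original article: a CA signs a certificate binding a registered signer's public key to a name, the signer signs the form with the matching private key, and the relying party first verifies the certificate against the CA it trusts and only then uses the public key inside it to check the signature on the form. It is written in Go against the standard library and also exercises two failure modes the text raises: a form altered after signing, and a certificate in the same name issued by a CA the relying party does not trust. The CA names, the signer name "J. Doe" and the form text are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert is the CA's registration step: it signs a certificate binding pub to name.
// With parent == nil the certificate is self-signed, i.e. a CA root that relying
// parties install as a trust anchor. The CA never sees the subject's private key.
func makeCert(name string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	isCA := parent == nil
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // toy serial; a real CA tracks these durably
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signedForm is what travels with the form: content, signer's certificate, signature.
type signedForm struct {
	content []byte
	cert    *x509.Certificate
	sig     []byte
}

func signForm(content []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) (*signedForm, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:]) // signed with the private key only the signer holds
	return &signedForm{content: content, cert: cert, sig: sig}, err
}

// verifyForm is the relying party's check: the attached certificate must chain to a
// CA it trusts, and only then is the public key inside it used on the form signature.
func verifyForm(f *signedForm, trusted *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := f.cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	// CheckSignature hashes the content with SHA-256 and verifies the ECDSA signature
	// with the certificate's public key.
	if err := f.cert.CheckSignature(x509.ECDSAWithSHA256, f.content, f.sig); err != nil {
		return fmt.Errorf("signature does not match form content: %w", err)
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// scenario runs three cases against one trusted CA and reports which ones verified:
// a genuine signed form, the same form altered after signing, and an impostor's form.
func scenario() (genuine, tampered, wrongCA bool) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, otherKey, signerKey, impKey := newKey(), newKey(), newKey(), newKey()
	caCert := must(makeCert("Acme Internal CA", &caKey.PublicKey, nil, caKey))       // hypothetical trusted CA
	otherCert := must(makeCert("Unrelated CA", &otherKey.PublicKey, nil, otherKey)) // hypothetical CA nobody here trusts
	signerCert := must(makeCert("J. Doe", &signerKey.PublicKey, caCert, caKey))
	form := []byte("Purchase request 4711: 3 x laptop, total 4200.00") // constructed sample form
	f := must(signForm(form, signerKey, signerCert))
	genuine = verifyForm(f, caCert) == nil
	altered := *f // same certificate and signature, but content changed after signing
	altered.content = []byte("Purchase request 4711: 30 x laptop, total 42000.00")
	tampered = verifyForm(&altered, caCert) == nil
	// An impostor holding a certificate in the same name from a CA we do not trust.
	impCert := must(makeCert("J. Doe", &impKey.PublicKey, otherCert, otherKey))
	wrongCA = verifyForm(must(signForm(form, impKey, impCert)), caCert) == nil
	return
}

func main() {
	fmt.Println(scenario()) // prints: true false false
}
```

Only the genuine form verifies. The altered form fails at the second step because the signature was computed over the original content; the impostor's form fails at the first step, before the key in its certificate is ever used, because the certificate does not chain to the CA the relying party trusts. That ordering is the point of the "both parties trust the same CA" condition: a certificate is only as good as the trust placed in its issuer. The example omits revocation checking, which a production verifier must add.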
Another common signature method is the use of signature pads. The pads are hardware devices connected to the computer that capture a replica of the user's wet signature and affix it to the form. There are many competing signature pads, with a variety of features available. Selection of the appropriate pad depends on the process to be employed and the specific requirements of the workflow. Advantages include ease of use (most users are familiar with the signature capture process) and user comfort. However, signature pads can be expensive to acquire, replace and maintain, and they are not practical for most Internet solutions (outside the firewall), where most users do not have access to such devices.
Other electronic signature solutions employ biometrics to sign a form. These include fingerprint capture, retina scans and voice signatures. Fingerprint and retina scans can make the signature difficult to counterfeit, but they generally do not provide for non-repudiation of the transaction and are not practical for most transactions. They can also be very expensive to implement.
Voice signatures represent a low-cost and highly practical method for signing forms. In this process, when a user tabs or clicks into the signature field, a dialog box appears asking the signer to call a toll-free number and read a defined message into the phone. A .wav file is created, recording the signer's voice as they read the message. A signing record containing that recording is created, protected cryptographically and incorporated into the transaction file, so the recording cannot be separated from or swapped into a different transaction. This provides both validation of the signer and evidence supporting non-repudiation of the transaction. The signing process can take several minutes to complete.
Voice signatures can be relatively inexpensive to implement, and they provide a secure method that meets legal requirements. However, they can be perceived as cumbersome by many users, and they are inefficient if the same user must sign many documents. Their primary advantage is for high-risk transactions with anonymous users outside the firewall, including high-volume programs in which each user signs only once or a few times.
Because there are so many variables involved, no one solution will meet all requirements. The signature processes selected require careful review of the related workflows, an assessment of the risks involved and enterprise agreement on the solutions to be supported. The solutions require sign-off by legal and auditing authorities within the organization, support from information technology (IT) and user acceptance. The decision process used to select the proper technologies should be led by forms management.