Authentication options for eSignature: Strike the right balance with secure, user-friendly authentication

OneSpan Team

Businesses are evolving to stay competitive in an increasingly digital world. With a heavy reliance on smartphones and tablets, customers expect nothing less than a convenient, secure, and seamless experience when transacting remotely. As a result, more companies in the EU, United States, Canada, and around the world are implementing eSignatures with digital signature technology as part of their digital transformation strategy, because of the improvements to customer experience that electronic signatures provide.

There are many benefits to offering customers and partners eSignatures, and the legality around their use has been clear for some time. However, ensuring the appropriate level of security is still a focus. Organizations initiating eSignature transactions must know who they are doing business with across online and mobile channels.

As an organization, you need to strike the right balance between customer experience and security when implementing user authentication. This will increase completion rates and minimize customer abandonment from cumbersome authentication. Depending on your use case and authentication needs, the best approach is to look for electronic signature software that supports a wide array of authentication methods to ensure the best user experience and mitigate risks of fraud. Additionally, you want to ensure that the authentication options can be configured to meet the requirements of your eSignature processes and channels. As an example, an electronic signing process that occurs face-to-face in a bank branch or with an insurance agent will often use different authentication methods than a remote transaction through your website.

The difference between identification and authentication

The terms “user identification” and “user authentication” may sound similar, but they have different meanings.

User identification is the process of presenting and making a claim to an identity. This is the first step in determining who you are doing business with. Naturally, it takes place the first time two parties conduct a transaction. A good example is a new applicant who goes to the bank to open an account for the first time. The applicant will be asked to prove their identity using their driver’s license, passport, or national ID card. Verifying a new applicant’s identity remotely through your digital channels requires digital identity verification. The digital identity verification feature in an electronic signature solution makes it possible to quickly and securely confirm that an “unknown user” is who they say they are – directly through their mobile device.

Once the individual’s identity is confirmed, they become a customer or “known user” and are given credentials to facilitate future transactions. User authentication is the process of verifying those credentials prior to giving access to a system – in this case, the eSign ceremony.

eSignature authentication methods

Unlike a handwritten signature, an eSignature in OneSpan Sign can be backed by a number of authentication methods that ensure only the correct signers access your electronic signature transactions. These authentication methods can be used alone or in combination to verify a person’s identity and create a trusted transaction.

  • Email authentication: The signer is sent an email with an embedded link inviting them to access the signing ceremony. After clicking the link, the signer is authenticated. Email authentication establishes a connection to the signer due to the uniqueness of their email address.

  • Login credentials (including single sign-on or SSO): Access to documents can be granted to signers upon logging into an online portal with a valid user ID and password. Using the online banking portal example, the customer logs in to their account and is presented with the documents to eSign from within the portal.

  • One-time passcode sent by text message: A unique PIN is automatically generated and sent to the signer’s phone by SMS. The signer enters it into a login page and gains access to the documents that require signature.

  • Secret question challenge (static KBA or Q&A): Challenge questions are presented to the signer to authenticate before they can view the electronic document(s). These questions are referred to as shared secrets because the sender needs to know something about the signer to create the questions. The questions and answers are known by both parties and pre-selected ahead of time. Common questions include the last four digits of a Social Security Number or an application ID number. The customer must correctly answer one or more questions before being granted access to the electronic signature transaction.

  • Dynamic KBA: OneSpan Sign can integrate with third-party ID verification services like Equifax. The signer is presented with out-of-wallet questions generated on the fly to authenticate their identity before signing the document(s). These out-of-wallet questions are generated in real time, making it difficult for anyone other than the actual user to answer correctly.

  • Digital certificates: OneSpan Sign leverages digital certificates issued by third-party Trust Service Providers (TSP) and certificate authorities (CA). When using a personal digital certificate to eSign a document, the certificate status is verified and signers must pass authentication requirements by combining the certificate with a PIN or password. When using a digital certificate issued by a qualified trust service provider, this creates a qualified electronic signature (QES) per the requirements of the European Union’s eIDAS regulation.

  • Smart cards & derived credentials: Government employees and contractors require a smart card or mobile-derived credentials when eSigning. Digital certificates are stored on smart cards, such as Common Access Cards (CAC) and Personal Identity Verification (PIV) cards. This is a form of multi-factor authentication because it consists of something the user knows (the PIN for their smart card), something the user has (the smart card), and sometimes a biometric identifier (something the user is).

  • ID verification: Verify unknown individuals remotely using government-issued IDs (e.g., driver’s license or passport). OneSpan Sign leverages digital identity verification to capture, extract, and analyze ID data in order to authenticate government-issued identity documents.

  • Digipass®: Multi-factor authentication (MFA) provides an element of layered security by requiring two or more verification methods before a signer can access and complete the transaction. OneSpan Sign integrates with OneSpan’s MFA solutions like Digipass to support strong authentication with one-time passwords (OTP) and/or visual cryptograms.

  • Biometrics: Biometrics are typically used for high-risk, high-value transactions with existing customers. Signers can use their mobile device to take a selfie, which will be compared against the photo on their government-issued ID document. During active liveness detection, the system presents the user with specific challenges or tasks that require a live response such as blinking, speaking, or head tilting, to ensure the photo captured is from a real human. In addition, passive liveness detection works invisibly in the background without interrupting the user experience, analyzing additional biometric elements provided during the authentication process. Signers can be verified in real time within seconds.   

  • FIDO passkeys: This innovative method, which enables a smooth and easy authentication process, creates a secure channel between sender and signer, increases sign-in success rates, and reduces operational costs. Passkeys offer near-instant authentication directly on the user’s device by leveraging device biometrics. They can also work offline after initial setup, removing dependency on network availability. Passkeys are supported across a wide range of platforms, browsers, and devices and provide cross-device sync. They are suitable for repeat signers.

OneSpan Sign is an eSignature solution that provides the flexibility to support your authentication requirements for a variety of signing scenarios. Read our User Identification and Authentication white paper for best practices on how to select the right authentication methods for your e-signature use case.

