The pandemic has accelerated the corporate shift towards digitisation. With the spread of remote working and reduced travel, the ability to sign documents remotely has shown its full potential, enabling organisations to continue to operate despite the circumstances. For example, 70% of companies have accelerated the adoption of electronic signatures because of the pandemic (Archimag). Thinking of getting into electronic signatures? Has your company implemented a remote signing solution, and do you want to become proficient with it? We have compiled a glossary of essential terms to help you learn what you need to know about electronic signatures.
Let’s start at the beginning: the electronic signature is an online process that uses encryption to affix signatures on digital documents. It is not simply a question of scanning handwritten signatures. The eIDAS regulation defines this type of signature as “data in an electronic format, which are attached to or logically associated with other data in an electronic format, and which the signatory uses to sign”.
Used with remote signatures at the different levels of security, the electronic certificate is a file containing information relating to the identity of its holder, as well as the data that guarantee the authenticity and integrity of the affixed signatures. In short, it forms the link between the electronic signature and the signatory. The certificate is generally issued to a natural person acting on behalf of the company, by a trusted third party such as a certification authority. In France, that certification authority is supervised by the French National Cybersecurity Agency (ANSSI).
Authentication refers to the process by which a user proves their identity in order to access a service. It can be done in different ways: by means of a password, a one-time code received by SMS or email, facial or voice recognition, personal questions, and so on. The more layers of authentication there are, the more secure the electronic signature is, and the less likely it is to be subject to legal challenge, which is why two-factor authentication (2FA) is used for the most advanced signature levels.
The eIDAS regulation is a European law that applies to electronic identification, trust services, and digital documents. It establishes a common framework for EU member states with the aim of fostering the emergence of a “digital trust market”. Among other things, the eIDAS regulation sets out the different levels of electronic signature available, as well as the means to be used to employ them.
The eIDAS regulation recognises three levels of electronic signature:
- simple electronic signature
- advanced electronic signature
- qualified electronic signature
These levels refer to separate processes for verifying the identity of the signatory, which become more advanced as the level of security increases. A qualified electronic signature—the highest level of security—requires a digital certificate with face-to-face verification of the applicant’s identity. As for the “simple” signature, it actually refers to all signature procedures that are neither advanced nor qualified.
In some cases (qualified signature, or advanced signature with a qualified certificate), obtaining a certificate prior to the electronic signature requires a thorough identity check, referred to as “face-to-face”. That verification can be done physically or remotely, and the method chosen determines how the check is carried out. During a physical meeting, the trusted third party gives the signatory a token to use for authentication. During a remote verification, the signatory must record one or more videos showing their face and ID.
The SMS dialogue is a process that allows the signatory of a document to confirm their consent. In this process, two SMS messages are sent to the signatory’s mobile phone: the first to request approval, the second for authentication (by means of a one-time six-digit code).
Encryption is the process of transforming data into a cipher in order to protect it by making it unintelligible to unauthorised persons. It relies on an asymmetric algorithm and a pair of “keys”: one public (accessible to all) and one private (held only by the user). Cryptography is used to guarantee the integrity, authenticity, and confidentiality of a document.
A token is a hardware device (USB key, smart card, etc.) used to encrypt or decrypt content with a public or private key respectively. In the context of a qualified electronic signature, the hardware device is given to a natural person after face-to-face verification of their identity. They can then use the token to authenticate their identity when using the electronic signature software.
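The two paragraphs above describe the key pair and the token that holds the private key. The following added example (not code from the original article or from any signature product) shows the signing side of that key pair: the private key signs a hash of the document, anyone holding the public key can verify it, and verification fails if the document is altered or if a different key was used. The document text and the use of Ed25519 with SHA-256 are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument bundles a document with the signature produced over its hash.
type SignedDocument struct {
	Document  []byte
	Signature []byte
}

// GenerateKeyPair creates the signatory's key pair. The private key stays with
// the signatory (e.g. on a token); the public key is what a certificate binds
// to the signatory's identity.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignDocument hashes the document and signs the digest with the private key.
func SignDocument(priv ed25519.PrivateKey, doc []byte) SignedDocument {
	digest := sha256.Sum256(doc)
	return SignedDocument{Document: doc, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyDocument recomputes the digest and checks the signature with the public
// key. It returns false if the document changed after signing (integrity) or
// if it was signed with a different private key (authenticity).
func VerifyDocument(pub ed25519.PublicKey, sd SignedDocument) bool {
	digest := sha256.Sum256(sd.Document)
	return ed25519.Verify(pub, digest[:], sd.Signature)
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	contract := []byte("Service agreement: 12 months, EUR 5,000 per month") // constructed sample
	signed := SignDocument(priv, contract)
	fmt.Println("original verifies:", VerifyDocument(pub, signed)) // true

	tampered := signed
	tampered.Document = []byte("Service agreement: 12 months, EUR 50,000 per month")
	fmt.Println("tampered verifies:", VerifyDocument(pub, tampered)) // false

	otherPub, _, _ := GenerateKeyPair()
	fmt.Println("other key verifies:", VerifyDocument(otherPub, signed)) // false
}
```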
An electronic signature API makes it possible to create a gateway between the signature software and the company’s other business software. It provides access to the electronic signature software so that the company can set up the validation workflows it needs. Using an API helps to streamline the electronic signature process, shorten the sales cycle, and improve the user experience, along with customer satisfaction!