This series of posts will help you to understand what a remote online e-signing solution needs to provide. This is post 4/5.
4 Signing methods
First, there is an important difference between methods in which:
- the captured handwritten signature of a person is forensically identifiable (also known as a “biometric signature”),
- the signature data embedded in the signature field (e.g., an image of the handwritten signature) is not sufficient to authenticate the signer, so additional authentication methods and audit trails are needed to make the signature legally binding,
- signatures are used in conjunction with personal digital signing certificates.
Thus, the main question in capturing handwritten signatures is whether the captured signature data is forensically identifiable. Wherever a pen or stylus is used together with properly implemented capturing software, the resulting signatures are forensically identifiable.
In other scenarios, such as signing with a mouse, touchpad or finger, or where the necessary capturing software and/or hardware is not in place, the signature is not forensically identifiable. This second category is what we'll call an "HTML5 signature."
Certificate-based signatures, by contrast, require a public key infrastructure (PKI). They are a very popular model for e-signing within your own organization, because you can manage the PKI rollout yourself, but they achieve only limited reach in other scenarios, such as B2C or B2B contracts.
Regardless of which of these three signature methods is used, the signed document and its audit trail should always be sealed with a valid digital signature, so that any later alteration of either is detectable.
4.1 HTML5 signatures
The big advantage of HTML5 signatures is that they do not require the signer to install anything. They are simply formatted to work on any HTML5-enabled web device. Depending on the authentication method (see Section 3), they also do not require complex sign-up procedures, so they are perfectly suited to online B2C and B2B scenarios.
However, the whole process depends entirely on proper authentication of the recipient (see Section 3) and on logging every user interaction. If this is securely documented in an audit trail, the HTML5 signature carries reliable evidential weight. Depending on the chosen method it may even meet the EU's advanced electronic signature standard and thus be fully equivalent to a forensically identifiable (biometric) signature, as described in Section 4.3.
Furthermore, an audit trail that a judge and the lawyers involved can read and understand without calling for an expert opinion places the burden of proof on the signer in most cases. This is even an advantage over biometric signatures, which are usually not verified in real time.
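As an added example (not code from the original post or from any vendor mentioned in it), the following Go program shows the two mechanisms this section relies on: the sealing of document and audit trail with a digital signature, and an audit trail in which every logged interaction commits to its predecessor. The trail head and the document hash are signed together with the service's ECDSA key, and verification fails if the document is swapped or if any event is removed, including the first or the last. The event schema, the `esign-seal-v1` domain separator and the sample envelope are assumptions made for the example; a production service would emit a PDF signature container with an HSM-held key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEvent is one logged user interaction. The schema is a constructed
// example; the article does not prescribe a format.
type AuditEvent struct {
	Time   string `json:"time"`
	Actor  string `json:"actor"`
	Action string `json:"action"`
	Detail string `json:"detail"`
	Prev   string `json:"prev"` // hex SHA-256 of the previous event; "" for the first
}

// AuditTrail is an append-only list in which every event commits to its
// predecessor, so deleting, inserting or reordering events breaks the chain.
type AuditTrail struct {
	Events []AuditEvent
}

// hashEvent hashes the canonical JSON of an event; struct field order fixes
// the encoding, so equal events always hash equally.
func hashEvent(e AuditEvent) string {
	b, _ := json.Marshal(e) // cannot fail for a struct of strings
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append records an event linked to the current head of the trail.
func (t *AuditTrail) Append(ts time.Time, actor, action, detail string) {
	t.Events = append(t.Events, AuditEvent{
		Time: ts.UTC().Format(time.RFC3339), Actor: actor, Action: action,
		Detail: detail, Prev: t.Head(),
	})
}

// Head returns the hash of the last event, which commits to the whole trail.
func (t *AuditTrail) Head() string {
	if len(t.Events) == 0 {
		return ""
	}
	return hashEvent(t.Events[len(t.Events)-1])
}

// Verify checks that the trail starts at genesis (Prev == "") and that every
// link holds; a trail with its first event removed therefore fails too.
func (t *AuditTrail) Verify() error {
	prev := ""
	for i, e := range t.Events {
		if e.Prev != prev {
			return fmt.Errorf("audit trail broken at event %d", i)
		}
		prev = hashEvent(e)
	}
	return nil
}

// sealDigest binds document and trail head into one digest. Signing either
// alone would let an attacker pair a genuine trail with another document.
func sealDigest(doc []byte, trailHead string) []byte {
	docHash := sha256.Sum256(doc)
	h := sha256.New()
	h.Write([]byte("esign-seal-v1\x00")) // domain separation (assumed label)
	h.Write(docHash[:])
	h.Write([]byte(trailHead))
	return h.Sum(nil)
}

// Seal signs document + trail with the service's key (ECDSA P-256 here).
func Seal(priv *ecdsa.PrivateKey, doc []byte, t *AuditTrail) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, sealDigest(doc, t.Head()))
}

// VerifySeal accepts only if the chain is intact and the signature matches.
func VerifySeal(pub *ecdsa.PublicKey, doc []byte, t *AuditTrail, sig []byte) bool {
	if t.Verify() != nil {
		return false
	}
	return ecdsa.VerifyASN1(pub, sealDigest(doc, t.Head()), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	doc := []byte("Lease agreement v3 (constructed sample document)")
	var trail AuditTrail
	t0 := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	trail.Append(t0, "alice@example.com", "authenticated", "SMS OTP verified")
	trail.Append(t0.Add(30*time.Second), "alice@example.com", "viewed", "pages 1-4")
	trail.Append(t0.Add(2*time.Minute), "alice@example.com", "signed", "Type-2-Sign from 203.0.113.7")
	sig, _ := Seal(priv, doc, &trail)
	fmt.Println("intact:          ", VerifySeal(&priv.PublicKey, doc, &trail, sig))
	fmt.Println("document changed:", VerifySeal(&priv.PublicKey, []byte("Lease agreement v4"), &trail, sig))
	cut := AuditTrail{Events: []AuditEvent{trail.Events[0], trail.Events[2]}} // "viewed" event removed
	fmt.Println("trail edited:    ", VerifySeal(&priv.PublicKey, doc, &cut, sig))
}
```

The genesis check in Verify matters: without it, cutting events off the front of the trail would leave a chain that still verifies and still ends at the same head, so the seal would accept a trail that no longer shows how the signer was authenticated.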
How the signature is displayed on the document is mostly a question of convenience for the signer, not primarily a legal one. One could argue that a signature image the signer selected or constructed themselves, for example by typing their name, carries more legal weight than one produced without their involvement, because it better demonstrates the intent to sign, but that is a minor point compared with the other proof points.
It is roughly the equivalent of the stamp imprint in the paper world. Proper e-signature software lets you define the elements of the imprint. Depending on the use case, you might include only the signer's name, or also the IP address, geolocation and other information. You may even add a text stating that this is an electronic signature and not a handwritten one.
4.1.2 Typing the name (Type-2-Sign)
This method lets the signer type their name and render it in one of several handwriting-style fonts, producing a placeholder that looks like a handwritten signature. Users may choose the font and size they prefer.
As with Click-2-Sign, the Type-2-Sign imprint may also include additional information, such as the signer's name, email, IP address, and signing date and time. All of this is configurable.
4.1.3 Drawing with a finger, mouse, or stylus (Draw-2-Sign)
The last method lets signers draw their signature as they are used to doing on paper. It resembles the methods that capture a real handwritten signature, but most people cannot draw their usual signature with a finger, and hardly anyone can with a mouse. Even when a stylus is used, the result is not forensically identifiable, because a purely web-based solution cannot capture reliable biometric data, only an image.* The separate authentication step therefore remains necessary.
4.2 Certificate-based personal signatures
Some industries and a number of countries demand certificate-based personal digital signatures. In this case, senders need to be able to require signers to apply digital signatures with third-party signing certificates that are issued to them “personally.”
The process is very similar to the standard process, thus:
- A new envelope is created and documents are added to the envelope as normal.
- Recipients are added as normal, but the sender requires some of them to sign with a personal digital certificate.
- Any other authentication options for the recipient are added as normal.
- The design of the envelope is completed and it is sent as normal.
- The recipient opens the envelope and fills in all the required fields as with all other methods. When the signer is ready to complete the signing process, they digitally sign the document.
- The signer is asked to review and confirm the information, maybe including the reason for the signature and his/her company details and location.
After these steps, anyone can open the completed PDF in a common viewer such as Adobe Reader to inspect the signature and the X.509 certificate information behind it. Note that a viewer only shows the signature as trusted if the certificate chains to a root in its trust store and has not been revoked; a mathematically valid signature value alone is not enough.
As with all technology, criminals and fraudsters will try to circumvent the intended process. In the case of a personal digital certificate, if the device the legitimate user owns and signs on is compromised, whether by malware or by unauthorized access, the possibility of misuse remains, because whoever controls the device can trigger signatures in the user's name.
However, in some countries the highest legal value of a signature, deemed equivalent to a "wet ink on paper" signature, can only be achieved with such certificate-based signatures. Often they even require approved chip cards and reading devices, which makes this technology quite expensive. This generally applies to the European Union with its so-called Qualified Electronic Signatures (QES). Some member states even provide an infrastructure to activate the QES function on their national identity cards (e.g., Germany with its nPA; see also Sections 3.6 and 3.7). Typically, however, card owners have to activate and pay for this function separately and also need a card reader to use it. The resulting low market penetration makes QES problematic in B2C scenarios.
4.3 Forensically identifiable signatures (biometric signatures)
A forensically identifiable signature is much more than a digitized image of a handwritten signature. It requires recording the handwritten signature with all available parameters, such as acceleration and speed, i.e. the writing rhythm. These dynamic parameters are characteristic of each individual and extremely hard for a forger to reproduce, which is why the digitized signature is forensically identifiable and far more reliable than the signed image alone.
When someone claims "I didn't sign that", a forensic expert can perform a thorough manual signature verification at any later time, using specialized software to reach an admissible result in the same way as with a signature on paper. The biometric signature thus fulfills the EU's advanced electronic signature standard and has been widely adopted as the de-facto industry standard wherever it is applicable.
Some solutions also verify a signature in real time against a pre-enrolled signature profile database. This not only secures the execution of certain transactions but also provides a ready-to-use audit trail in case of a dispute, placing the burden of proof immediately on the signer.*
So, why not use biometric signatures all the time?
Because requiring the signer to install a local signature-capturing component is, in many situations, not practical, HTML5 signatures also have a very wide range of use cases. Wherever possible, however, and in particular for high-value or high-risk transactions and commitments, it is best to rely on handwritten biometric signatures.
4.3.1 Capturing devices for biometric signatures
On the one hand, there are the traditional signature pads and pen-enabled screens; on the other, there is a broad selection of smartphones and tablets with native pen support. In addition, there are special pens that allow very good signature capturing on devices without out-of-the-box pen support, such as the iPad or iPhone. Many of these special pens even deliver pressure values, and some promise palm protection, but in many cases the palm protection and data rate are not as good as with native pens. If you do not have a native pen, you can still use a capacitive stylus, as discussed below.
Signing with a capacitive stylus feels like signing with a pen. There are still a few shortcomings compared with a native pen, which typically result in larger signatures written at a slower speed. However, in contrast to signing with a finger, the captured writing rhythm of an individual's stylus signature is still sufficiently unique and similar to a native-pen signature for forensic handwriting analysis to be applied.
Native pens typically provide a signing experience that is, compared with a capacitive stylus, even closer to the act of signing in the paper world.
The reason for this is that native pens provide:
- A thin pen tip, like an ink pen, that lets you sign at your regular small letter size
- Palm protection so that you can touch the screen while signing without reducing the quality of the captured signature.
Additionally, native pens provide better data quality because:
- They provide a higher data rate, allowing you to capture all aspects of even very fast signatures
- Many also capture the pressure information of your writing, which—while not mandatory for capturing a biometric signature—adds extra security and evidence as it provides additional signature data that a forensic expert can analyze.
A fineline stylus aims to bring the advantages of a native pen to devices that do not ship with a stylus, the most prominent example being the iPad. It is still a capacitive stylus, but one that uses electronics to allow a fine pen tip, and sometimes also palm protection and pressure recording. While it will not match a native pen, the writing experience is certainly better than with an ordinary capacitive stylus. Pen technology is also constantly improving, so fineline styluses will keep getting better.
4.3.2 Using a smartphone as a signature pad
In this sub-section, we focus on the use case with smartphones, since this is a device that is in use by the majority today and thus does not necessitate a special purchase. For a discussion about signature pads and screens, please refer to the white paper “eSigning at the In-house Point of Sale.”
This scenario is perfect for those instances in business when you want to capture biometric signatures, but do not want to deploy signature pads or pen displays.
The typical process is as follows:
- Review documents or complete form fields and add attachments on any computer in a browser—maybe together with a customer, employee, or business partner—and use a smartphone as a signature-capturing device.
- A native signature capture app turns a smartphone into a signature-capturing device. This app should be available on most iOS, Android, and Windows phones.
- When the signer is ready to sign a document, a secure channel between the smartphone and the host computer is established using a pairing token, which the signer can read simply by scanning a QR code with the smartphone's camera through a reader integrated into the native signature capture app. The token should be random, short-lived and single-use, so that a photographed or replayed QR code cannot pair a second device to the session.
- The signature capture app shows a signature capture dialogue, with the document background providing a visual document mapping.
- The signature is captured on the smartphone. It's highly recommended to use a smartphone with a native pen or a stylus for signing; otherwise you may lose the potential for forensic identification.
- After the signature is captured, it’s transferred via the secured channel and embedded into the document.
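The pairing step above only says that a token is used. The following Go code is an added example (not the vendor's implementation) of how a host could issue and redeem such tokens safely: each token is 256 random bits, bound to one signing session, expires after a short TTL, and is consumed on first presentation, so a photographed QR code cannot be replayed to pair a second phone. The broker API, the session IDs and the TTL are assumptions made for the example, and the token is assumed to travel from phone to host over TLS.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Errors returned to the phone app; the host UI can turn both into a
// "scan again" prompt without revealing whether a token ever existed.
var (
	ErrUnknownToken = errors.New("pairing token unknown or already used")
	ErrExpiredToken = errors.New("pairing token expired")
)

// pairing is the server-side record behind one QR code (constructed design;
// the article only says "a token" pairs phone and host).
type pairing struct {
	sessionID string
	expiresAt time.Time
}

// PairingBroker issues and redeems pairing tokens for signing sessions.
type PairingBroker struct {
	mu     sync.Mutex
	tokens map[string]pairing
	ttl    time.Duration
	now    func() time.Time // injectable clock, so expiry can be tested
}

func NewPairingBroker(ttl time.Duration) *PairingBroker {
	return &PairingBroker{tokens: make(map[string]pairing), ttl: ttl, now: time.Now}
}

// Issue creates a fresh 256-bit random token bound to one signing session and
// valid for ttl. The returned string is what the host renders as a QR code.
func (b *PairingBroker) Issue(sessionID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	b.mu.Lock()
	defer b.mu.Unlock()
	b.tokens[tok] = pairing{sessionID: sessionID, expiresAt: b.now().Add(b.ttl)}
	return tok, nil
}

// Redeem is called when the phone app has scanned the QR code. The token is
// consumed on first presentation whatever the outcome, so a photographed or
// replayed QR code cannot pair a second device, and an expired token is
// never accepted.
func (b *PairingBroker) Redeem(tok string) (string, error) {
	b.mu.Lock()
	defer b.mu.Unlock()
	p, ok := b.tokens[tok]
	if !ok {
		return "", ErrUnknownToken
	}
	delete(b.tokens, tok)
	if b.now().After(p.expiresAt) {
		return "", ErrExpiredToken
	}
	return p.sessionID, nil
}

// Sweep drops expired tokens that were never scanned, so the map cannot grow
// without bound when users abandon the signing dialogue. Returns the count.
func (b *PairingBroker) Sweep() int {
	b.mu.Lock()
	defer b.mu.Unlock()
	n := 0
	for tok, p := range b.tokens {
		if b.now().After(p.expiresAt) {
			delete(b.tokens, tok)
			n++
		}
	}
	return n
}

func main() {
	broker := NewPairingBroker(90 * time.Second)
	tok, _ := broker.Issue("envelope-4711") // constructed session ID
	fmt.Println("QR payload: ", tok)
	sess, err := broker.Redeem(tok)
	fmt.Println("first scan: ", sess, err)
	_, err = broker.Redeem(tok)
	fmt.Println("second scan:", err) // replay is rejected
}
```

Deleting the token before checking expiry is deliberate: an attacker who learns a token should get exactly one attempt, and an expired token should not linger in the map to be tried again.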
* Expert reports referenced above:
- Voithofer, Paul: Gutachterliche Stellungnahme SignAnywhere (expert statement on SignAnywhere)
- Voithofer, Paul: Sachverständigengutachten SIGNificant Produkte (expert report on the SIGNificant products)
- Caspart, Wolfgang: Graphologisches Gutachten (graphological expert report)
… read more next week.