With both “wet” and electronic signatures, authentication processes assure that the person who signed your contract is the person he or she claims to be. How important is authentication in your paper contracts, and how important should it be in your electronic contracts? Learn about what your options can do for you and your business in this series on Best Practices. Previously, we discussed the difference between Post and Prior authentication practices. Now, let’s discuss…

Online Authentication

Online authentication models typically focus on Prior authentication, identifying the user before allowing access. Authentication evidence falls into three general categories, or factors:

1. Something you know: a password, PIN or passphrase
2. Something you have: an access card, cell phone, key fob or hardware token that produces a one-time code
3. Something you are or do: a fingerprint, retinal scan or voice pattern

To raise the level of assurance, companies can require evidence from more than one category; this is “two-factor” (or, more generally, “multi-factor”) authentication. One example is a password used with an access card. Using two passwords is not two-factor authentication: both are “something you know,” so the second password adds a step but not a second factor. Two-factor authentication is simply multi-factor authentication with exactly two categories. What raises assurance is drawing on independent categories, so that compromising one (a phished password) does not compromise the other (a card or phone in the user’s pocket).

The Federal Financial Institutions Examination Council (FFIEC) has issued guidance that single-factor authentication is inadequate for high-risk transactions, such as those that move funds, and that institutions should use multi-factor authentication or comparable controls for them. The FFIEC, an interagency body of the U.S. government, comprises the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration and others.

Installed digital certificates, IP addresses and network adapter (MAC) addresses provide system authentication. These identify a machine, not a person, and addresses in particular can be shared or spoofed, so on their own they are weak evidence of who is at the keyboard.

Identifying a Person Online

Ideally, online authentication identifies the person, not the equipment. Methods that verify the person directly are more reliable indicators of identity than inferring it from the relationship between equipment and people: it may not be reasonable (a) to expect any person to have a particular piece of equipment, or (b) for a particular piece of equipment to be used only by a particular person. Requiring specific software, certificates or hardware for authentication will hamper adoption of the underlying solution and the success of authentication for a broad group of people. Several online authentication levels, in order of increasing security:

1. Self-Authentication: The lowest level, which relies on customers authenticating themselves, such as a simple registration that validates nothing. Many services that allow a user to “self provision” a certificate are self-authenticating. There is no Prior authentication at all; to improve assurance, validate by sending a confirmation email and requiring the recipient to act on it.

2. Email Authentication: Prior authentication that requires a user to prove access to an email address, typically by following a single-use, expiring link sent to it. Because email accounts can be set up without any authentication, this is a very light form of authentication. Some systems reject a list of “free” email providers such as Gmail and Yahoo and allow only corporate email domains, which increases the security of this method somewhat. Email authentication is a weak form of third-party or system validation and of Prior authentication.

3. Shared Secret / Passphrase: Recipients must know or be given information to use for transaction access. The customer should receive the secret “out of band,” through a channel other than the one used to deliver the transaction. For example, if you send the customer a link to a document via email, send the shared secret or passphrase by phone or any method BUT email; otherwise anyone who can read the mailbox has both. This method is a Prior mode.

4. Knowledge Based Authentication (KBA): A third-party data provider generates a set of questions that only the individual should be able to answer. Common questions concern prior addresses, phone numbers and relatives’ names. This popular form of authentication works in real time; generates dynamic questions and possible answers; includes questions with more than one, or no, correct answer; and does not require possession of a specific device. These properties make it difficult for someone else to pass another person’s questionnaire and make KBA a strong Prior mode. Its strength rests entirely on the answers staying private, however; much of this data is now exposed through breaches, public records and social media, so KBA is best used to supplement another factor rather than replace it.

5. Phone Based Authentication: This relies on a person being reachable at a known wireless or wired phone number. When used with a password, a phone-based method qualifies as two-factor authentication, via the “something you know” and “something you have” categories. It works by calling the known number and reading out a code that the customer must enter in the web session, or by sending a code by text message to a wireless phone. Codes should be random, single-use and short-lived. Keep in mind that a phone number is bound to a person less firmly than a physical token: calls and texts can be forwarded, and numbers can be ported or reassigned. Depending on its use, phone authentication may be a Prior or Post mode.

6. Captured Signature: Collecting a digital representation of someone’s handwriting (as when you “sign” for a credit or debit card purchase) does not qualify as Prior authentication because it is not compared to an earlier, known sample. It does provide a good source of evidence for Post authentication if there is a dispute. Although digital signature pads can also capture motion and pressure, without a previously recorded “known good” sample it is still not Prior authentication.

7. Software or Service Based Public Key Infrastructure (PKI): Using a public/private key pair and a trusted certificate authority (CA), a system can verify that the customer holds the private key matching the public key in a CA-issued certificate; the certificate is what binds that key to a name. The customer applies this private key to prove his or her identity. The certificate and its private key may live on the signer’s PC or, in some services, in an online account. Several challenges with PKI have prevented broad adoption:

Level of Authentication Required: Five classes of certificates are intended for different uses, each with its own identity-proofing requirements.
Challenge of Obtaining a Certificate: Some are easy to obtain; others require additional effort. A self-provisioned certificate is easy to obtain but provides only minimal assurance of identity. Increasing assurance requires additional provisioning steps, such as a notarized transaction, physical presence or payment. PKI certificate adoption in the U.S. has been limited by these issues.

Certificate Control: PKI certificates and their private keys are installed on computers or key fobs. If the private key is lost or compromised, the certificate becomes a single point of failure. Once someone has a certificate, how can you ensure that the intended user, and only that user, will protect and control its private key?

Digital Signature Details and Authenticity: Customers must have software that can apply the digital signature to a record and later process it. Typically this limits the user to a few document formats, such as Microsoft Word or PDF, and adds significant complexity. For example, the software used to view the document’s content and digital signature must know of and trust the certificate authority, and must check that the certificate has not expired or been revoked, for the signature to be shown as valid.

PKI is a Prior process.

8. Hardware-based Authentication: Hardware-based authentication is similar to software certificate authentication, but the private key is generated and stored on a small piece of hardware, such as a USB token, and never leaves it. Carried by the authenticated user, these tokens are PIN or password protected. Hardware authentication has the same provisioning and software-support issues as software PKI, though copying a key out of a token is much harder than copying it off a PC.

9. Biometric Authentication: This requires recognition of a physical attribute of the person to authenticate. Examples of attributes used in biometrics include fingerprint, iris, voice, face and palm. As with captured signatures, the challenge with biometrics is the need for a “known good” enrollment sample against which later access attempts are compared. While this is the strongest form of authentication, it is also the most cumbersome because the customer typically needs a hardware device as well as a prior known good sample; and unlike a password, a biometric cannot be reissued if the stored sample is compromised. Biometric authentication is a Prior mode.

For practical reasons, any mode that requires the customer to have specific software, certificates or hardware should be avoided for customer-facing use. Those modes are better suited to internal processes, where the business controls the access points and the employees.

So how do authentication and electronic signatures fit together? We’ll explore that in the next and final post of this series.
