Because both authentication and signing are important, and different, DocuSign makes an important distinction between the two. In DocuSign, they are tied together into the overall transaction or ceremony of agreement.

DocuSign’s secure authentication model enables you to leverage several different authentication tools for both prior and post authentication modes. DocuSign addresses two general signing scenarios – “remote” signing over the internet and “in-person” signing where the signer is present. DocuSign also provides several layers of authentication that are improvements over typical business practices.

DocuSign’s Authentication Options

DocuSign provides an integrated authentication system that works with the electronic signature process to ensure any level of authentication can be provided and that the authentication provides positive identification of the person signing. 

The DocuSign authentication process is designed and architected with no single point of authentication failure. Authentication can be required each time a signer reviews and signs a document, if requested. One authentication session for a document from company “A” does not mean that company “B” must rely on that authentication, as is the case with PKI digital certificates. 

The DocuSign secure authentication system provides several levels and tools integrated into the system:

1. Email authentication: validates a person’s email address and access to that email address.

2. Access code authentication: validates the person’s ability to provide a shared secret or passphrase.

3. ID check: validates a person’s knowledge based on a knowledge-based authentication process provided by RSA.

4. OFAC checking: validates whether a person’s name is on the Specially Designated Nationals List administered by the Office of Foreign Assets Control.

5. Age verification: validates a person’s age is correct as entered.

6. STAN PIN system: validates the person’s Student Authentication Network as entered.

7. Federated authentication: accepts and records authentication by another system when integrated with DocuSign. This can be any form.

The DocuSign secure authentication system supports a workflow of authentication for integrated customers, enabling decision-making during the authentication process. For example, if a person’s age verification results in an age older than 18 years, then the authentication process will also include knowledge-based authentication or if the age is 18 years or younger then the authentication process will also include the Federal STAN PIN system.

In addition to these prior authentication tools, DocuSign collects IP addresses of all the users and time stamps all activity into the audit trail along with all the authentication results.

In-Person Signing

If your signing process takes place in person, consider what authentication steps you require. Depending on your business, you may do one of the following:

1. No authentication other than accepting a signature. The vast majority of processes happen this way. The signer appears, signs a contract and it is considered good. In this case, you don’t have an electronic authentication process is really nothing. Simply have the signer appear in person and sign. No need to use additional authentication.

2. Identification before signing. In some cases, the signer is required to produce a valid drivers license or other form of picture ID for the person hosting the transaction to identify the signer.

3. Notarization. This is the most stringent form of in-person authentication and it is used in only very sensitive situations.

Using DocuSign, it is possible to sign in person by selecting the recipient type as “In-Person Signer.” Once this is selected for a recipient, the system asks for a signing host and depending on the business process defined will require whatever credential is typically used. One example is using a drivers license for authentication. 

DocuSign’s In-Person Signing process is a witnessed signing with credential collection support. Once the signer is authenticated by the witness, he or she may electronically sign on the local computer. Once done, the witness must re-apply his or her signature to record he or she was present for the whole signing. In addition to the local credential collection, the signer may also be requested to process a knowledge-based authentication or a shared secret for multi-layer authentication. Therefore, this can be either a prior or post authentication mode authentication process. 

Remote Signing

The most common form of electronic signing with DocuSign is remote signing. The signer receives an email that he or she has a document to sign. This remote signing process uses at least email authentication and the sender may elect to use additional layers of authentication for more sensitive transactions. 

In situations where the signing process is embedded into another portal or website, that portal’s authentication can be passed along when signing starts, and used as the only authentication process or supplemented by the authentication tools DocuSign provides.

In all cases, the signer’s authentication is recorded in the DocuSign Audit Log and the DocuSign Certificate of Signing regardless of how the person signed – in-person, remote, or embedded. The Audit Log and Certificate of Signing are encrypted and tamper-proof.

When considering your signer authentication strategy, you should evaluate your current processes and risks. Then establish any increased or decreased risks that might be present by transitioning from a paper process to an electronic one. Once you have this understanding, you can establish the policies and authentication procedures you should use with your electronic signature service. 

Online Authentication

Online authentication models typically focus on Prior Authentication models, identifying the user before allowing access. The three general categories, or factors of authentication:

1. Something you know: password or token value
2. Something you have: access card, cell phone or key fob
3. Something you are / do: fingerprint, rentinal scan or voice pattern

To raise the level of authentication assurance, companies can require authentication from more than one category, or “two-factor” authentication. One example is a password used with an access card. Using two passwords would not be two-factor authentication, but rather, “multi-factor” authentication. Two-factor authentication is more effective than multi-factor authentication at raising authentication assurance.

The Federal Financial Institutions Examination Council (FFIEC) prescribes an authentication standard, defined as multi-factor authentication, required for many financial transactions. The FFIEC, an interagency body of the U.S. government, works with the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration and many others.

Systems such as installed digital certificates, machine addresses and network adapter card addresses provide system authentication. This identifies a machine, not a person.

Identifying a Person Online

Ideally, online authentication identifies the person, not the equipment. Other methods of authentication are more effective as indicators of identity than relying on the relationship of the equipment to people. It may not be reasonable to (a) expect any person to have a particular piece of equipment; (b) for a particular piece of equipment to be used only by a particular person. Requiring specific software, certificates, or hardware for authentication purposes will hamper the adoption of the underlying solution and the success of authentication for a broad group of people. Several online authentication levels, in order of increasing security:

1. Self-Authentication: Lowest authentication level that relies on customers authenticating themselves, such as a simple registration that does not validate anything. Many services that allow a user to “self provision” a certification are self-authenticating. There is no Prior Authentication at all; to improve the authentication assurance, validate by an email receipt.

2. Email Authentication: Prior authentication that requires a user to prove access to an email address. Because email accounts can be set up without authentication, this is a very light form of authentication. Some email authentication systems reject a list of “free” email service providers such as Gmail, Yahoo, and others and allow only corporate email systems to be used. This increases the security of this method. Email authentication is a weak form of third party or system validation and prior authentication.

3. Shared Secret / Passphrase: Recipients must know or be given information to use for transaction access. The customer should receive the secret “out of band” from other communications methods used to deliver the transactions. For example, if you send the customer a link to a document via email, you should send the shared secret or passphrase by phone or any method BUT email. This authentication method is a Prior Authentication mode.

4. Knowledge Based Authentication (KBA): A third party data provider can generate a set of questions that only the individual would be able to answer. Common types of questions relate to prior addresses, phone numbers, and relative names. This popular form of authentication works in real time; generates dynamic questions and possible answers; includes questions with more than one, or no, correct answers; and does not require possession of a specific device. These reasons make it difficult for someone to pass another’s knowledge-based authentication questionnaire and makes KBA a very strong Prior Authentication mode.

5. Phone Based Authentication: This relies on a person being available to use a known wireless phone or wired phone number. When used with a password, a phone based authentication method qualifies as two-factor authentication, via the “what you know” and “what you have” categories. Phone authentication works by requesting the customer enter in a code in a web session provided via phone call to the known phone number, or by sending a code to a wireless phone. Depending on its use, phone authentication may be a Prior or Post Authentication mode.

6. Digitized Signature: Collecting a digital representation of someone’s handwriting (such as when you “sign” for purchases when using credit / debit card) does not qualify as a Prior Authentication because it is not compared to earlier, known samples. It does provide a good source for Post Authentication if there is a problem. While digital signature pads can also capture motion and pressure, without a previously recorded “known good” sample, it is not Prior Authentication.

7. Software or Service Based Private Key Infrastructure (PKI): Using a public and private key and a trusted certificate authority (CA), a system can be set up to validate a private key held by a customer. The customer can apply this key to verify his or her identity. These PKI “certificates” may exist on the signers’ PC or in an online account in some instances. Several challenges with PKI have prevented broad adoption:

Level of PKI Required: Five classes of certificates intended for different uses.
Challenge of Obtaining PKI Certificate: Some may be easy to obtain or may require additional effort to obtain. A self-provisioned certificate is easy to obtain, but provides only minimal assurance of authentication. Increasing authentication assurance requires additional provisioning steps, such as a notarized transaction, physical presence, or payment to obtain a certificate. PKI certificate adoption in the U.S. has been limited due to these issues.

Certificate Control: PKI certificates are installed onto computers or key fobs. With loss or compromise, this is a single point of authentication failure. Once someone has a PKI certificate, how can you ensure that the intended user and only that user will protect and control that certificate?

Digital Signature Details and Authenticity: Customers must have software that can process the signature to apply the digital signature to a record. Typically, this means limiting the user to a few document formats, such as Microsoft Word or PDF and also creates significant overhead in complexity. For example, the software used to view the document’s content and digital signature must be aware of and trust the certificate authority for the signature to be shown as valid.

PKI is a prior authentication process.

8. Hardware-based PKI: Hardware-based PKI is similar to software certificate PKI, but is installed on a small piece of computer hardware, such as a USB token. Carried by the authenticated user, these are password protected. Hardware PKI has the same issues as software PKI.

9. Biometric Authentication: This requires recognition of someone’s physical attribute to authenticate. Examples of physical attributes used in biometric authentication include fingerprint, iris, voice, face and palm. As with Digitized Signature, the challenge with Biometric Authentication is the need of a “known good” starting point from which to compare later access attempts. While this is the strongest form of authentication, it is also the most cumbersom because the customer typically needs a hardware device as well as a prior known good sample. Biometric authentication is a prior authentication mode.

For practical reasons, any authentication mode that requires the customer to have software, certificates or hardware should be avoided. They are better suited for internal processes, where the business controls access points and employees.

So how does authentication and electronic signature fit together? We’ll explore electronic signature in the next and final post of this series.

When I try to ‘sign,’ either the pad is slippery, or the surface so scratched, I cannot get anything to look remotely like my signature.  That does not appear to matter! 

Apparently, that scratched up signing device isn’t connected to anything that remotely protects my identity. Nothing is ‘validating’ my signature at all – this e-signature process is a total waste of time.

Digital Signature from Tom Gonser

The digital signatures above are actual signatures I provided when checking out!  NEITHER of these looks like my signature and they don’t even look like each other!  How exactly does this prevent signature theft and fraud?

Here at DocuSign, we take signatures more seriously. Our electronic signature process involves creating a customized signature, and adopting it for use online.  Then when you want to sign using YOUR signature, the sender can elect to require several different levels of authentication, thus connecting your electronic signature to YOU. The right authentication level depends on the document and risk.

Like their paper counterparts, however, electronic records pose authenticity challenges when they are copied onto a paper medium.

For example, when a paper copy of a paper-based transaction is submitted, one assumes that the copy is a photographic reproduction of the original document as executed by the parties. Reliance on that copy is based on many factors, including the presumption that risk of repudiation of the transaction is mitigated because parties have hand signed. While these are merely copies of handwritten signatures and the original signatures may not have been verified that the named parties were indeed the individuals who signed the original document, lenders, underwriters and government agencies have generally accepted these copies as providing adequate evidence of authenticity to mitigate the risk of fraud or repudiation. If necessary to enforce the underlying transaction, the original paper document can be found and the handwritten signatures can be verified through handwriting analysis.

With a paper copy of an electronic record, more may be required to support the initial assumption that the copy is a reliable reproduction of the original document. The two reasons for this are:

First, unlike a photocopy of a paper document, the version of an electronic record that is reduced to paper may not look anything like the record that was signed electronically.

Second, and more importantly, the visual representation of a signing party’s electronic signature on a paper rendering, if present at all, may not be adequate by itself to affirmatively identify it as an actual signature. It may be a stamp or seal, a mark or border, or just a notation. Each of these symbols or marks indicates that the document has been signed using an electronic process, but the symbols do not themselves constitute the electronic signatures.

Since the adoption of the signature and association of the signature with the record (along with consent and authentication) have all occurred electronically, an extra step is required to bring some evidence of the electronic signature process into the paper record so that it can be relied upon to the same extent that an image of a handwritten signature on a paper document can be.

DocuSign accomplishes this important step by capturing, retaining and reproducing the essential elements of the signing process.

The DocuSign system:

• Captures the party’s identity, his consent to use electronic signatures, adoption of a GUID/Symbol combination as a signature, and his application of that signature to an unalterable document with a unique envelope ID number.
• Retains an audit log of the sending and signing process and retains a hash value for the actual image of the signed document.
• Can reproduce the document as it was presented to and signed by the parties, test the hash value against contested versions or images, and furnish a certificate of completion with an audit log of the transaction.
• Attest to the systemic treatment of all signers using the system. In other words, no party can sign a document without going through the process defined by DocuSign’s closed system.
• Can issue a digitally signed (sealed) electronic record of the transaction for true reproduction of the electronic version of the document.

Thus far, all cases of attempted repudiation of a DocuSigned contract have been defeated, simply by presenting to the signer the evidence of their participation in the transaction.

]]> http://www.docusign.com/blog/2009/05/01/authenticating-paper-copies-of-electronic-records/feed/ 0 http://www.docusign.com/blog/2009/04/30/beyond-esign-evidentiary-issues-admissibility-into-evidence/ http://www.docusign.com/blog/2009/04/30/beyond-esign-evidentiary-issues-admissibility-into-evidence/#comments Fri, 01 May 2009 05:20:22 +0000 An Bui, DocuSign Social Media http://www.docusign.com/blog/?p=365

The “Best Evidence Rule” provides that in order to prove the content of a writing, the original writing is required. An “original” is defined as the writing itself or any counterpart intended to have the same effect by a person executing or issuing it. If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original.

The Federal Rules require that all documentary evidence be presented in admissible form, including that the evidence must be properly identified and authenticated. The party seeking to introduce an electronic record into evidence must present declarations or other evidence showing that the document is what it is purported to be. Authentication may require evidence proving the genuineness of signatures or a declaration from the document’s custodian laying a foundation for admissibility. Genuineness is provable based on the character of the signature, and the elements of character will be established by the facts surrounding the signature event.

In the case of an electronic signature, then, it is important to demonstrate to the satisfaction of the finder of fact that (a) the appropriate level and amount of information surrounding the signing process was retained, and (b) the system used to retain the information is itself reliable.

Additional requirements arise in a situation where two substantively different documents purport to genuine. The finders of fact will seek to determine the identity of the true “original” document. In the paper/ink world, this would be accomplished in part by expert testimony about the handwriting, paper and/or ink when comparing the two documents. Where the documents are electronic, the proof will lie in the logs, timestamps, encryption/hashing, etc. associated with the creation and storage of the document and signature(s).

Further, chain of custody will be critical for persuasive argument that the document introduced is the true original, or a true copy thereof. If the current custodian is also a party to the litigation, there will be higher burden on that party to demonstrate that the document has not been altered. Any proof offered must relate specifically to the record whose veracity is at issue. However, where a secure, third-party electronic signature system is used to create and store the electronic record, the burden on the defending party is reduced substantially, often allowing the party to merely demonstrate that the system can reliably produce a verifiable copy of the original signed document.

The factors to consider include, at a minimum: fulfillment of the original writing requirement, presentation in admissible form, retention of appropriate information regarding the signing process, and reliability of the system used to retain the information. Of course, specific relationships with third party providers and/or vendors, if applicable, will change the burden on the challenging party.

DocuSign’s electronic signature and electronic contract execution solution is one of the few that addresses all of the above. Before signing the document which fulfills the original writing requirement, DocuSign includes an authentication process that satisfies the presentation in admissible form requirement. DocuSign also retains logs regarding the signing process and custody of documents throughout the electronic contract execution process, reducing the burden on the defending party.

]]> http://www.docusign.com/blog/2009/04/30/beyond-esign-evidentiary-issues-admissibility-into-evidence/feed/ 0 http://www.docusign.com/blog/2009/02/03/the-etymology-of-signature/ http://www.docusign.com/blog/2009/02/03/the-etymology-of-signature/#comments Tue, 03 Feb 2009 22:57:55 +0000 An Bui, DocuSign Social Media http://blog.docusign.net/?p=134

Signature Etymology:
Middle French or Medieval Latin; Middle French, from Medieval Latin signatura, from Latin signatus, past participle of signare to sign, seal – from Merriam Webster Online Dictionary

Merriam Webster Online Dictionary defines signature as: (1) a: the act of signing one’s name to something b: the name of a person written with his or her own hand. Though there are six other definitions, we’ll focus on the one above.

The function of signatures is evidentiary, to provide evidence of the contracting party’s identity or the contracting party’s intention with regard to a specific document. In many consumer contracts, signatures provide evidence of the contracting party’s identity and serve as additional evidence of deliberation and informed consent. This explains why signatures often appear at the end of documents.

Before There was DocuSign
A seal, such as a wax seal bearing an impressed figure or an embossed figure in paper, is created with the purpose of authenticating a document. Seal also refers to a device for making such impressions or embossments. Signet rings are rings with a seal mounted atop the ring. Signet rings generally bear a coat of arms, and the tradition of wearing signet rings is associated with nobles in European and other cultures. Typically, the ring is worn on the little finger of either hand, though exceptions exist. For example, the Swiss wear it on the ring finger of the right hand. The ring’s seal should be outward facing, so that the wearer can create wax impressions without removing the ring. In this way, a signet ring serves as a signature device.

Another way to gather signatures on documents include ink on paper, or wet signatures. Wet signatures have been around for as long as people were making agreements and documenting them. The document that gave birth of our country also gave birth to a synonym for a wet signature, John Hancock.

And Now There is DocuSign
A DocuSign signature is distinct and serves the same purpose as the other signatures we’ve discussed. DocuSign provides authentication measures that fit our customers’ needs for legally binding electronic signatures, under ESIGN and UETA.

The DocuSign process can capture, retain, and reproduce the essential elements of the signing process in a simple, secure way. If you were to DocuSign a simple contract online for the first time as a signer you would:

1. Receive an email, or visit a web site where the signing was integrated
2. Pass any authentication requested by the sender (optional)
3. Create and adopt your signature with a few clicks
4. Affix your signature where the yellow stick-e Tabs indicate in the document
5. Click “complete”.

You just ‘DocuSigned’. It’s that simple and fast. Instead of writing your name with your hand, you’re clicking your name with your hand. It all is very easy, and anyone who has ever seen a ‘yellow sticky tab’ will be very comfortable. Behind the scenes, a bunch of work is happening, to make sure the whole process creates strong legal evidence, the contract cannot be modified, and all authentication data is gathered.

Now let’s compare a ‘wet’ signature to a DocuSign signature…

A ‘wet’ signature:

• Is unique to the signer, but may look slightly different each time
• May not be known by the recipient, so there is no certain way to rely on it
• Is subjective – handwriting experts can indicate ‘likelihood’ that it is yours, but it is often arguable
• Can be easily copied and used on other documents
• Does not ensure the underlying document has not been modified
• Has to be physically moved around by mail or fax

While a DocuSign Signature:

• Is unique to the signer – both the visible and invisible aspects of the signature cannot be copied
• Arrives with evidence about signer’s identity including email, IP address, authentication information, time stamps, etc.
• Is objective – it is backed up with evidence. Experts can easily determine from the extensive audit log exactly who signed, when they signed, and where they signed on the document
• Cannot be copied anymore than a picture of the Mona Lisa is the authentic Mona Lisa
• Affirms the fact the underlying document has not been modified
• Does not have to be physically moved, as it is electronic

We started our discussion of the etymology of signature, looked briefly at the Merriam-Webster definition of the word signature, examined a DocuSign electronic signature and online contract execution process and compared a wet signature to a DocuSign signature. As electronic signatures and online contract execution adoption rates increase, I hope to see definition 1b of the word signature from Merriam-Webster become obsolete. If you haven’t DocuSigned, I encourage you to try our electronic signature process.

Signet ring photo courtesy of flickr user Somma used under Creative Commons. ]]> http://www.docusign.com/blog/2009/02/03/the-etymology-of-signature/feed/ 0 http://www.docusign.com/blog/2009/02/02/data-security-is-it-on-your-mind/ http://www.docusign.com/blog/2009/02/02/data-security-is-it-on-your-mind/#comments Mon, 02 Feb 2009 23:05:22 +0000 An Bui, DocuSign Social Media http://blog.docusign.net/?p=139 I spend a great deal of time thinking about electronic signature and online contract execution. The DocuSign process is a green process for contract execution, when compared to a purple (fax) process. How do the two compare regarding security?

I was just reading Schneier on Security, a blog on security and security technology. According to Schneier, the security of a purple process is sorely lacking:

“It’s trivial to cut and paste — with real scissors and glue — anyone’s signature onto a document so that it’ll look real when faxed. There is so little security in fax signatures that it’s mind-boggling that anyone accepts them.”

In another post from his archives, Schneier commented on the story of a prisoner being freed from jail on the basis of a forged fax – a fax was sent to the jail, stating that a decision had been reached to release the prisoner immediately. Because faxes are treated as if they were original documents, people do accept fax signatures and do so all the time. However, faxes lack authentication mechanisms of original documents, such as letterheads, watermarks and signatures. We also have the issue of unsecured data within the fax process, such as exposed credit card numbers, personal contact information and other potentially sensitive data.

Security Considerations of a ‘wet’ Signature:

• Is unique to the signer, but each one may look slightly different
• May not be known by the recipient, so there is no certain way to rely on it
• Is subjective in that handwriting experts can indicate ‘likelihood’ that it belongs to a given individual, but it is often arguable
• Can be easily copied and used on other documents via “real scissors and glue”
• Does not ensure the underlying document has not been modified
• Has to be physically moved around, as in faxed

What if Security Were Highly Important to You?
DocuSign’s electronic signature and online contract execution process captures the identity of the party to the agreement, generally via an email address associated with the individual. DocuSign also captures the individual’s consent to use electronic signatures and adoption of a GUID/Symbol combination. This combination serves as the individual’s signature which can then be applied to an unalterable document with a unique envelope ID number. Combine the above with an audit log of the sending and signing process with a hash value to the actual image of the signed document, you have a process that would take more than cut-and-paste to fake. DocuSign can issue a digitally signed (sealed) electronic record of the transaction for true reproduction of the electronic version of the document. Eliminating the manual document handling eliminates data leakage via fax in the physical world.

Security Considerations of a DocuSign Signature:

• Both the visible and invisible aspects of the signature are completely unique to the signer and cannot be copied
• Arrives with evidence about the signer’s identity such as email, IP address, authentication information, time stamps, etc.
• Is not subjective, as experts can easily determine from the extensive audit log exactly who signed, when they signed, and where they signed on the document with evidence.
• Cannot be copied anymore than a picture of the Mona Lisa is the actual Mona Lisa
• Affirms the fact the underlying document has not been modified
• Does not have to be physically moved, as it is electronic

In our ‘mock trials’ the judge indicated that if a person wanted to commit fraud, the first thing they would do is to request a paper transaction because

How important is your and your customers' data?

Image courtesy of flickr user L.Marie under Creative Commons. v

 I am headed back from Enterprise 2.0 conference in Boston where I was on a panel to discuss Enterprise 2.0 and its growth. I knew my perspective from DocuSign was going to be a little different than some of the mainstream “Enterprise 2.0″ thinking. I was not talking about FaceBook.com for the enterprise or social networks where people can share ideas and thoughts. Interesting ideas in their own right, but not what we do.

Different because DocuSign is not a social network. We are very focused on streamlining the last step in business transactions that take place between people ? something we call “Contract Execution.” This means notification, contract distribution, managing data collection and obtaining signatures on contracts and forms electronically.

You see, despite all the development in CMS, EMS, and CRM, over the last decade, most businesses still take this last step using “paper,” like they have been for 4,000 years. They print out agreements, put “sign here” tabs on them, and physically move it from place to place so people can sign. Then they scan everything back in when done. There is no real control or visibility in this manual process.

In order to do this electronically we need to connect people together in a trust relationship that spans beyond the walls of the Enterprise. It requires a businesses to think about enabling their customers to be brought into the loop collaboratively, but with control and security.

This requires Enterprise 2.0 technology, thinking and really important ? Enterprise 2.0 PROCESS adoption. To automate this”contract execution phase,” DocuSign does not create a “social network.” Rather, our customers use DocuSign to quickly create and manage ‘transaction networks’ where people come together to authenticate and close deals online faster and more reliably that is possible with paper.

The Evolution into the Enterprise 2.0 e-Signature Processes

Let’s say I need us to sign a contract with three others to lease some equipment. In “pre-Web” days this was accomplished by using fax or overnight express: “When it absolutely positively has to be there overnight.” You would print, place sticky tabs, go to the FedEx box and wait. Then, you’d rekey, scan, and store paper. Ten day total turnaround. Not Web 1.0, not Web 2.0, just “planes, trains and automobiles.”

Then in 1990s we started using digital signature technology for signing. This was installed software that let us encrypt documents if we installed enough stuff on our systems. You buy your digital certificate, and convince me to buy one. Then digitally sign your document and email it to me. I’ll sign. Then perhaps you forward it to someone else – all still disconnected from each other, but now we are moving documents electronically, not via paper. What happened:

• It did not take off ? it was complex software to install, not user centered design
• It did not have central visibility or control
• PKI authentication has a single point of failure — its authentication model is a hub and spoke. You authenticate at the hub, and then everyone has to believe it is you. NOT the way authentication happens in the organic world. In the organic world we authenticate each other when and how we want depending on the circumstances ? mesh authentication ? no single point of failure. This is technology centric design, and was focused on the EVENT of signing, not the process.

Today, a new e-signing strategy has emerged. This new strategy is based on the fact that we are all on the same wire. This new strategy is a Web 2.0 approach ? it is different because the design focuses on the PEOPLE in the transaction and how they interact when transactions span enterprise boundaries, not just the servers. It focuses on managing the process, not just a single event. This Web 2.0 technology solving Enterprise business issues across the enterprise boundaries is characterized by the following:

• It is based on Web services ? no software to install, it lives in the cloud. And interestingly this function “signing” is best serviced from a neutral 3rd party and NOT behind a firewall.
• It values the user experience, recognizing that “usability drives use” ? mirroring the paper paradigm but going way beyond what is possible with paper.
• It values the process of bringing people together electronically to reach agreement on the same document ? put another way, it allows one to easily create a transaction network for an agreement, defining who is to sign, how they are to authenticate, and in what order ? then takes the steps to bring everyone together to agree no matter where in the world they are.
• It authenticates users organically ? by allowing senders to define how they want signers to authenticate on a case-case basis. No hub and spoke; mesh.
• It also remembers relationships between signers. So if I have signed with you before, the fact that I have a trust relationship established there is known, and I can choose to rely on it or expand it more.
• And very importantly for enterprise, there are dramatic positive business effects of using it. Doubled close rates, reduction in costs by 80%, and a core part of a green initiative. What’s more it engages customers partners into longer term relations.

This approach is USER centered design, and is focused on managing the PROCESS of interaction to reach agreement. So, DocuSign delivers a solution that leverages a number of Enterprise 2.0 examples:

• Open web service SOAP interface that uses XML to send, sign, control, and collect data during a contract execution process
• It creates “transaction networks” designed with the sole purpose of executing agreements by connecting people anywhere in the Web
• Highly customizable transactions can be created — by end users, not requiring IT Mesh Authentication – using different forms of authentication on a case – case basis
• Signers are given a secure storage account/view where they can aggregate their important contracts for free

So, DocuSign offers one type of “interactive network” –- one with a narrow focus to close transactions. I’d argue there is a spectrum with online “interactive networks,” ranging from Social Networking on one end of the spectrum to “transaction networks” on the other end.

Types of ‘interactive networks’ compared

So what is the biggest challenge? PROCESS THINKING. Just because you can now build a solution that includes your partners and suppliers in an interactive network to speed transactions does not mean that we are home free. In order for an enterprise to be ABLE to realize Enterprise 2.0 value they need to also embrace “Process 2.0″ also.

Below are some of the comparisons for process 1.0 and 2.0 when it comes to contract execution:

DocuSign can enable a complete end-end transaction from CRM through storage; across the enterprise. To take advantage of this, businesses need to think deeply about the whole process, not just a portion of it.  It does no good to automate most of the process, only to turn to paper half-way through -– it must transform the way it thinks about getting things done.

So, DocuSign gives an enterprise a solid set of reasons WHY they should construct interactive networks with their customers and suppliers to close transactions, and why they should care about Enterprise 2.0…the best reason of all ? Profitability. ]]> http://www.docusign.com/blog/2008/06/12/enterprise-20-something-besides-social-networking/feed/ 0 http://www.docusign.com/blog/2007/12/18/amazing-artificial-intelligence-in-docusign-pro-20/ http://www.docusign.com/blog/2007/12/18/amazing-artificial-intelligence-in-docusign-pro-20/#comments Wed, 19 Dec 2007 00:01:20 +0000 Tom Gonser http://blog.docusign.net/?p=250 Back in 1972, my Dad was an attorney. He used to dictate into a tape recorder, and later his secretary would present him with a contract ready to go, with an envelope and “sign here” tabs in place.  His assistant was performing the task of creating the document, and preparing it to be sent.  This let him focus on higher order tasks, and the assistant was very good at making sure the contracts were ready and error free. The Encyclopedia Britannica defines Artificial Intelligence (AI) as:

The ability of a digital or computer-controlled to perform tasks commonly associated with intelligent beings. The term is frequently applied to the project of developing systems endowed with the intellectual processes characteristic of humans, such as the ability to reason, discover meaning, generalize, or learn from past experience.

In essence, AI seeks to duplicate tasks that require a human being. When applied to preparing Documents for the signature process, AI might feel a little like my Dad’s assistant from 1972.

The new “Intelligent Document Recognition” (IDR) capability of DocuSign Pro 2.0 has been a very interesting foray into the application of AI to the task of preparing documents for signature – creating an “assistant” capable of preparing your documents for you.

As some know, DocuSign has a very powerful feature called “Signing Workflow Templates.” These templates describe the signing process that should be applied to a document. Signing Workflow Templates include everything about the signing workflow – who is to sign (buyer, seller), where they are to sign, initial, or provide data, how they should authenticate, what sequence should be followed, etc. They are incredibly powerful because they allow a sender of a document to have the benefit of standardizing on a workflow for signing by simply applying a template to a document when they go to send it. All the sender has to do is apply the right template. This gives the power of exact signature placement, with “one click” simplicity. The only challenge is selecting the proper template to apply.

Enter AI. (and the word “automagically”)

With the release of DocuSign Pro 2.0, these signing templates are automagically applied to documents on the fly, and these templates are created automagically on the fly. The system literally learns the documents you send for signature, where you place signatures, what sort of recipients you use, etc. Once it learns this, it automatically begins to place your “sign here” tabs, and prepares your documents for you…just like my Dad’s assistant in 1972.

The amazing part – how it works

The way IDR works is very similar to the way a human being decides which document is being presented. It ‘looks at it’. It literally does the same thing a human does –- it reads the first few sentences of the document, it looks for pictures and other tell-tale signs, and decides if it has seen it before. If it has, it knows exactly where to put your signature tabs, and what roles will be signing.

More amazing

DocuSign Pro 2.0 is even capable of “looking at pictures.” My favorite demo involves two documents that have nothing but pictures. Document One is a picture of a golf course, Document Two is a picture of the Columbia River. From a distance, a human could not tell the difference, DocuSign Pro’s “Document Assistant” can reliably differentiate the two images without a problem.

Even more amazing

Some “line of business applications” used by our customers actually create PDF documents on the fly which are actually composed of multiple documents. This poses a unique challenge – how to tell what documents are inside the single file, and then determining if any of these documents are recognized. Well, our Document Prep Assistant is able to do this as well. It literally recognizes that there are multiple documents inside one file, and can place signatures and assign roles to the documents inside properly –- no matter what order these documents may appear.

The experience of sending documents for signature using DocuSign Pro now feels a lot like you have your own assistant looking over your shoulder helping you work faster and work smarter.