From Ken…
When you do business electronically, you should anticipate the need to produce evidence that proves a given person signed a given electronic document on a given date. That means you should look at taking such steps as:

• Including authentication procedures to verify the identity of the signatory
• Maintaining evidence of the particular electronic document that was signed electronically
• Maintaining evidence of the electronic process that was followed in obtaining the electronic signature on the electronic document

In Prudential Insurance Company of America v Dukoff, the US District Court for the Eastern District of New York affirmed the importance of implementing clear electronic transaction procedures. Prudential initiated the action to void a life insurance policy issued on the life of the wife of the defendant and beneficiary on the basis of alleged misrepresentations in the application.

In response to Prudential’s complaint, defendant Dukoff and his wife’s estate filed a counterclaim for the full value of the policy, disputing the charge that it had been procured via fraud. The court was also called upon to consider a host of issues stemming directly from the fact that the application was submitted electronically via what the court called “a standard internet click-through process.”

The defendants argued that a box that was checked at the end of the electronic application process did not constitute a valid electronic signature under New York’s Electronic Signatures and Records Act (ESRA), and thus, Prudential was barred from challenging statements in the application to invalidate the contract.

While the court was unaware of any other court that had addressed the validity of electronic signatures for insurance documents under ESRA, in deference to holdings in advisory opinions by the New York Insurance Department, the court held that Prudential could challenge the statements if Prudential could reasonably identify the person who made them. The court then held that there was a triable issue of fact as to whether the final page of the application, which included personal information inputted by the applicant, sufficiently identified the person who signed the application.

The electronically filed application also raised evidentiary issues with regard to who actually submitted the application and when. According to the court, a computer printout produced by the plaintiff insurer shows the application was submitted on a date suggesting that Mrs. Dukoff did not submit the application. The court concluded, however, that the plaintiff insurer did not offer sufficient evidence to establish that this printout accurately reflects the date of submission.

Considerations When Choosing an Electronic Signature Vendor

Given that you may need to provide evidence that a given person signed a given electronic document on a given day, you should understand your electronic signature provider’s authentication services, the electronic signature capture process and subsequent documentation and the value of selecting a neutral third party provider.

Authentication

DocuSign provides an integrated authentication system that works with the electronic signature process to ensure any level of authentication can be provider and that the authentication provides positive identification of the person signing, NOT the equipment.

DocuSign’s authentication process is designed and architected with no single point of authentication failure. Authentication can be required each time a signer reviews and signs a document, if requested. One authentication session for a document from company “A” does not mean company “B” must rely on that authentication, as is the case with PKI digital certificates.

DocuSign’s Authentication Systems

1. Email Authentication: validates a person’s email address and access to that email address.
2. Access Code Authentication: validates a person’s ability to provide a shared secret or passphrase.
3. ID Check: validates a person’s knowledge based on a knowledge-based authentication process provided by RSA.
4. OFAC Checking: validates whether a person’s name is on the Specially Designated Nationals List administered by the Office of Foreign Assets Control.
5. Age Verification: validates a person’s age is correct as entered.
6. Federated Authentication: accepts and records authentication by another system when integrated with DocuSign. This can be any form.
7. Two Factor Biometric Authentication: validates a person’s phone number and access to that phone number. This authentication process also records a voiceprint of the signer.

Additionally, DocuSign’s authentication system supports a workflow of authentication for integrated customers, enabling decision-making during the authentication process. DocuSign also collects the IP addresses of all users and time stamps all activity into the encrypted, tamper-proof audit trail along with all the authentication results.

The DocuSign Electronic Signing Process

Visible Elements of a DocuSign Electronic Signature:

1. Script Signature Name: The script-written name generated in the DocuSign system by the document signer has legal significance, as the signer is required to agree that the script signature will have the same legal effect as his or her handwritten signature.
2. “DocuSigned By:” Box: Every electronic signature is bordered by a signature block that contains a portion of the signer’s Globally Unique Identifier (GUID) A GUID is a 128-bit number in hexadecimal form, such as { 3F2504E0-4F89-11D3-9A0C-0305E82C3301}, which is created for the signer by DocuSign. This partially visible GUID conceals the full ID.

Invisible Elements of a DocuSign electronic signature:

1. GUID: Each person in the DocuSign system has a unique GUID, a pseudo-random number used in software applications. Each GUID is “mathematically guaranteed” to be unique, based on the principle that the total number of unique keys is so large that the possibility of the same number being generated twice is virtually zero. The full GUID is associated with a user upon authentication and electronic signature creation. The signer – electronic signature association is managed by DocuSign, encrypted and hashed to ensure that it cannot be modified. The hashing process entails the application of an algorithm to the GUID to create a digital representation of the GUID, resulting in a “hash value.” Any change in the underlying document would produce a different hash value, which would be evidence of tampering.
2. Hash of Signature: The entire signature element is stored in the DocuSign system in secure (hashed) format.
3. Signer Certificate: The data structure of the DocuSign system links a signer’s attributes, GUID and signature stamp to ensure that only that particular person ever has access to use that particular electronic signature.

The visible and invisible elements work together to link the person, document and electronic signature in an auditable system. Copying or duplicating only the visible elements of the electronic signature does not compromise the signer’s identity because only the invisible elements are solely under the electronic signature owner’s control.

Due to DocuSign’s strict adherence to the authentication and electronic signature process, which includes the signer’s involvement in creating and placing his or her electronic signature in specified locations on documents, DocuSign enables the most familiar and enforceable process for signers. For more information, take a look at the Electronic Signature Vendor Checklist.

Technology partners, DocuSign and Authentify, today announced that DocuSign has integrated Authentify’s automated phone call and voice capture authentication process into the DocuSign electronic document signature service. This authentication option is available now with the DocuSign Spring ’10 release.

According to Tom Gonser, DocuSign founder and chief strategy officer, the addition of the two-factor biometric telephone and voice authentication process further strengthens the signature and audit trail without adding complexity to the eSignature process:

All the recipient needs to do is answer the phone call and follow a simple instruction on the computer screen. It’s a very natural extension of our electronic signature process. The synchronization of the Web and telephony process requires users to interact simultaneously during the signing engagement. The entire transaction is documented, including captured authentication data during each stage until completed. The end result is a transaction backed by a solid, defensible audit trail.

The DocuSign telephone biometric authentication process is a flexible solution that is fully integrated into its eSignature platform. This optional DocuSign feature is sender and signer friendly, and available at a nominal charge. DocuSign users prepare documents for signature in the online DocuSign Console, click on Authentication and enter the recipient’s phone number. When the recipient e-signs the document using DocuSign, the process triggers an automated telephone call powered by Authentify to the specified recipient phone number, collects a spoken consent and builds a biometric authentication record for ironclad non-repudiation of the signature. The biometric voice print can be used much like a fingerprint in the event of a challenge.

Peter Tapling, president and CEO of Authentify, comments:

Authentify makes millions of secure phone calls on behalf of our clients and captures the audit trail from both our servers and the telephone network. We can create a digital record of a signature with a voice recording to prove, without question, its authenticity.

The optional Authentify biometric authentication option is now available with the release of DocuSign Spring ’10. Find details on new eSign features by clicking through to the DocuSign Web site.

How do you know your data is secure?

We provide a robust electronic signature system with several tiers of security. DocuSign has also passed multiple Fourtune 500 information security audits.

Our data centers are hardened and comply with the strictest standards, surpassing industry standards. We actually run two separate data centers – one in Seattle and one in Chicago, hosted by Savvis, a worldwide infrastructure provider.

Our data center security measures include:

• On-premise security guards
• Impenetrable building exterior with no signage, false entrances and vehicle blockades
• Biometric key-lock access, including palm scanners
• Security cameras with digital recorders and pan-tilt-zoom (PTZ) capabilities
• Security portals that allow authentication for only one person at a time

How do you know who signed?

In terms of signer authentication, DocuSign supports the following authentication methods:

• Email – validate and record the signer had access to a known email address
• Access code – A PIN or Password that is provided to each signer to access the document in order to sign
• ID Check – a Knowledge Based Authentication (KBA) process provided through DocuSign from RSA. This presents a set of questions only the signer could know.

In addition, we offer many other tools – OFAC, Age Verification, and STAN PIN for student lenders. It is not required that you add additional layers of signer authentication to your process, but if you need it, we’ve made additional layers of signer authentication available.

Each document deposited into the DocuSign system is individually encrypted with government standard encryption algorithms (AES 256 bit), and a digital fingerprint is created. Every time the document is accessed, it is analyzed to be certain it has not been tampered or modified. We also capture all aspects of signing in the audit trail, including email, IP address used, and exact time of signing. Any authentication methods requested are also captured.

All of this goes on behind the scenes, so you get the benefit of the most secure processing and handling, with the easiest and most familiar signing interface available. You get nothing like this from any other service or process on the market, so choose DocuSign as your electronic signature service provider for security and peace of mind.

Reasons To Choose DocuSign
Among the top reasons to choose DocuSign for your Real Estate ESIGN provider is that NAR has named DocuSign the official and exclusive provider of eSign services through the NAR Member Benefits® Program!  This recognizes DocuSign as the best service for the complexities of Real Estate transactions.  What’s more, if you sign up for the DocuSign REALTOR® Edition, you’ll get the option to adopt an exclusive REALTOR® branded e-Signature, an intuitive, secure REALTOR® branded dashboard, with real-time document status updates, REALTOR® branded email communications templates, and a 20% savings over standard DocuSign rates on both editions – DocuSign REALTOR® Basic and DocuSign REALTOR® Standard.

In addition to DocuSign’s relationship with NAR, we also enable you to get your life back – you’ll no longer have to chase faxes, missed initials or signatures!

Personal Touch
Electronic signature from DocuSign doesn’t mean that you’re giving up the personal touch.  For busy buyers and sellers, using DocuSign’s electronic signature services demonstrates that you’re sensitive to their schedules. DocuSign also has an in-person signing feature, so that you can meet up with your clients, get their signatures and keep it in the DocuSign system. This eliminates the need to scan and upload!

DocuSign lets you focus on your most important value to your clients – the expert in Real Estate. Your knowledge of your area, the tools for the job, and the personal attention you provide are FAR MORE IMPORTANT than your role as a paper clerk!  Cut out the paper and focus on what you do best – you as the expert.

DocuSign Brings eSignature to your Mobile
DocuSign has “Designed for Mobile” functionality to allow anyone to sign on their phone in an interface specifically designed for smaller screens. There is no app to download, it runs in your mobile browser, and it works with Apple iPhone, Windows Mobile, Google Android and RIM Blackberry. It also enables your signers to eSign from the kids’ soccer game, in line at the grocery store, while pumping gas… anywhere they have access to their mobile email!

For those who DO have an iPhone, there is a really nifty application out there that allows you to do even more – review status, and even send from templates.  Yup, there’s an app for that.

DocuSign vs Tablet Screen
DocuSign can work on a PC, laptop or Tablet PC on both Windows and Mac. Did you know that if you want your handwritten signature to be your DocuSign signature, you can upload your custom signature?

With DocuSign, you don’t have to be face to face as you would need to be when capturing a digital signature via a tablet screen. This feature is very convenient when your signers are busy, traveling, or simply across town from each other!

Scan and Email vs DocuSign
It is possible to scan and email a document, but this process lacks the audit trail, encryption, and ESIGN compliant features that keeps your transactions safe and secure. Scanning a signature and emailing it takes more time and technology (scanners, etc) and has less legal evidence of who signed, etc.

With DocuSign, you’ll get an eSignature service that is ESIGN compliant as well as a Certificate of Completion and complete audit trail for each document, ESIGN Consumer Consent Manager, and integrated signer authentication. DocuSign is browser-based for Mac, PC & mobile devices and the only requirement is Internet connectivity.

DocuSign also provides reporting, custom storage folder structures, search and sort envelopes, and automated reminders/expirations, providing you with the utmost visibility into your transactions and saving you time from not having to print and scan!

Signer’s Learning Curve
DocuSign is incredibly easy for signers. All they have to do is log into their email, read the message, and click the link. Once they’re in the system, they simply have to check the ESIGN Consumer Consent, adopt a signature, and click the yellow stick-e-tabs to eSign or initial, placing their signature and initials wherever you instruct them in the document.

Once all the stick-e-tabs are clicked, they simply have to click the complete signing button.

Templates
Templates are available to new and recent subscribers with DocuSign Standard. You also have access to templates if you’re on the older DocuSign Professional Advanced plan. If you’re using DocuSign Basic or DocuSign Professional, you can always upgrade to DocuSign Standard if you want template functionality.

Templates allow you to place ALL the signature, initials, and other tabs for ALL your signers with ONLY ONE CLICK!  Yes, once you use templates you will never go back!  DocuSign is the ONLY service available that can automatically place tabs on all your documents automatically, no matter what documents you load.  (Probably one of the reasons NAR chose this service as the standard)

Banks, FHA and DocuSign

DocuSign has been working with the banks and FHA to get written documentation in place to enable the acceptance of electronic signature in real estate transactions.

Ken Moyle, DocuSign’s Chief Legal Officer, has written a blog post about the FHA and Electronic Signature Acceptance – the bottom line is that FHA does accept eSignature!

Identity theft, Security
How do you know who signed?  DocuSign provides a robust system with several tiers of security.  First, our data centers are hardened and comply with the strictest standards.  We actually run two separate data centers – one in Seattle and one in Chicago, hosted by Savvis, a worldwide infrastructure provider. In terms of signer authentication, DocuSign supports the following authentication methods:

1. Email – validate and record the signer had access to a known email address
2. Access code – A PIN or Password that is provided to each signer to access the document in order to sign
3. ID Check – a Knowledge Based Authentication (KBA) process provided through DocuSign from RSA.  This presents a set of questions only the signer could know.

In addition, we offer many other tools – OFAC, Age Verification, and STAN PIN for student lenders.   It is not required that you add additional layers of signer authentication to your process, but if you need it, it is there.

Each document deposited into the DocuSign system is individually encrypted with government standard encryption algorithms (AES 256 bit), and a digital fingerprint is created.   Every time the document is accessed, it is analyzed to be certain it has not been tampered or modified.  We also capture all aspects of signing in the audit trail, including email, IP address used, and exact time of signing. Any authentication methods requested are also captured.

All of this goes on behind the scenes, so you get the benefit of the most secure processing and handling, with the easiest and most familiar signing interface available. You get nothing like this from any other service or process on the market.

Other Questions about Using DocuSign’s eSignature Services
Can the other agent’s clients also sign or is just on your side?  If not, how does the other party sign and return?
This is a great question, and it has a few answers, all in the positive.  Yes, both sides can sign using DocuSign.  It depends on the situation:

A)   The other agent has DocuSign, and you don’t know the other agent’s signers.  – Simply tag up the document for your signers, add the other agent as a ‘CC’, and they will get a copy as soon as your signers complete signing.  The other agent can then also use the ‘Forward’ tool, and place tabs for their signers, and complete the transaction, adding you as the final ‘CC’.

B)   The other agent has DocuSign and you DO know the other agent’s signers – Simply tag up the document for all signers.  Put the other agent in sequenced AFTER your signers, and BEFORE the other signers so they can review it. Everyone gets a copy when the transaction is complete.

C)   The other agent does not use DocuSign – Simply tag up the document, get your signers to sign, and when done email (or forward) the signed document to the other agent. They can print it out and sign on paper.  Combined ESIGN and hand signed documents are fine.

I’m assuming the buyers/sellers sign then fax it to the system which puts it into the system in the sky making it available for you to obtain then resend via email?
No faxes required. Save your time and save a tree with DocuSign. Once you’ve set up a document for signature in the DocuSign system, DocuSign will send an email notification to your buyer / seller, notifying them that you have requested their signature via DocuSign.

They click the link which pops open a secure browser. They click on a consent notification, agreeing to do business electronically as well as adopt an electronic signature. Once they’ve signed and initialed where you’ve indicated with DocuSign’s stick-e-tabs and clicked the complete signing button, DocuSign will notify you that your signer has completed the signing process.

You can log into DocuSign and download a copy for your records. If you have DocuSign standard, you can set up DocuSign to automatically forward completed documents to the other agent on the transaction!

Thanks again for the questions and comments – if you have any further questions, please let me know!

Because both authentication and signing are important, and different, DocuSign makes an important distinction between the two. In DocuSign, they are tied together into the overall transaction or ceremony of agreement.

DocuSign’s secure authentication model enables you to leverage several different authentication tools for both prior and post authentication modes. DocuSign addresses two general signing scenarios – “remote” signing over the internet and “in-person” signing where the signer is present. DocuSign also provides several layers of authentication that are improvements over typical business practices.

DocuSign’s Authentication Options

DocuSign provides an integrated authentication system that works with the electronic signature process to ensure any level of authentication can be provided and that the authentication provides positive identification of the person signing. 

The DocuSign authentication process is designed and architected with no single point of authentication failure. Authentication can be required each time a signer reviews and signs a document, if requested. One authentication session for a document from company “A” does not mean that company “B” must rely on that authentication, as is the case with PKI digital certificates. 

The DocuSign secure authentication system provides several levels and tools integrated into the system:

1. Email authentication: validates a person’s email address and access to that email address.

2. Access code authentication: validates the person’s ability to provide a shared secret or passphrase.

3. ID check: validates a person’s knowledge based on a knowledge-based authentication process provided by RSA.

4. OFAC checking: validates whether a person’s name is on the Specially Designated Nationals List administered by the Office of Foreign Assets Control.

5. Age verification: validates a person’s age is correct as entered.

6. STAN PIN system: validates the person’s Student Authentication Network as entered.

7. Federated authentication: accepts and records authentication by another system when integrated with DocuSign. This can be any form.

The DocuSign secure authentication system supports a workflow of authentication for integrated customers, enabling decision-making during the authentication process. For example, if a person’s age verification results in an age older than 18 years, then the authentication process will also include knowledge-based authentication or if the age is 18 years or younger then the authentication process will also include the Federal STAN PIN system.

In addition to these prior authentication tools, DocuSign collects IP addresses of all the users and time stamps all activity into the audit trail along with all the authentication results.

In-Person Signing

If your signing process takes place in person, consider what authentication steps you require. Depending on your business, you may do one of the following:

1. No authentication other than accepting a signature. The vast majority of processes happen this way. The signer appears, signs a contract and it is considered good. In this case, you don’t have an electronic authentication process is really nothing. Simply have the signer appear in person and sign. No need to use additional authentication.

2. Identification before signing. In some cases, the signer is required to produce a valid drivers license or other form of picture ID for the person hosting the transaction to identify the signer.

3. Notarization. This is the most stringent form of in-person authentication and it is used in only very sensitive situations.

Using DocuSign, it is possible to sign in person by selecting the recipient type as “In-Person Signer.” Once this is selected for a recipient, the system asks for a signing host and depending on the business process defined will require whatever credential is typically used. One example is using a drivers license for authentication. 

DocuSign’s In-Person Signing process is a witnessed signing with credential collection support. Once the signer is authenticated by the witness, he or she may electronically sign on the local computer. Once done, the witness must re-apply his or her signature to record he or she was present for the whole signing. In addition to the local credential collection, the signer may also be requested to process a knowledge-based authentication or a shared secret for multi-layer authentication. Therefore, this can be either a prior or post authentication mode authentication process. 

Remote Signing

The most common form of electronic signing with DocuSign is remote signing. The signer receives an email that he or she has a document to sign. This remote signing process uses at least email authentication and the sender may elect to use additional layers of authentication for more sensitive transactions. 

In situations where the signing process is embedded into another portal or website, that portal’s authentication can be passed along when signing starts, and used as the only authentication process or supplemented by the authentication tools DocuSign provides.

In all cases, the signer’s authentication is recorded in the DocuSign Audit Log and the DocuSign Certificate of Signing regardless of how the person signed – in-person, remote, or embedded. The Audit Log and Certificate of Signing are encrypted and tamper-proof.

When considering your signer authentication strategy, you should evaluate your current processes and risks. Then establish any increased or decreased risks that might be present by transitioning from a paper process to an electronic one. Once you have this understanding, you can establish the policies and authentication procedures you should use with your electronic signature service. 

Online Authentication

Online authentication models typically focus on Prior Authentication models, identifying the user before allowing access. The three general categories, or factors of authentication:

1. Something you know: password or token value
2. Something you have: access card, cell phone or key fob
3. Something you are / do: fingerprint, rentinal scan or voice pattern

To raise the level of authentication assurance, companies can require authentication from more than one category, or “two-factor” authentication. One example is a password used with an access card. Using two passwords would not be two-factor authentication, but rather, “multi-factor” authentication. Two-factor authentication is more effective than multi-factor authentication at raising authentication assurance.

The Federal Financial Institutions Examination Council (FFIEC) prescribes an authentication standard, defined as multi-factor authentication, required for many financial transactions. The FFIEC, an interagency body of the U.S. government, works with the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration and many others.

Systems such as installed digital certificates, machine addresses and network adapter card addresses provide system authentication. This identifies a machine, not a person.

Identifying a Person Online

Ideally, online authentication identifies the person, not the equipment. Other methods of authentication are more effective as indicators of identity than relying on the relationship of the equipment to people. It may not be reasonable to (a) expect any person to have a particular piece of equipment; (b) for a particular piece of equipment to be used only by a particular person. Requiring specific software, certificates, or hardware for authentication purposes will hamper the adoption of the underlying solution and the success of authentication for a broad group of people. Several online authentication levels, in order of increasing security:

1. Self-Authentication: Lowest authentication level that relies on customers authenticating themselves, such as a simple registration that does not validate anything. Many services that allow a user to “self provision” a certification are self-authenticating. There is no Prior Authentication at all; to improve the authentication assurance, validate by an email receipt.

2. Email Authentication: Prior authentication that requires a user to prove access to an email address. Because email accounts can be set up without authentication, this is a very light form of authentication. Some email authentication systems reject a list of “free” email service providers such as Gmail, Yahoo, and others and allow only corporate email systems to be used. This increases the security of this method. Email authentication is a weak form of third party or system validation and prior authentication.

3. Shared Secret / Passphrase: Recipients must know or be given information to use for transaction access. The customer should receive the secret “out of band” from other communications methods used to deliver the transactions. For example, if you send the customer a link to a document via email, you should send the shared secret or passphrase by phone or any method BUT email. This authentication method is a Prior Authentication mode.

4. Knowledge Based Authentication (KBA): A third party data provider can generate a set of questions that only the individual would be able to answer. Common types of questions relate to prior addresses, phone numbers, and relative names. This popular form of authentication works in real time; generates dynamic questions and possible answers; includes questions with more than one, or no, correct answers; and does not require possession of a specific device. These reasons make it difficult for someone to pass another’s knowledge-based authentication questionnaire and makes KBA a very strong Prior Authentication mode.

5. Phone Based Authentication: This relies on a person being available to use a known wireless phone or wired phone number. When used with a password, a phone based authentication method qualifies as two-factor authentication, via the “what you know” and “what you have” categories. Phone authentication works by requesting the customer enter in a code in a web session provided via phone call to the known phone number, or by sending a code to a wireless phone. Depending on its use, phone authentication may be a Prior or Post Authentication mode.

6. Digitized Signature: Collecting a digital representation of someone’s handwriting (such as when you “sign” for purchases when using credit / debit card) does not qualify as a Prior Authentication because it is not compared to earlier, known samples. It does provide a good source for Post Authentication if there is a problem. While digital signature pads can also capture motion and pressure, without a previously recorded “known good” sample, it is not Prior Authentication.

7. Software or Service Based Private Key Infrastructure (PKI): Using a public and private key and a trusted certificate authority (CA), a system can be set up to validate a private key held by a customer. The customer can apply this key to verify his or her identity. These PKI “certificates” may exist on the signers’ PC or in an online account in some instances. Several challenges with PKI have prevented broad adoption:

Level of PKI Required: Five classes of certificates intended for different uses.
Challenge of Obtaining PKI Certificate: Some may be easy to obtain or may require additional effort to obtain. A self-provisioned certificate is easy to obtain, but provides only minimal assurance of authentication. Increasing authentication assurance requires additional provisioning steps, such as a notarized transaction, physical presence, or payment to obtain a certificate. PKI certificate adoption in the U.S. has been limited due to these issues.

Certificate Control: PKI certificates are installed onto computers or key fobs. With loss or compromise, this is a single point of authentication failure. Once someone has a PKI certificate, how can you ensure that the intended user and only that user will protect and control that certificate?

Digital Signature Details and Authenticity: Customers must have software that can process the signature to apply the digital signature to a record. Typically, this means limiting the user to a few document formats, such as Microsoft Word or PDF and also creates significant overhead in complexity. For example, the software used to view the document’s content and digital signature must be aware of and trust the certificate authority for the signature to be shown as valid.

PKI is a prior authentication process.

8. Hardware-based PKI: Hardware-based PKI is similar to software certificate PKI, but is installed on a small piece of computer hardware, such as a USB token. Carried by the authenticated user, these are password protected. Hardware PKI has the same issues as software PKI.

9. Biometric Authentication: This requires recognition of someone’s physical attribute to authenticate. Examples of physical attributes used in biometric authentication include fingerprint, iris, voice, face and palm. As with Digitized Signature, the challenge with Biometric Authentication is the need of a “known good” starting point from which to compare later access attempts. While this is the strongest form of authentication, it is also the most cumbersom because the customer typically needs a hardware device as well as a prior known good sample. Biometric authentication is a prior authentication mode.

For practical reasons, any authentication mode that requires the customer to have software, certificates or hardware should be avoided. They are better suited for internal processes, where the business controls access points and employees.

So how does authentication and electronic signature fit together? We’ll explore electronic signature in the next and final post of this series.

When I try to ‘sign,’ either the pad is slippery, or the surface so scratched, I cannot get anything to look remotely like my signature.  That does not appear to matter! 

Apparently, that scratched up signing device isn’t connected to anything that remotely protects my identity. Nothing is ‘validating’ my signature at all – this e-signature process is a total waste of time.

Digital Signature from Tom Gonser

The digital signatures above are actual signatures I provided when checking out!  NEITHER of these looks like my signature and they don’t even look like each other!  How exactly does this prevent signature theft and fraud?

Here at DocuSign, we take signatures more seriously. Our electronic signature process involves creating a customized signature, and adopting it for use online.  Then when you want to sign using YOUR signature, the sender can elect to require several different levels of authentication, thus connecting your electronic signature to YOU. The right authentication level depends on the document and risk.

Like their paper counterparts, however, electronic records pose authenticity challenges when they are copied onto a paper medium.

For example, when a paper copy of a paper-based transaction is submitted, one assumes that the copy is a photographic reproduction of the original document as executed by the parties. Reliance on that copy is based on many factors, including the presumption that risk of repudiation of the transaction is mitigated because parties have hand signed. While these are merely copies of handwritten signatures and the original signatures may not have been verified that the named parties were indeed the individuals who signed the original document, lenders, underwriters and government agencies have generally accepted these copies as providing adequate evidence of authenticity to mitigate the risk of fraud or repudiation. If necessary to enforce the underlying transaction, the original paper document can be found and the handwritten signatures can be verified through handwriting analysis.

With a paper copy of an electronic record, more may be required to support the initial assumption that the copy is a reliable reproduction of the original document. The two reasons for this are:

First, unlike a photocopy of a paper document, the version of an electronic record that is reduced to paper may not look anything like the record that was signed electronically.

Second, and more importantly, the visual representation of a signing party’s electronic signature on a paper rendering, if present at all, may not be adequate by itself to affirmatively identify it as an actual signature. It may be a stamp or seal, a mark or border, or just a notation. Each of these symbols or marks indicates that the document has been signed using an electronic process, but the symbols do not themselves constitute the electronic signatures.

Since the adoption of the signature and association of the signature with the record (along with consent and authentication) have all occurred electronically, an extra step is required to bring some evidence of the electronic signature process into the paper record so that it can be relied upon to the same extent that an image of a handwritten signature on a paper document can be.

DocuSign accomplishes this important step by capturing, retaining and reproducing the essential elements of the signing process.

The DocuSign system:

• Captures the party’s identity, his consent to use electronic signatures, adoption of a GUID/Symbol combination as a signature, and his application of that signature to an unalterable document with a unique envelope ID number.
• Retains an audit log of the sending and signing process and retains a hash value for the actual image of the signed document.
• Can reproduce the document as it was presented to and signed by the parties, test the hash value against contested versions or images, and furnish a certificate of completion with an audit log of the transaction.
• Attest to the systemic treatment of all signers using the system. In other words, no party can sign a document without going through the process defined by DocuSign’s closed system.
• Can issue a digitally signed (sealed) electronic record of the transaction for true reproduction of the electronic version of the document.

Thus far, all cases of attempted repudiation of a DocuSigned contract have been defeated, simply by presenting to the signer the evidence of their participation in the transaction.

The “Best Evidence Rule” provides that in order to prove the content of a writing, the original writing is required. An “original” is defined as the writing itself or any counterpart intended to have the same effect by a person executing or issuing it. If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an original.

The Federal Rules require that all documentary evidence be presented in admissible form, including that the evidence must be properly identified and authenticated. The party seeking to introduce an electronic record into evidence must present declarations or other evidence showing that the document is what it is purported to be. Authentication may require evidence proving the genuineness of signatures or a declaration from the document’s custodian laying a foundation for admissibility. Genuineness is provable based on the character of the signature, and the elements of character will be established by the facts surrounding the signature event.

In the case of an electronic signature, then, it is important to demonstrate to the satisfaction of the finder of fact that (a) the appropriate level and amount of information surrounding the signing process was retained, and (b) the system used to retain the information is itself reliable.

Additional requirements arise in a situation where two substantively different documents purport to genuine. The finders of fact will seek to determine the identity of the true “original” document. In the paper/ink world, this would be accomplished in part by expert testimony about the handwriting, paper and/or ink when comparing the two documents. Where the documents are electronic, the proof will lie in the logs, timestamps, encryption/hashing, etc. associated with the creation and storage of the document and signature(s).

Further, chain of custody will be critical for persuasive argument that the document introduced is the true original, or a true copy thereof. If the current custodian is also a party to the litigation, there will be higher burden on that party to demonstrate that the document has not been altered. Any proof offered must relate specifically to the record whose veracity is at issue. However, where a secure, third-party electronic signature system is used to create and store the electronic record, the burden on the defending party is reduced substantially, often allowing the party to merely demonstrate that the system can reliably produce a verifiable copy of the original signed document.

The factors to consider include, at a minimum: fulfillment of the original writing requirement, presentation in admissible form, retention of appropriate information regarding the signing process, and reliability of the system used to retain the information. Of course, specific relationships with third party providers and/or vendors, if applicable, will change the burden on the challenging party.

DocuSign’s electronic signature and electronic contract execution solution is one of the few that addresses all of the above. Before signing the document which fulfills the original writing requirement, DocuSign includes an authentication process that satisfies the presentation in admissible form requirement. DocuSign also retains logs regarding the signing process and custody of documents throughout the electronic contract execution process, reducing the burden on the defending party.