eID

Electronic signature is a broad term for any kind of signature in an electronic format. They are a legal way to get approval or consent on electronic documents or forms and can be considered as a replacement of a written signature. There are different levels of assurance among electronic signatures, which are most often differentiated into electronic and digital signatures.

Commonly, electronic signatures come with no level of assurance regarding the authenticity of the signer. For example, confirming the delivery of a parcel by signing on a device offered by the delivery service provider acknowledges that the parcel has been delivered, but does not provide any further authentication of the signature and hence the person who received the parcel.

A digital signature provides more advanced levels of assurance regarding the authenticity of the signer. The advanced levels of assurance are provided by so-called trusted service providers, who hold the license to issue electronic IDs/digital IDs.

When signing a document with an eID, higher levels of security are realized through fast and easy validation of a person’s identity, also ensuring that only the correct signer has access to the information provided and no one else.

It also provides evidence regarding the origin, identity and status of an electronic document or transaction and acknowledges an informed consent by the signer. Documents signed with an eID support the provision of proof that an electronic document or transaction was not forged or modified intentionally or unintentionally from the time it was signed. Tamper-sealed protection secures an audit trail of any potential changes made within an electronic document or transaction by adding electronic logs from the moment a document is created. This is done by a unique hash for the electronic document or transaction and encrypting it with the sender’s private key. If the electronic document or transaction has changed, the hash will change as well.

Verified complies with the eIDAS Regulation set by the European Union on electronic identification and trust services for electronic transactions in the European Single Market. The eIDAS Regulation’s intent is to enable convenient and secure electronic transactions across EU borders for citizens, businesses, and public sector institutions. Regulation (EU) No 910/2014 (eIDAS Regulation) went into force on 1 July, 2016, being mandatory and fully adopted in all EU member states, with precedent over any conflicting national laws.

eIDAS ensures that each form of electronic signature is admissible as evidence in EU courts and shall not be denied legal effect solely because it is in electronic form. However, the enforceability of an agreement made using electronic signatures is depending on the type of electronic signature used and its embedded evidence. A scanned image of a written signature is more likely to be challenged in court versus a qualified electronic signature meeting multiple EU technical standards and containing significant embedded signer information.

eIDAS differentiates four different levels of electronic signatures, of which level 1 (lowest level) is not in scope of the eIDAS regulation. We will focus on eIDAS assurance levels 2 till 4 in the following paragraphs.

Do you need to accept a delivery package? Check a digital box on a desktop screen? Scan a manually signed document? Then the basic electronic signature will suffice. This may either be a signature that’s manually put on a desktop screen (after which it’s digitally saved) or a click on an ‘I accept’ button.

Generally, this type of signature is mainly used in lower-value processes, as there is no foolproof way to confirm the identity of the signer. If someone would copy another person’s signature and put it on the document, it would be difficult to prove (or even discover) that. Using the basic electronic signature in legally valid documents could obviously pose an issue, depending on the process in place. Therefore, a signature on insurance, financial, or real estate documents, for example, should meet stricter requirements so it can be connected to the signer with (more) certainty.

According to eIDAS, at the basic level, an electronic signature can be defined as:

“Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.”

Taking this definition literally, you can sign a document simply by scanning your signature or ticking a box in a document opened on your device of choice. Technically, the data is in electronic form and attached to a file, but there are problems with this model which eIDAS is trying to address.

As you might already have guessed, this isn’t covering the purpose of signing a document at all. The document can still be tampered with, and a “signature” can easily be forged (i.e., we cannot be sure who ticked the box to confirm the terms and conditions were accepted). Simply put: Neither integrity nor authenticity of the document are guaranteed.

Under eIDAS, this is a type of electronic signature that must meet specific requirements providing a higher level of signer ID verification, security, and tamper-sealing. The main requirements are:

• Uniquely linked to the signer, enabling its identification
• The signer can use the signature creation data under their sole control with a high level of confidence
• Any subsequent changes in the signed data can be detectable

Using digital signatures that are applied with a digital certificate satisfies all of the above requirements. Digital certificates are obtained after a thorough verification of an individual’s identity by a trusted third party (e.g. certificate authority). Digital certificates, and their resulting signatures, are unique to the individual and virtually impossible to spoof, achieving the two requirements above.

Because the signatory is the sole holder of the private key which is used to apply the signature (see our article on Public Key Infrastructure to get an understanding of how public and private keypairs work), you can be assured that the signer is the person who they say they are. Finally, part of the signature verification process, which automatically occurs when a recipient opens the document, includes checking to see if any changes have been made to the document since it was signed.

This is the only electronic signature type to have special legal status in EU member states, being the legal equivalent of a written signature. It must meet advanced electronic signature requirements and be backed by a qualified certificate, meaning a certificate issued by a trust service provider that is on the EU Trusted List (ETL) and certified by an EU member state. The trust service provider must verify the identity of the signer and vouch for the authenticity of the resulting signature. Furthermore, the signature has been given by approved means like a qualified signature creation device.

The legal framework of the country you are operating in defines if there is a need for a qualified signature or if an advanced electronic signature is considered as legally binding. However, depending on the type of business you are in, a qualified electronic signature might be the right one to choose for you. For instance, any business that is exposed to a high risk of scam or fraud might consider having a more secure signing system implemented. This could be businesses operating in the financial, insurance, healthcare or telecommunications sector, as well as governmental institutions.

As explained above, electronic signatures are classified by the level of assurance they offer. Each of the three types of electronic signatures can be legally effective under eIDAS. A basic level of integrity is always guaranteed in the sense that content can’t be altered after signing the document. But the levels of security differ significantly, and if you ever need to prove to a court a signature is genuine and was intentionally put on a particular document, there’s a difference in the evidence you must provide.
‍

Verified offers the following integrations:

Native methods

• BankID, Sweden
• BankID, Norway
• FTN, Finland
• Email
• SMS OTP
• Touch Sign

Third party integrations & ID hubs

• Smart-ID, the Baltics
• Freja-ID, Sweden
• Passport reader, Global
• ID card, Belgium
• ID card, Serbia
• ID card, Lithuania
• ID card Latvia
• ID card Estonia
  ‍‍