Digital Signatures for online customers, clients, and other external signers

By Larry Kluger posted 04-10-2014 08:37


In my last column, I discussed how your customers, clients, and similar signers can sign documents in the presence of your staff member. A key part of the process is authenticating the signer. When your staff member and the signer are together, it’s easy for your staffer to ask for ID. But what if the signer is not present, if they’re online? No problem, Bunky!


First, your staff should still authenticate the signer, either in person or through a series of questions that only the signer will know the answer to. For example, it is now common for banks to authenticate telephone callers by asking a series of questions. To improve the quality of the authentication, the bank employee has some discretion with the type and number of questions they ask. This authentication only has to be done once, at account signup, or when the information changes (when the customer gets a new phone number).

Signers can also be automatically authenticated by using online services which ask a series of questions from the signer’s credit record such as make of car, prior addresses, etc. Or you can authenticate someone by using the postal mail to send them a password.

Online signing

Once you’ve authenticated someone as being who they say they are, how can they actually sign a document online? Different techniques are available. Which one you choose depends on your budget, and the level of fraud protection and non-repudiation that you need. Non-repudiation is your assurance that someone who signed a document cannot later claim that they didn’t.

Some signature services rely on the idea (or hope) that a specific email account is only accessible to one person, the signer. But it is common for email accounts to be shared, and unfortunately they can also be broken into.

A better approach is to use two different paths to send the signing authorization to the intended signer, e.g., send an email and an SMS text message. And by using one-time passwords, we can be sure that the password cannot be used again or later discovered by the wrong person. Text-to-speech services can be used to call people who don’t have SMS capability.

Next, the remote signer is sent the signing information by two different paths: a signing link by email and a one-time password by SMS.

The remote signer uses the information to digitally sign the document or data via a web site. As part of the process, a digital signing certificate is created for the signer, and then deleted after the document is signed.

The result: a document digitally and remotely signed by your authenticated customer or client.
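The two-path authorization described above, sketched as an added example (it is not code from this column or from any signing product): a random link token travels by email, a six-digit one-time password travels by SMS, and signing is allowed only when both are presented together. The class name, the ten-minute lifetime, the three-guess limit, and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600   # assumed lifetime of a signing authorization
MAX_ATTEMPTS = 3        # assumed number of OTP guesses allowed per link

class SigningAuthorizations:
    """Hypothetical in-memory store of pending signing requests."""

    def __init__(self, clock=time.time):
        self._pending = {}
        self._clock = clock

    def issue(self, document_id):
        """Return (link_token, otp): token goes in the emailed link, OTP by SMS."""
        link_token = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10**6):06d}"
        # Only hashes are stored, so a leaked store reveals neither secret.
        self._pending[self._key(link_token)] = {
            "document_id": document_id,
            "otp_hash": self._otp_hash(link_token, otp),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return link_token, otp

    def redeem(self, link_token, otp):
        """Return the document id if both paths match, else None."""
        key = self._key(link_token)
        rec = self._pending.get(key)
        if rec is None:
            return None
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[key]          # expired or too many guesses
            return None
        rec["attempts"] += 1
        if not hmac.compare_digest(rec["otp_hash"], self._otp_hash(link_token, otp)):
            return None
        del self._pending[key]              # one-time: a success cannot be replayed
        return rec["document_id"]

    @staticmethod
    def _key(link_token):
        return hashlib.sha256(link_token.encode()).hexdigest()

    @staticmethod
    def _otp_hash(link_token, otp):
        # The link token doubles as the salt for the short OTP.
        return hashlib.pbkdf2_hmac("sha256", otp.encode(), link_token.encode(), 100_000)
```

Someone who controls only the email account holds the link but cannot pass the OTP check, and someone who sees only the SMS has a code with no link to use it on.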
