There are several types of electronic signatures, with different levels of technical complexity and security. Naturally, we tend to go by default to the one with the highest level of security, even though it might be overkill for our needs and actually be counterproductive.
eIDAS (Electronic Identification, Authentication and Trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market, and it defines 3 types of electronic signatures:
- Simple Electronic Signatures*
- Advanced Electronic Signatures (AdES)
- Qualified Electronic Signatures (QES)
* “Simple” Electronic Signatures is a vernacular name that groups together all the electronic signatures that aren’t advanced or qualified. Even though it is used by the majority of electronic signature providers, eIDAS doesn’t really use this term. However, to keep this article easy to follow, we’ll use the term “simple signature” to designate the first of the 3 levels of electronic signature.
According to eIDAS, an electronic signature is “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”.
Ideally, it should:
- respect the ETSI (European Telecommunications Standards Institute) signature standards, along with the eIDAS regulation on electronic identification and trust services for electronic transactions in the European Single Market
- use electronic certification
- use an identity verification system
- have a way to prove that the document has not been edited after it was signed.
It is industry standard to sign documents electronically through a trusted provider who is also a certificate authority. You can find the full list of the qualified certificate authorities in Europe on the website of the European Commission.
The difference between the 3 types of signature is mainly the level of security that each type has, and the complexity of the signer identity verification system they each use. The strength of the signature thus lies in the degree of confidence it provides as to the identification of the signer and in the proof that the document is indeed the signed one.
However, is it always useful to ask your customers to use a system that requires several complex steps when a simple or advanced signature may already have an appropriate level of validity and security?
In order for you to not get lost, we will explain the differences between the three existing levels of electronic signature and their usefulness, which will obviously change depending on the type of document being signed.
Simple Electronic Signature
The simple electronic signature is currently the most widely used procedure. Today, the overwhelming majority of electronic signatures on the market are so-called "simple" because they are more suitable and facilitate rapid and fluid use. The simple electronic signature corresponds to the first level of security and legal recognition of a document’s signature.
Level of Security
There is no established list of requirements for this type of signature. You can therefore, in just 2 clicks and without any concrete process of identity verification or consent, have a document signed. In this case, it would be very easy for the signer to deny having signed it. Under this definition, a scanned signature or a basic digital signature, such as the one you make on the terminal of the delivery man who brings you your parcels for instance, are so-called simple signatures.
The simple electronic signature process can, however, be strengthened and acquire greater legal value if an extra authentication step is added, like the double authentication system that Yousign has, where an SMS code received by the signer is necessary to sign the document.
Similarly, while it isn’t mandatory to keep an audit trail with simple electronic signatures, it is clear that the creation and storage of one, as well as the number and quality of the pieces of evidence that will be gathered in this file, will provide a much higher level of credibility in case the contract is ever contested.
This audit trail file can be made up of elements such as the signer’s email address, his telephone number, the IP address of the computer used to sign the document, etc. The aim of this proof file is to give lawyers the ability to easily trace the different stages of a transaction step by step.
Even in the case of a simple electronic signature, Yousign creates a time-stamped audit trail file for each and every procedure containing a set of computer traces that will be stored for 10 years at a government-backed third party archivist called CDC Arkhineo, which is a subsidiary of the French Deposits and Consignments Fund.
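The sketch below is an added example, not Yousign's implementation or code from this article: it shows one way an audit trail can record each stage of a signing procedure with the elements listed above (email, telephone number, IP address, timestamp) while also making later edits to the document or to the trail detectable. The hash-chain design, the field names and the sample values are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry


def _digest(obj):
    # Canonical JSON so the same entry always hashes to the same value.
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def append_event(trail, stage, document, email, phone, ip, timestamp):
    """Record one stage of the signing procedure, bound to the document bytes."""
    body = {
        "stage": stage,
        "timestamp": timestamp,
        "signer_email": email,
        "signer_phone": phone,
        "ip": ip,
        "document_sha256": hashlib.sha256(document).hexdigest(),
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    trail.append({**body, "entry_hash": _digest(body)})


def verify(trail, document):
    """Return a list of problems; an empty list means nothing was altered."""
    problems, prev = [], GENESIS
    doc_hash = hashlib.sha256(document).hexdigest()
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: trail altered or reordered")
        if entry["document_sha256"] != doc_hash:
            problems.append(f"entry {i}: document differs from the one recorded")
        prev = entry["entry_hash"]
    return problems


def demo():
    doc = b"Constructed sample contract, version 1"  # constructed sample data
    stages = [("viewed", "2024-01-05T10:00:00Z"),
              ("sms_code_verified", "2024-01-05T10:01:10Z"),
              ("signed", "2024-01-05T10:01:30Z")]
    trail = []
    for stage, ts in stages:
        append_event(trail, stage, doc, "signer@example.org", "+33100000000", "192.0.2.10", ts)
    return trail, doc
```

A chain like this only proves integrity if the final entry_hash is held by a party other than the one storing the trail, which is the role a third-party archivist plays.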
Advanced Electronic Signature (AdES)
Advanced electronic signature, which is more secure, is recommended for large financial transactions or for signing documents that may present significant legal stakes.
Level of Security
As seen just before, the definition of a simple electronic signature is rather broad and open for interpretation. The advanced electronic signature, on the other hand, has to meet more stringent identity verification criteria and thus has a higher level of security as set out in the eIDAS Regulation.
Thus, an advanced electronic signature must:
- be uniquely and clearly linked to its signer
- enable the signer to be formally identified
- be created by means under the sole control of the signer, such as his or her telephone or personal computer
- ensure that the document to which it relates cannot be amended
This can be done through solutions such as the upload and live verification of the signer's ID, and its addition to the audit trail, as proposed by Yousign. Adding the signer’s proof of consent, such as a checkbox to show that the document is properly understood, or a text to be copied before signing, will further demonstrate, in the event of litigation, the signer’s willingness to sign the document. All these systems of identity verification and proof of consent can be combined to further reinforce the legal validity of the signature.
There is also an advanced signature procedure with qualified certificate that requires face-to-face verification (physically or remotely) of the identity of the signer and can be used in specific cases. It is the intermediate solution between the advanced signature and the qualified signature.
Qualified Electronic Signature (QES)
The qualified electronic signature is the most advanced stage of electronic signature security. It can be particularly burdensome and is only used in very specific cases where a qualified signature is absolutely required.
Level of Security
From a legal standpoint, there is a big step between qualified signatures and simple or advanced signatures. Qualified electronic signatures have precisely defined regulatory constraints in terms of how the identity of the signer is verified and how the signature key is protected. Their legal effect is equivalent to that of a handwritten signature, whereas the other levels of electronic signature have probative value. The qualified electronic signature is thus legally recognised in all the Member States of the European Union.
An electronic signature process is presumed to be reliable when it uses a qualified electronic signature issued by a certification authority. These certification authorities are controlled by the ICO (Information Commissioner's Office) in the United Kingdom and by equivalent bodies in each European country.
The qualified signature procedure uses the same security criteria as the advanced signature, but requires that the identity of the signer be validated beforehand and that the signature key be in a qualified electronic signature creation device (QSCD). Whereas previously identity verification required a physical meeting, it can now be performed remotely if certain conditions are met.
This can therefore be done during a physical meeting during which the signer will be given an identification method called a "token" (smart card, USB key, badge...), allowing the certification authority to validate his or her identity so that he or she can sign documents after entering a personal PIN code. This cryptographic key must be extremely well protected and reliable, and therefore logically must be stored in a safe place. It will have been verified and validated beforehand by the Information Commissioner's Office when the qualification of the device is given. The same key can often be used for up to 3 years.
An alternative to the delivery of a cryptographic key is the use of an HSM in the Cloud, allowing this operation to be carried out remotely with a two-factor authentication of the signer once the signature request is triggered, after a first initial physical face-to-face verification of identity.
Your choice of the type of electronic signature must therefore take both ease of use and security into account. A qualified signature procedure should only be implemented in specific cases, as this procedure is particularly complex. On the other hand, there is less nuance between simple and advanced signatures. It is therefore up to you to decide whether security takes precedence over user experience or whether a simple level of security is already more than sufficient.
We therefore advise you to choose by following this 3-step methodology:
- Analysis of the regulatory and legal context to identify the constraints and risks associated with the use of electronic signatures for your specific case.
- Analysis of other types of risks and opportunities: company image, impact in terms of productivity, financial stakes, etc.
- The choice of the level of electronic signature, reconciling user experience and security needs.
Yousign's team can advise and support you in finding the solution best suited to your company and your use of electronic signatures. You can contact them at firstname.lastname@example.org.