Electronic signatures enjoy full legal validity under the European Regulation (Nº910/2014) known as eIDAS, as well as under other international legislation. But do they offer the same security guarantees?
This post will explain what the electronic signature with OTP and the advanced electronic signature based on biometric technology are and compare both acceptance systems.
What is the electronic signature with OTP?
The electronic signature with OTP (One-time password) is a signature system with a personal password and a temporary code that can only be used once. This one-time password allows you to digitally sign a document.
Through the signature with OTP, users can sign documents through any device in a legal and flexible way.
What is the biometric signature?
The advanced electronic signature is a data set that is attached to an electronic message, in order to identify the signer as the author thereof in a unique way, as if it were a handwritten signature.
Due to its characteristics, it adds security to the user’s electronic transactions, as it is possible to identify the signer and also to verify that the message has not been modified.
In this case, this type of signature allows us to guarantee the integrity of the signed content, in other words, that the signed content has not undergone any type of alteration or variation after it was signed.
The advanced electronic signature allows the signer to be identified and any subsequent change to the signed content to be detected.
The probatory document of the advanced signature registers biometric information such as pressure, speed or acceleration of the stroke. All this additional data has much more legal validity than just accepting the terms and conditions of the signature with OTP.
Legal comparison: OTP vs Biometric Signature
Electronic signature with OTP
1.- It is linked to the signer in a unique way
In the case of the electronic signature with OTP there is a precise and unique link, as the signer receives an email.
Also, there are other measures to strengthen this link that include, as an addition to this email, the validation of IDs, passports, among others, through our OCR technology.
2.- It enables identifying the signer
The OTP system identifies the signer only to the extent that the telephone number is personal and belongs exclusively to the signer. Therefore, there is a risk that the signer’s identity cannot be fully accredited by means of an OTP, as it only accredits the ownership of the telephone and not “who” the signer is.
3.- The signature must have been created using means of signature creation that the signer can use with a high level of trust and under their exclusive control
By making the signature requests through Signaturit, the signer decides in which environment to sign as well as when to sign. Signaturit sends the signature requests to the signer’s e-mail address, and the signer can complete the signature process on any device, whenever they deem appropriate.
4.- It is linked to the signed information so that any subsequent alteration can be detected
By using the time stamp, the integrity of the electronic data that make up the electronic signature is guaranteed. In other words, the time stamp guarantees that a signature was made at a specific time, making it impossible to modify it later, as the document is encrypted and stamped once the signature process has been completed.
In addition, the time stamp also guarantees the non-alteration of a data set associated with the electronic signature, such as the date, time and where it was signed, the email address of the issuer of the document to be signed, the signer’s email address or the signer’s signature characteristics, in other words, biometrics. The result is an unchangeable and trustworthy document.
Signaturit uses its own qualified electronic time stamp, as a Qualified Trust Service Provider.
Biometric Signature
1.- Being linked to the signer in a unique way
For the advanced electronic signature, or the signature based on biometric technology, there is a precise and unique link in that the signer receives an email to their email address.
Furthermore, Signaturit offers other measures to reinforce this link such as the validation of IDs, passports, among others, through our OCR technology.
2.- Enables identifying the signer
As for the biometric signature, it should be noted that within the so-called advanced signature, in accordance with Article 26 of Regulation 910/2014, it is the system that offers the greatest and best capacity to identify the signer.
Thus, Article 9 of the EU General Data Protection Regulation (GDPR) establishes the types of data that have additional protection because of their importance in identifying a subject, among them biometric data.
The same regulation defines biometric data as personal data obtained from a specific technical processing, related to the physical, physiological or behavioural characteristics of a natural person that allow or confirm this person’s unique identification.
The signer has a unique handwritten signature that is impossible to copy. Biometrics consists of a series of procedures and physical-behavioural tools that allow people to recognize and confirm their identities.
The biometric data we gather comes from the data obtained from the signature, consisting of the points that form it and its position, speed, acceleration and finally, the pressure that, with the finger or with a cursor, is placed on the device (if it so allows) used to sign. If the identity of the signer needs to be verified, this data may be made available to calligraphic experts.
With these parameters the identity of the individual can be confirmed. With the OTP, by contrast, the signer cannot be accredited: other types of evidence related to telecommunications (tracking) could confirm only the place, date and time where the signature took place, not the identity correlation between the signature and the signer.
In this way the identity of the individual is confirmed, and together with the time stamp, complete security is provided in the accreditation and verification of the identity of the user or signer.
Therefore, verifying or proving the signer’s identity through the biometric electronic signature offers a greater degree of security with respect to the OTP system, and Signaturit is aware that it is the only way to be able to fully comply with Article 26 of Regulation (EU) 910/2014.
3.- Have been created using the electronic signature creation data that the signer can use, with a high level of trust, under the signer’s exclusive control
By making signature requests through Signaturit, the signer decides in what environment to sign and when to sign. Signaturit sends the signature requests to the signer’s e-mail address, and they can complete the signature process using whatever device they wish and at a time of their choosing.
Furthermore, the signer is the owner of signature creation data, since they biometrically sign, thus confirming their consent.
4.- Be linked to the data signed by the signer in such a way that any subsequent modification thereof is detectable.
By using a time stamp the integrity of the electronic data that makes up the biometric electronic signature is guaranteed.
In other words, the time stamp guarantees that a signature was made at a specific time, making it impossible to modify it later, as the document is encrypted and stamped once the signature process has been completed.
In addition, the time stamp also guarantees the non-alteration of a data set associated with the electronic signature, such as the date, time and where it was signed, the email address of the issuer of the document to be signed, the signer’s email address or the signer’s signature characteristics, in other words, biometrics. The result is an unchangeable and trustworthy document.
Signaturit uses its own qualified electronic time stamp, as a Qualified Trust Service Provider.
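How a time stamp over the signature evidence makes later changes detectable, for both the OTP and the biometric case described above. This is an added example, not Signaturit's code: the key, the field names and the sample values are constructed, and an HMAC stands in for the provider's time stamp signature so that it runs offline.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the time-stamping provider's signing key. A real
# qualified time stamp is signed with the provider's private key; HMAC is an
# assumption made here so the example needs only the standard library.
TSA_KEY = b"constructed-demo-key"

def evidence_digest(document: bytes, evidence: dict) -> bytes:
    """SHA-256 over the document hash plus the canonically serialized evidence."""
    record = {"document_sha256": hashlib.sha256(document).hexdigest(),
              "evidence": evidence}
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).digest()

def stamp(document: bytes, evidence: dict, stamped_at: str) -> dict:
    """Bind the digest to a point in time and return the resulting token."""
    digest = evidence_digest(document, evidence)
    mac = hmac.new(TSA_KEY, digest + stamped_at.encode(), hashlib.sha256).hexdigest()
    return {"digest": digest.hex(), "stamped_at": stamped_at, "mac": mac}

def verify(document: bytes, evidence: dict, token: dict) -> bool:
    """True only if document, evidence and stamped time are all unchanged."""
    digest = evidence_digest(document, evidence)
    expected = hmac.new(TSA_KEY, digest + token["stamped_at"].encode(),
                        hashlib.sha256).hexdigest()
    return (hmac.compare_digest(digest.hex(), token["digest"])
            and hmac.compare_digest(expected, token["mac"]))

# Constructed sample data using the evidence fields the post lists.
DOC = b"Constructed sample contract text"
EVIDENCE = {
    "signed_at": "2024-01-15T10:32:00Z",
    "issuer_email": "issuer@example.com",
    "signer_email": "signer@example.com",
    # Stroke points: x, y, pressure, milliseconds since the stroke began.
    "biometrics": [[10, 20, 0.42, 0], [12, 23, 0.55, 16], [15, 27, 0.61, 32]],
}
TOKEN = stamp(DOC, EVIDENCE, "2024-01-15T10:32:05Z")

def tampered_evidence() -> dict:
    """Copy of the evidence with one pressure value changed after stamping."""
    altered = json.loads(json.dumps(EVIDENCE))
    altered["biometrics"][1][2] = 0.56
    return altered
```

The check detects a change to the document, to any evidence field or to the stamped time; it says nothing about who produced the strokes, which is the identification question the post treats separately.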
Conclusion
The main difference between the advanced electronic signature and the simple electronic signature with OTP is the identification of the signer.
While the electronic signature does not necessarily identify the signer, in the advanced electronic signature it is an essential requirement.
This difference is key when it comes to signing contracts or content in which the risk assumed is high or where current legislation requires identification for “non-repudiation”, such as the case of the financial industry in order to comply with international anti-money laundering and terrorist financing regulations.