The latest guest blog from the Ascertia partner community comes courtesy of Stefan Claeys, Managing Partner at KeySign, who discusses the eSignature landscape, smartcards and remote signing.
Where do we start with digital signatures? This is often the question that customers ask and our response is to counter with a question: what level of assurance do you need and what signing method best suits your requirements?
We ask this because every use case is different. Take a mortgage, for example. That is a legal document for which a Qualified Electronic Signature (QES) is needed. It has the same legal weight as a written signature. In contrast, you might be signing a timesheet or a purchase order. For these, a basic electronic signature is likely to suffice.
The minimum level of required assurance is normally the key driver in determining the right digital signature for the situation and organisation. The more flexible the signing solution, the more useful it will be to the document owner as this flexibility allows the user to request an appropriate level of assurance from document signers on a case-by-case basis.
Let’s take Belfius, the Belgian bank, as an example. The bank manages its digital signatures easily and quickly using a combination of the itsme service and a Belgian eID card, both of which are very popular in the Belgian market. It doesn’t matter to Belfius which option is selected as long as it is a Qualified Electronic Signature.
And this is the crux of the matter.
Document owners should be able to request an appropriate level of assurance from signers, regardless of the signature method needed.
Are smartcards smart?
When it comes to different methods, eID cards, also known as smart cards, are ideal for local signing where they act as a fully secure PKI signing key. They are compatible with a wide range of browsers and because the signer doesn’t have to download any code, they are easy and accessible.
Bulk signing on a local basis is also more cost effective when managed with a smart card, but there are some drawbacks to this method. To start, a card reader is needed, the signer must be able to recall their PIN, and a card won’t work if the signer is working on a mobile phone.
A larger challenge occurs within large organisations with thousands of employees. Issuing a card, with a corresponding certificate, to every single worker is an onerous task, particularly if people are unlikely to sign a document more than once a year. eID cards are not designed to scale in this way.
By comparison, a cloud-based remote signing solution allows documents to be digitally signed from any internet-connected device, without the need for a reader. This also makes this method ideal for digital signatures that need to cross borders.
The CSC (Cloud Signature Consortium), with its commitment to building new standards for cloud-based digital signatures, does acknowledge the importance of smart cards, particularly when it comes to managing costs for local signers. However, the organisation’s remit is to encourage cloud-based services using centrally held keys that allow signing to be carried out on any device, at any time, from anywhere.
The real key to successful digital signature management is allowing for changing circumstances. A signer might select a remote method one day because they are using a smartphone, while the next day, sitting at their desk with numerous documents to sign, they prefer to use a smart card because the reader is to hand.
Ultimately, organisations need a solution that has a minimum level of assurance built in as well as the means for the document owner to flex thresholds for every signer on-demand.
At a time when businesses are adapting to new ways of working, with employees likely to be remote and in the office in equal measure, the accessibility, interoperability and security of high-trust signing solutions will add considerable value while also ensuring organisations are prepared for the digital future.