User Authentication Best Practices for E-Signatures
Wednesday, February 25, 2015

Agenda
- E-Signature overview
- Legality, authentication and best practices
- Role of authentication in e-signing
- Options and applications of user authentication techniques
- Live demo
Silanis 2015
User Authentication and E-Signatures
- User authentication: validating a person's identity
  - Prevent or detect fraudulent transactions
  - Prevent repudiation of a signed document
- E-Signing: capturing intent
  - Enforce a transaction, contract or agreement
- Is signing the same as authenticating a person?
  - Historically, the signature was seen as a method of user authentication (e.g. checks)
  - Identity fraud prevention and detection is not normally associated with signatures
  - Repudiation of a signed document may void the business transaction
User Authentication as a Process
- Identify: validate a credential or other data against the claimed identity
  - Web-based identification: knowledge-based authentication (KBA) through online databases of credit information, DMV records and other available information
- Credential: data, device or process used to authenticate the claimed identity
  - Web-based credentials: passwords, tokens, digital certificates, biometrics
- User authentication for web-based e-signatures
  - Transactions requiring personal data capture, document exchange, third-party verification, payment, and delivery of goods and/or services
- Reliability of user authentication increases with the rigor of the process
Associate
- Affirmative act: click SIGN
- Clear purpose to the signature
  - Apply at the signature location for explicit intent (e.g. consumer forms)
  - Implicit intent: place the button anywhere
Authenticate
- Associate the action to the document and signature location
- Embed verifiable signature data in the document and secure it
- Authentication data and methods: User ID/PIN, email address, shared secret, graphic signature capture, SMS passcode, online ID service (KBA), voice, IP address
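The "Authenticate" step above says to associate the signer's action with the document and signature location and to embed verifiable signature data that is then secured. The following is an added example of what that binding can look like; it is not Silanis code and does not reflect how e-SignLive stores evidence. It constructs an evidence record (document digest, signer, authentication method used, signature location, affirmative act, timestamp) and seals it with an HMAC so that any later change to the document or to the record fails verification. The server key and all sample values are assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Hypothetical server-side sealing key. In a deployment this would be held
# in an HSM or key-management service, not generated at import time.
SERVER_KEY = secrets.token_bytes(32)


def document_digest(document: bytes) -> str:
    """SHA-256 of the exact bytes that were presented to the signer."""
    return hashlib.sha256(document).hexdigest()


def _canonical(record: dict) -> bytes:
    """Deterministic serialization so the seal is reproducible on verify."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(document: bytes, signer: str, auth_method: str,
                   signature_location: str, key: bytes = SERVER_KEY) -> dict:
    """Bind signer, authentication performed, signature location and the
    affirmative act to the document digest, then seal the record."""
    record = {
        "document_sha256": document_digest(document),
        "signer": signer,                          # e.g. the authenticated email address
        "auth_method": auth_method,                # e.g. "email+sms" (constructed label)
        "signature_location": signature_location,  # e.g. "page 1, field Sign_1"
        "affirmative_act": "click SIGN",
        "signed_at": datetime.now(timezone.utc).isoformat(),
    }
    record["seal"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_evidence(document: bytes, record: dict, key: bytes = SERVER_KEY) -> bool:
    """Recompute the seal and the document digest. A changed document, or a
    changed signer/method/location/timestamp, makes verification fail."""
    body = {k: v for k, v in record.items() if k != "seal"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(record.get("seal", ""))):
        return False
    return hmac.compare_digest(body["document_sha256"], document_digest(document))


if __name__ == "__main__":
    # Constructed sample: a short "document" and a signer who passed email + SMS.
    doc = b"Sample NDA text (constructed for the example)"
    evidence = build_evidence(doc, "signer@example.com", "email+sms", "page 1, field Sign_1")
    print("original verifies:", verify_evidence(doc, evidence))
    print("altered document verifies:", verify_evidence(doc + b" altered", evidence))
```

The point of the record is the binding: the seal covers the document hash and the description of how the signer was authenticated together, so neither can be swapped afterwards without detection. In a production system the seal would be a digital signature or a timestamped audit-trail entry rather than an HMAC with an in-process key, but the verification logic is the same.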
Balance Usability & Security
- Security safeguards should be in proportion to risk
- Security safeguards should be similar to the security applied in the paper process
"For most electronic signature and e-delivery processes, the goal will be to have the transaction, on the whole, be no riskier than the current processes." Pat Hatfield, Partner, Locke Lord LLP
E-Signature Process Workflow
(Diagram: UI, navigation, workflow, user management and notifications supporting a legal, regulated e-transaction)
1. Access: web app, mobile app, email, SMS, Transaction Manager, integrated app
2. Authenticate: UID/PIN, Q&A, email, SMS, KBA, external (SAML, directory, web)
3. Document presentment: on-screen, mobile, paper (hybrid), ADA
4. Data capture: form fields, controls, auto-fill, data merge and update, data return
5. Document upload: update document changes; scan, upload or fax paper or digital documents
6. Sign: click to sign; write to sign on a mobile phone or tablet, or on a signature capture tablet
7. Deliver: distribute documents during and after e-signing, deliver disclosures
Silanis Technology 2014
Authentication factors
- Something the user knows: password to an email account; shared secret, e.g. loan number; ATM card PIN
- Something the user has: ATM card; phone
- Something the user is: iris scan
Biometrics
- Characteristics: universality, uniqueness, permanence, measurability, performance, acceptability, circumvention
- Process: enrollment, template storage, verification, template matching
Knowledge-based authentication
- False negative: the user is who they claim to be but the system disagrees
  - False negative rate: how often legitimate users are turned back due to a failed identification attempt
- False positive: an impersonator successfully identifies themselves as someone else
  - False positive rate: how often the system allows someone through that it should not
The right authentication method for the right risk level
- Knowledge-based authentication (KBA) is a last resort
- If using KBA, try using recent events as questions
- Make it hard for impersonators and easy for legitimate users
- Evaluate the risk first
- Consider what is being done in the paper world today
User Authentication Methods (method; description; use case)
- Email: the transaction is accessed from the signer's email account. Use case: low risk, internal processes, e.g. NDA, expense reports.
- User Name & Password: the signer enters a password to access the transaction; password management is done by e-SignLive and shared with the signer. Use case: existing/repeat signers.
- Shared Secrets: the signer agrees on a series of challenge-response questions in advance with a rep, who enters the data into e-SignLive. Use case: call center processes or advisor-customer relationship.
- SSO: the signer logs on to a web application which embeds the e-signature process within it. Use case: online banking; any customer portal.
- Smartcard, Token: the individual's own digital certificate is used to sign. Use case: government agencies.
- SMS Passcode: the user must enter a one-time passcode received via SMS; two-factor authentication in combination with email. Use case: face-to-face, POS transaction.
- KBA via Equifax: identification questions are generated dynamically. Use case: account opening; customer acquisition.
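The SMS Passcode row above describes a one-time code sent to the signer's phone as the second factor next to email access ("something the user has" from the authentication factors slide). The following added example, which is not Silanis code and is not how e-SignLive implements it, shows the server-side half of that method: the code is generated with a CSPRNG, only a salted hash is kept, and verification enforces an expiry, an attempt limit and a single use, with a constant-time comparison. The code length, time-to-live and attempt limit are assumed values chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed policy values for the example, not figures from the presentation.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PasscodeChallenge:
    """Server-side record for one issued passcode. The plaintext code is never stored."""
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0
    consumed: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    # A 6-digit code has only 10**6 possibilities, so the hash alone does not
    # resist offline guessing; the expiry and attempt limit below do the real work.
    return hashlib.sha256(salt + code.encode()).digest()


def issue_passcode(now: Optional[float] = None) -> Tuple[str, PasscodeChallenge]:
    """Generate a random numeric code. Returns the plaintext (to be sent over SMS
    by the caller) and the record the server keeps for later verification."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    challenge = PasscodeChallenge(_hash_code(code, salt), salt, now + CODE_TTL_SECONDS)
    return code, challenge


def verify_passcode(challenge: PasscodeChallenge, submitted: str,
                    now: Optional[float] = None) -> str:
    """Check a submitted code. Returns one of: "ok", "wrong", "expired",
    "locked" (attempt limit reached) or "consumed" (already used once)."""
    now = time.time() if now is None else now
    if challenge.consumed:
        return "consumed"
    if now > challenge.expires_at:
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1
    if hmac.compare_digest(_hash_code(submitted, challenge.salt), challenge.code_hash):
        challenge.consumed = True  # one-time: a replayed code is rejected
        return "ok"
    return "locked" if challenge.attempts >= MAX_ATTEMPTS else "wrong"


if __name__ == "__main__":
    # Constructed walk-through: issue a code, simulate a typo, then the right code.
    code, challenge = issue_passcode()
    print("sent via SMS (simulated):", code)
    print(verify_passcode(challenge, "000000" if code != "000000" else "000001"))  # wrong
    print(verify_passcode(challenge, code))  # ok
    print(verify_passcode(challenge, code))  # consumed
```

Two design points matter for the "combination with email" use case: the challenge record should be tied to the specific transaction and signer session that was reached from the email link, so a code issued for one signing cannot be replayed against another, and lockout after a few wrong attempts is what keeps a short numeric code from being guessed within its lifetime.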
USE CASE DEMONSTRATION
1. New business application (account opening)
2. Signer identification with SMS text and KBA
3. Document and evidence review
Questions?
Next Steps
Download the White Paper: User Authentication for E-Signature Transactions
https://www.silanis.com/resource-center