Many eSignature solutions appear to be simple, but taking a look under the hood reveals a complex set of technologies that ensure security and compliance. In the digital world, one of the major threats is identity theft. Identity theft can lead to the falsification of documents, which endangers the victim. As more and more contracts are executed digitally, all parties become increasingly exposed to forgery and identity theft.
To contend with this reality, companies have developed secure methods that can protect both the parties involved and the contract itself from being falsified by adding digital encryption.
How a legally-binding eSignature is built
To create an eSignature solution that carries legal weight, engineers must make use of public key infrastructure (PKI).
PKI allows for the authentication of users and devices online by technological means. The parties involved are able to sign documents securely and digitally, with a guarantee that a cryptographic key belongs to a particular party. The key serves as an identifier of the user in a digital environment.
Users, programs, devices, components, manufacturers and many other things that can be associated with keys are known as entities. A PKI establishes the connection between a key and an entity in a secure way.
The structure of PKI is made of the following elements:
A Public Key Certificate, also known as a digital certificate: Proves ownership of a public key.
Private key tokens: Enable the secure generation of private keys.
Certificate authority: An organization that validates the identities of various entities.
Registration authority: An authority that validates user requests for a digital certificate and directs the certificate authority to grant it.
Certificate Management System: A system that manages the entire lifecycle for certificate issuing, inspection, renewal, and more.
The PKI allows for the secure management of eSignatures by creating two mathematically linked keys: a public key and a private key.
The public key is available to those who are authorized to validate the authenticity of the eSignature. The private key remains hidden to everyone besides the signer of the document or contract. Encrypting and decrypting eSignature data relies on both the sender’s and receiver’s public and private keys. This security relies on the trust that the sender’s private key has not been shared with anyone else.
By using PKI, the developers of the eSignature solution ensure that the technology meets the requirements of a certificate authority (CA), an organization responsible for guaranteeing the security and integrity of keys. The CA uses a cryptographic key to sign documents known as certificates.
When a signatory provides his or her electronic signature, a cryptographic hash is created for the form or document, which serves as a unique digital fingerprint.
The cryptographic hash is then encrypted with the sender’s private key and stored in a secure HSM box. It is added to the document and sent to the recipient with the sender’s public key.
Using the sender’s public key certificate, the recipient is able to decrypt the encrypted hash. On the recipient’s end, a new cryptographic hash is generated. The two hashes are compared to validate the eSignature’s authenticity, and demonstrate that no tampering has taken place.
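The hash, sign and verify flow described above, as an added example (not code from the original page or from Lightico): it uses textbook RSA built from Python's standard library so that each step, the private-key transformation of the hash, its recovery with the public key, and the comparison, is visible. The demo key made from two Mersenne primes and the names fingerprint, sign and verify are assumptions for illustration; a production signer uses a padded scheme such as RSA-PSS from a vetted library, with the private key held in an HSM.

```python
import hashlib
import hmac

# Constructed demo key: two well-known Mersenne primes. Special-form primes
# and unpadded RSA are NOT secure; they only keep the example self-contained.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the signer only


def fingerprint(document: bytes) -> int:
    """SHA-256 hash of the document as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, d: int = D, n: int = N) -> int:
    """Signer: hash the document, then transform the hash with the private key."""
    return pow(fingerprint(document), d, n)


def verify(document: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recipient: recover the signed hash with the public key, hash the
    received document again, and compare the two values."""
    if not 0 <= signature < n:
        return False
    recovered = pow(signature, e, n)
    expected = fingerprint(document)
    size = (n.bit_length() + 7) // 8
    return hmac.compare_digest(recovered.to_bytes(size, "big"),
                               expected.to_bytes(size, "big"))


if __name__ == "__main__":
    # Constructed sample documents.
    contract = b"Loan agreement: borrower pays 1,000 USD by 2025-01-31."
    altered = b"Loan agreement: borrower pays 9,000 USD by 2025-01-31."
    signature = sign(contract)
    print("original accepted:", verify(contract, signature))
    print("altered accepted: ", verify(altered, signature))
    print("forged sig accepted:", verify(contract, (signature + 1) % N))
```

Changing a single character of the document, or a single bit of the signature, makes the recovered and recomputed hashes differ, so verification fails.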
There are three different classes of digital signatures, each with their own level of security and legality.
Class I signatures: Provide a basic level of security for low-risk environments, and are not legally binding for business documents.
Class II signatures: Authenticate a signer's identity against a pre-verified database. Used for a moderate risk environment, such as income tax returns.
Class III signatures: Require a person to be present in front of a certifying authority to prove identity before providing a signature. This is reserved for court filings, e-tendering, and e-ticketing, where a data breach can have significant consequences.
Lightico’s digital signature solution
Lightico’s eSignature solution is unique in that it enables users to sign from their mobile phone, ensuring greater efficiency and turnaround time thanks to the location independence it provides. Businesses simply send a text message link to the customer’s smartphone, which opens up to a secure environment where documents and forms can be uploaded and reviewed, and signatures can be provided, all via smartphone.
The Lightico solution provides the highest level of eSignature protection by using a trusted CA and tamper-proof, time-stamped audit trails. It exceeds even the high standards of the ESIGN Act, as well as international equivalents.
The bottom line
Digital signatures not only prevent impersonation, but provide evidence of an electronic message’s origin, identity, and status, as well as the signer’s informed consent. Lightico is an eSignature solution that combines a highly efficient, intuitive mobile signing experience with the most stringent compliance measures in the industry.