Signatory authentication: methods and challenges
How to authenticate a signatory in electronic signature: methods, levels, risks and best practices.
Certyneo Team
Editor, Certyneo
Why authentication is critical
Signatory authentication is usually the weakest link in the chain of evidence. A valid cryptographic signature proves that a key or a link was used, not who used it; without a traceable authentication step it is impossible to attribute the signature to a person. A modern signature platform must therefore offer several graduated mechanisms and record which one was used.
Available methods
Trusted email
The signatory receives a unique link at their email address. Following it proves control of the mailbox at that moment, not the identity of the person reading it, so the link must be unguessable (a long random token), single-use and time-limited. Simple, and sufficient for SES.
Residual risk: mailbox compromise, but also forwarding rules and shared inboxes, any of which lets someone other than the named signatory use the link. Acceptable for low-stakes documents.
OTP via SMS
A one-time code sent to the signatory's phone number, to be entered before it expires. Combined with the email link this gives two factors on two channels, which is the usual basis for an AES flow.
Residual risk: SIM swapping (rare, but a known pattern against high-value targets), which lets an attacker receive the code on a phone they control.
OTP via application
A time-based code generated by an authenticator app (Google Authenticator, Authy from Twilio, or any other TOTP client) from a secret shared at enrolment. More secure than SMS for high-stakes matters: nothing crosses the telephone network, so SIM swapping does not apply, and the code is tied to the enrolled device.
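The two OTP mechanisms above, together with the expiry and attempt-limit behaviour described in the FAQ, as an added worked example in Python. This is not Certyneo's code: the in-memory stores, the 300-second lifetime and the five-attempt limit are assumptions, and the 20-byte key used in the comments is the RFC 6238 test secret rather than a real enrolment.

```python
"""One-time codes on the server side: SMS-style random codes with expiry and
attempt limits, and app-style TOTP (RFC 6238) with drift tolerance and replay
protection. Added example, not Certyneo's code; the in-memory stores, the TTL
and the attempt limit are assumptions."""
import hashlib
import hmac
import secrets
import struct
import time

SMS_CODE_TTL = 300      # seconds a delivered code stays valid (assumed policy)
SMS_MAX_ATTEMPTS = 5    # wrong guesses before the code is burned (assumed policy)
TOTP_STEP = 30          # RFC 6238 default time step
TOTP_DIGITS = 6
TOTP_DRIFT_STEPS = 1    # accept one step either side for phone clock skew

_sms_store = {}         # signer_id -> {"code", "expires_at", "attempts"}
_totp_last_step = {}    # signer_id -> last time step already consumed


def issue_sms_code(signer_id, now=None):
    """Generate a fresh 6-digit code and remember it; return it for the SMS gateway."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"      # uniform, CSPRNG-backed
    _sms_store[signer_id] = {"code": code, "expires_at": now + SMS_CODE_TTL, "attempts": 0}
    return code


def verify_sms_code(signer_id, submitted, now=None):
    """Return 'ok', 'wrong', 'expired', 'locked' or 'missing'. A code is single-use."""
    now = time.time() if now is None else now
    entry = _sms_store.get(signer_id)
    if entry is None:
        return "missing"
    if now > entry["expires_at"]:
        del _sms_store[signer_id]
        return "expired"
    entry["attempts"] += 1
    if entry["attempts"] > SMS_MAX_ATTEMPTS:
        del _sms_store[signer_id]                       # burn the code, force re-issue
        return "locked"
    if not hmac.compare_digest(entry["code"], submitted):   # constant-time compare
        return "wrong"
    del _sms_store[signer_id]
    return "ok"


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret, now=None):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // TOTP_STEP))


def verify_totp(signer_id, secret, submitted, now=None):
    """Accept the code for the current step or one adjacent step, never twice."""
    now = time.time() if now is None else now
    current = int(now // TOTP_STEP)
    for delta in range(-TOTP_DRIFT_STEPS, TOTP_DRIFT_STEPS + 1):
        step = current + delta
        if hmac.compare_digest(hotp(secret, step), submitted):
            if step <= _totp_last_step.get(signer_id, -1):
                return False                            # replay of a consumed step
            _totp_last_step[signer_id] = step
            return True
    return False


if __name__ == "__main__":
    key = b"12345678901234567890"                      # RFC 6238 test secret
    print(totp(key, now=59))                           # 287082 per the RFC vectors
    code = issue_sms_code("alice", now=1000.0)
    print(verify_sms_code("alice", code, now=1010.0))  # ok
```

Two design points matter for the evidence value: comparisons are constant-time so a wrong guess leaks nothing about the stored code, and both the SMS code and a TOTP step are consumed on first success, so a code captured in transit cannot be replayed within its window.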
Biometrics
Fingerprint or face recognition, used on mobile to streamline the experience. The biometric is checked by the device itself, which then releases a local credential; the template never leaves the device and is not stored server-side (GDPR compliance). It therefore proves that the enrolled device user is present, and is only as strong as the device enrolment.
Personal certificate
Cryptographic certificate issued by a qualified trust service provider (QTSP), with the private key held on a qualified signature creation device (QSCD): a smart card, a certified hardware token, or a remote QSCD operated by the QTSP. A qualified certificate on a QSCD is mandatory for QES; a generic USB security key such as a YubiKey only qualifies if that model is certified as a QSCD.
Video KYC
Identity verification in a live video call or a recorded session: an identity document is presented and compared with the live face. Used in regulated sectors (banking, insurance), typically as the identity-proofing step before a certificate is issued or an account is opened.
National digital identity
FranceConnect+, itsme (Belgium), SPID (Italy). These schemes are notified under eIDAS at substantial level or above, depending on the scheme (FranceConnect+ and SPID level 2 at substantial; itsme and SPID level 3 at high).
Assurance levels (LoA)
eIDAS defines three levels of assurance for the identification step (low, substantial, high). The table below shows how each is commonly paired with a signature type; note that QES additionally requires a qualified certificate on a QSCD, and that video KYC is usually the identity-proofing step that gets such a certificate issued.
Level | Requirement | Example
Low | Email or equivalent single factor | SES
Substantial | Two factors on distinct channels | AES (email + OTP)
High | Strict identity verification (face-to-face or equivalent remote proofing) | QES (video KYC as proofing)
Alignment with stakes
- Internal document, purchase order: Low LoA (SES) sufficient
- Employment contract, lease, NDA: Substantial LoA (AES)
- Notarial deed, public procurement: High LoA (QES)
Common mistakes
- Using SES for everything (under-dimensioned)
- Stacking authentications unnecessarily (friction)
- Not logging methods used (weakened evidence)
- Collecting too much biometric data (GDPR)
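The "not logging methods used" mistake and the alignment-with-stakes rules above, as an added worked example in Python. This is not Certyneo's code: the record layout, the hash-chained trail and the document-type table are assumptions, and the sample entries and timestamps are constructed. The method-to-level mapping follows the pairing given on this page (email alone is low, email plus an OTP or a national eID is substantial, a qualified certificate or video KYC is high).

```python
"""Tamper-evident audit trail of authentication steps, and a check of the
assurance level those logged steps actually reach against what the document
type requires. Added example, not Certyneo's code; the record layout and the
document-type table are assumptions, the method-to-level mapping follows the
alignment rules on this page."""
import hashlib
import json

GENESIS = "0" * 64          # previous-hash value of the first entry

# Assumed required levels, from the alignment with stakes on this page
REQUIRED_LEVEL = {
    "purchase_order": "low",
    "employment_contract": "substantial",
    "notarial_deed": "high",
}
LEVEL_RANK = {"low": 0, "substantial": 1, "high": 2}


def achieved_level(methods):
    """Map the set of successfully completed methods to an eIDAS-style level."""
    if methods & {"qualified_certificate", "video_kyc"}:
        return "high"
    if "national_eid" in methods or ("email_link" in methods and methods & {"sms_otp", "app_otp"}):
        return "substantial"
    if "email_link" in methods:
        return "low"
    return None                                   # no usable first factor completed


class AuditTrail:
    """Append-only log; each entry carries the hash of the previous one."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON of every field except the hash itself
        material = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, envelope_id, signer, method, outcome, at):
        """Append one authentication event and return its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"envelope": envelope_id, "signer": signer, "method": method,
                 "outcome": outcome, "at": at, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify_chain(self):
        """Return -1 if intact, else the index of the first broken entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1

    def methods_completed(self, envelope_id, signer):
        """Methods with a logged success for this signer on this envelope."""
        return {e["method"] for e in self.entries
                if e["envelope"] == envelope_id and e["signer"] == signer
                and e["outcome"] == "success"}

    def meets_requirement(self, envelope_id, signer, document_type):
        """True only if the chain is intact and the logged methods reach the required level."""
        if self.verify_chain() != -1:
            return False
        level = achieved_level(self.methods_completed(envelope_id, signer))
        return level is not None and LEVEL_RANK[level] >= LEVEL_RANK[REQUIRED_LEVEL[document_type]]


if __name__ == "__main__":
    trail = AuditTrail()                              # constructed sample journey
    trail.record("env-1", "alice", "email_link", "success", "2024-05-01T09:00:00Z")
    trail.record("env-1", "alice", "sms_otp", "failure", "2024-05-01T09:01:00Z")
    trail.record("env-1", "alice", "sms_otp", "success", "2024-05-01T09:02:00Z")
    print(trail.meets_requirement("env-1", "alice", "employment_contract"))   # True
    print(trail.meets_requirement("env-1", "alice", "notarial_deed"))         # False
```

Failures are logged as well as successes: a trail that only shows the final success hides a brute-force attempt that preceded it. The chain check is what makes the log evidence rather than a claim; an edited or deleted entry breaks every hash after it, and the requirement check refuses to vouch for an envelope whose trail no longer verifies.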
Protection against attacks
- Phishing: train signatories to verify sender
- Man-in-the-middle: TLS 1.3 (or 1.2 with modern cipher suites) and HSTS on every link the signatory opens; the signing flow is never served over plain HTTP
- SIM swapping: OTP app for very high-stakes matters
- Video KYC deepfake: liveness checks (challenge-response, motion and depth cues) plus cross-verification of the document data against an independent source
Real case study: neo-bank
Account opening journey:
- Trusted email
- OTP SMS
- Identity document upload
- Liveness test (selfie)
- Sanctions database cross-check
- AES signature
LoA: substantial. ACPR compliant. Process in 10 minutes.
How Certyneo helps you
Certyneo provides all common mechanisms: email, OTP SMS (via Twilio Verify), qualified certificate integration for QES, optional video KYC, FranceConnect+ integration. Each method is logged in the audit trail.
Discover Certyneo's electronic signature solution
FAQ
Is SMS secure enough?
For AES yes. For very high-stakes matters, prefer OTP app or biometrics.
Is biometrics stored?
Not server-side (GDPR compliance). Templates remain on the device; the server only receives the result of the local check.
Can you combine multiple methods?
Yes, to strengthen the evidence.
Is FranceConnect+ recognised?
Yes, at substantial level under eIDAS. It can serve as the authentication step of an AES and as the identity-proofing step of a QES flow.
What happens if the OTP expires?
The expired code is discarded and the signatory requests a new one. Wrong guesses are rate-limited, and a code is invalidated after a small number of failed attempts so it cannot be brute-forced.
Conclusion
Good authentication is graduated, traced, and tailored to the stakes. Over-authenticating creates friction; under-authenticating weakens the evidence. The balance is found document by document.
Try Certyneo to send, sign and track your documents online simply, quickly and securely.
Try Certyneo for free
Send your first signature envelope in less than 5 minutes. 5 free envelopes per month, no credit card required.