Signatory Authentication: Methods and Issues

How to authenticate a signatory in electronic signature: methods, levels, risks and best practices.

Certyneo Team

Why Authentication is Critical

Signatory authentication is usually the weakest link in the chain of evidence. The cryptography that proves a document was not altered after signing says nothing about who signed it; without a reliable authentication step it is impossible to attribute the signature to a person. A modern signature platform must therefore offer several graduated mechanisms and record which one was used for each signature.

Available Methods

Trusted Email

The signatory receives a unique, unguessable link at their email address. Whoever controls that mailbox can open the link, so the proof is "possession of the mailbox at that moment", nothing more. Simple and effective for an SES.

Residual risk: compromise of the email account, or forwarding of the link. Acceptable for low-stakes documents.
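As an added example (not Certyneo's own code), the properties a trusted-email link needs in order to carry any evidential weight: the token comes from a CSPRNG so it cannot be guessed or enumerated, only its hash is stored server-side, it is bound to one envelope and one signatory, it expires, and it is single-use. The in-memory store, the URL prefix and the seven-day validity are assumptions for illustration.

```python
import hashlib
import secrets
import time

# Added example, not Certyneo's code: a minimal single-use signing link service.
# The store is an in-memory dict keyed by the SHA-256 of the token (assumption:
# a real platform would use a database). Only the hash is kept, so a leaked
# database does not yield usable links.
_links = {}

LINK_TTL_SECONDS = 7 * 24 * 3600             # assumed validity of a signing link
BASE_URL = "https://sign.example.invalid/s/"  # hypothetical URL prefix


def issue_signing_link(envelope_id, signatory_email, now=None):
    """Create a link bound to one signatory of one envelope.

    The raw token (256 bits from the OS CSPRNG, so it cannot be guessed or
    enumerated) is returned exactly once, for emailing to the signatory.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _links[digest] = {
        "envelope_id": envelope_id,
        "email": signatory_email.strip().lower(),
        "expires_at": now + LINK_TTL_SECONDS,
        "used": False,
    }
    return BASE_URL + token


def redeem_signing_link(token, envelope_id, now=None):
    """Return the signatory's email if the link is valid, otherwise None.

    A link is rejected if it is unknown, already used, expired, or presented
    for an envelope other than the one it was issued for. The first successful
    redemption burns it, so a forwarded or replayed link cannot open a second
    signing session.
    """
    now = time.time() if now is None else now
    record = _links.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["used"]:
        return None
    if now > record["expires_at"] or record["envelope_id"] != envelope_id:
        return None
    record["used"] = True
    return record["email"]


def token_from_link(link):
    """Extract the raw token from a link produced by issue_signing_link."""
    return link[len(BASE_URL):]
```

The envelope check matters in practice: a link issued for a low-stakes envelope must never be accepted as authentication for another one, otherwise a leaked link from an old purchase order could open a contract. Redemption is also what the audit trail should record (time, envelope, method "email"), not just the fact that an email was sent.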

OTP via SMS

A one-time code sent to the signatory's phone number, proving possession of that SIM at signing time. Combined with the email link it gives two independent factors, which is the usual basis on which platforms build an AES (eIDAS defines an AES by its properties: uniquely linked to the signatory, capable of identifying them, created under their sole control, and tamper-evident; the OTP channel is how the platform meets the "sole control" part).

Residual risk: SIM swapping and interception of the SMS (rare, but documented against high-value targets). A phone number also proves possession, not identity: the number must have been collected from a trusted source, not typed in by the signatory at signing time.

OTP via Application

A code generated on the signatory's device by an authenticator app (Google Authenticator, Authy, or any app implementing TOTP, RFC 6238) from a shared secret enrolled once. Nothing transits the mobile network, so it is not exposed to SIM swapping or SMS interception; safer than SMS for high-stakes transactions.
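As an added example (not Certyneo's code), the TOTP algorithm those apps implement, written so that the server-side checks a signature platform needs are visible: a drift window for phones whose clock is slightly off, a constant-time comparison, and a "last accepted counter" so a code phished out of the signatory cannot be replayed during its 30-second validity. The RFC 6238 test secret is used in the usage example; everything else is standard-library.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not Certyneo's code: RFC 6238 TOTP (HMAC-SHA1, 30 s steps,
# 6 digits), the profile Google Authenticator and Authy implement by default.

STEP = 30
DIGITS = 6


def _decode_secret(secret_b32):
    # Authenticator apps exchange the shared secret as (usually unpadded) base32.
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp_at_counter(key, counter, digits=DIGITS):
    """HOTP(key, counter) per RFC 4226: HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time=None, step=STEP, digits=DIGITS):
    """The code the signatory's app displays at unix_time (what the server recomputes)."""
    unix_time = time.time() if unix_time is None else unix_time
    return totp_at_counter(_decode_secret(secret_b32), int(unix_time) // step, digits)


def verify_totp(secret_b32, submitted, unix_time=None, last_counter=-1,
                window=1, step=STEP, digits=DIGITS):
    """Return the accepted time-step counter, or None if the code is rejected.

    - window: also accept the previous and next step, to tolerate clock drift
      on the signatory's phone
    - last_counter: highest counter already accepted for this secret; codes at
      or below it are refused, so one code can never be used twice
    - the comparison is constant-time and the loop never exits early
    """
    unix_time = time.time() if unix_time is None else unix_time
    key = _decode_secret(secret_b32)
    base = int(unix_time) // step
    accepted = None
    for drift in range(-window, window + 1):
        counter = base + drift
        expected = totp_at_counter(key, counter, digits)
        if hmac.compare_digest(expected, submitted) and counter > last_counter:
            accepted = counter
    return accepted


if __name__ == "__main__":
    # RFC 6238 reference secret ("12345678901234567890" in base32); at t=59 the
    # 8-digit vector is 94287082, so the 6-digit code is 287082.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(rfc_secret, 59))
```

The caller must persist the counter returned by verify_totp per enrolled secret and pass it back as last_counter on the next check; without that, a TOTP is replayable for up to 30 seconds, and with a window of 1 up to 90 seconds, which is exactly the window a real-time phishing page exploits.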

Biometrics

Fingerprint or facial recognition, used on mobile to streamline the experience. In practice the biometric unlocks a key held on the device (secure enclave or TEE) and the platform only receives the device's yes/no result; the biometric template itself never leaves the device and is not stored on the server (GDPR compliance).

Personal Certificate

A qualified certificate issued by a QTSP after identity verification, with the private key held in a qualified signature creation device (QSCD): either a local token (YubiKey, smart card) or a remote QSCD operated by the QTSP, where the signatory authorises each signature. Mandatory for a QES.

Video KYC

Identity verification via videoconference or recording. Used for regulated sectors (banking, insurance).

National Digital Identity

FranceConnect+ (France), itsme (Belgium), SPID (Italy): national eID schemes notified under eIDAS, at "substantial" or "high" assurance level depending on the scheme and the identity means used. Logging in through them gives the platform an identity already verified by the state or its delegates.

Assurance Levels (LoA)

eIDAS defines three assurance levels (low, substantial, high) for electronic identification means. Strictly speaking these levels qualify the identity proofing and authentication of an eID scheme, not the signature: SES, AES and QES are defined separately. In practice platforms line the two up as follows:

Level | Typical requirement | Typical signature level

Low | Email link or equivalent | SES

Substantial | Two independent factors (e.g. email + OTP) | AES

High | Strict identity verification (qualified certificate, video KYC, or a notified eID at "high") | QES

Alignment with Stakes

  • Internal document, purchase order: Low LoA (SES) is sufficient
  • Employment contract, lease, NDA: Substantial LoA (AES)
  • Notarial deed, public tender: High LoA (QES)

Common Mistakes

  • Using SES for everything (under-dimensioned)
  • Stacking authentication unnecessarily (friction)
  • Not logging the methods used (weakened evidence)
  • Collecting too much biometric data (GDPR)

Protection Against Attacks

  • Phishing: signing links and OTP prompts must only ever come from the platform's own domain; publish SPF, DKIM and DMARC on the sending domain and train signatories to check both the sender and the link destination before clicking
  • Man-in-the-middle: serve everything over TLS (1.3, or at least 1.2 with modern cipher suites) and enforce it with HSTS
  • SIM swapping: prefer an authenticator app, a device-bound biometric or a certificate for very high-stakes transactions; a phone number proves possession of a SIM, not identity
  • Video KYC deepfake: liveness checks, plus a cross-check of the face against the identity document and of the document against independent sources

Real Case: Neo-bank

Account opening journey:

  • Trusted email
  • OTP SMS
  • Upload identity document
  • Liveness test (selfie)
  • Sanctions database cross-reference
  • AES signature

LoA: substantial. ACPR compliant. Process in 10 minutes.

How Certyneo Helps You

Certyneo offers all common mechanisms: email, OTP SMS (via Twilio Verify), integration of qualified certificates for QES, optional video KYC, FranceConnect+ integration. Each method is logged in the audit trail.


FAQ

Is SMS Secure Enough?

As the second factor of an AES, yes, for most documents. For very high-stakes transactions prefer an authenticator app, a device-bound biometric or a certificate, because an SMS can be diverted by SIM swapping or intercepted in transit.

Is Biometrics Stored?

Server-side no (GDPR compliance). Templates remain on the device.

Can You Combine Multiple Methods?

Yes, to strengthen the evidence.

Is FranceConnect+ Recognised?

Yes, it is notified under eIDAS at "substantial" level. It can authenticate the signatory for an AES and serve as the identity verification on which a QTSP issues the qualified certificate used for a QES.

What Happens If the OTP Expires?

The signatory can request a new one. A code is short-lived, accepts only a limited number of wrong attempts before it is invalidated, and resends are rate-limited; those limits are what make a six-digit code safe against brute force.
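As an added example (not Certyneo's code), the server side of the SMS OTP described in the "OTP via SMS" section and in this answer: a code drawn from the OS CSPRNG, a time-to-live, an attempt budget after which the code is discarded, a resend cooldown, and single use. The limits and the in-memory store are assumptions for illustration; the SMS gateway is stubbed by a `deliver` callback.

```python
import hmac
import secrets
import time

# Added example, not Certyneo's code: server-side handling of an SMS OTP.
# The three limits are illustrative assumptions, not Certyneo's settings.
OTP_TTL = 300          # seconds a code stays valid
MAX_ATTEMPTS = 5       # guesses allowed before the code is invalidated
RESEND_COOLDOWN = 30   # seconds before a new code may be sent to the same signatory

_otps = {}             # signatory_id -> {"code", "issued_at", "attempts"}


class ResendTooSoon(Exception):
    """Raised when a new code is requested before the cooldown has elapsed."""


def send_otp(signatory_id, now=None, deliver=None):
    """Generate a fresh 6-digit code and hand it to the SMS gateway.

    A new code replaces the old one and starts a fresh attempt budget, which
    is exactly why resends must be rate-limited: otherwise an attacker could
    request a resend every time the budget runs out.
    """
    now = time.time() if now is None else now
    rec = _otps.get(signatory_id)
    if rec is not None and now - rec["issued_at"] < RESEND_COOLDOWN:
        raise ResendTooSoon(signatory_id)
    code = f"{secrets.randbelow(10 ** 6):06d}"   # uniform over 000000..999999
    _otps[signatory_id] = {"code": code, "issued_at": now, "attempts": 0}
    if deliver is not None:
        deliver(code)   # stand-in for the SMS gateway call


def verify_otp(signatory_id, submitted, now=None):
    """Return True if the code is right, otherwise False.

    Every call counts as an attempt. Once MAX_ATTEMPTS is exceeded, or the
    TTL has passed, the code is discarded: a six-digit code has only 10^6
    values, so without a budget it is brute-forceable in minutes.
    A correct code is consumed on first use.
    """
    now = time.time() if now is None else now
    rec = _otps.get(signatory_id)
    if rec is None:
        return False
    if now - rec["issued_at"] > OTP_TTL:
        del _otps[signatory_id]
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del _otps[signatory_id]
        return False
    if hmac.compare_digest(rec["code"], submitted):
        del _otps[signatory_id]
        return True
    return False
```

Two things this does deliberately: the attempt counter is incremented before the comparison, so a failed comparison can never be retried for free, and the check uses hmac.compare_digest rather than ==. In production the counters live in a shared store, and a per-envelope cap on the total number of resends is worth adding on top of the cooldown.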

Conclusion

Good authentication is graduated, traced, and tailored to the stakes. Over-authenticating creates friction; under-authenticating weakens the evidence. The balance is found document by document.

Try Certyneo to send, sign and track your documents online simply, quickly and securely.
