The mechanism rests on two pillars: the authentication of the signer and the integrity of the document.
To authenticate the signatory, one or more identification factors are used: trusted email address (single-use link), OTP code received by SMS, personal cryptographic certificate, etc. To guarantee integrity, a fingerprint (hash) of the document is calculated at the time of signature. If the document is subsequently modified, the fingerprint no longer matches — the signature is then invalidated.
In solutions like Certyneo, the process relies on PDF processing libraries that integrate these cryptographic metadata directly into the file. A timestamped audit trail (action log) completes the system by recording each step: sending, opening, OTP validated, signature, etc.
On the technical side, several security mechanisms reinforce the inviolability of the process: qualified timestamping (RFC 3161) applies certified time proof to each signature; TLS 1.3 encryption protects data in transit; the signatory's geolocation and IP address are recorded for traceability; finally, in certain flows (AES/QES), behavioural biometric data (typing speed, pressure) complements the identity fingerprint.
The concept of non-repudiation is central: thanks to the timestamped and cryptographically signed audit trail, it is technically impossible for a signatory to deny signing a document without falsifying the chain of evidence. For archiving purposes, French regulation (Decree 2016-1673) requires a retention period of 10 years for most business documents — Certyneo ensures this archiving with probative value in sovereign hosting (EU).