Signer Authentication: Methods and Challenges

Why authentication is critical

Signer authentication is the weakest link in the proof chain. Without it, it's impossible to prove who actually signed. A modern signature platform must offer several graduated mechanisms.

Available methods

Trusted email

The signer receives a unique link at their email address. Only the mailbox holder can click it. Simple, effective for SES.

Residual risk: email account compromise. Acceptable for low-stakes documents.

OTP via SMS

One-time code sent to the phone number. Combined with email = AES.

Residual risk: SIM swapping (rare but known for high-value targets).

OTP via application

Code generated by an app (Google Authenticator, Authy, Twilio Authy). Safer than SMS for high-stakes matters.

Biometrics

Fingerprint, facial recognition. Used on mobile to streamline experience. Not stored on server (GDPR compliance).

Personal certificate

Cryptographic certificate issued by a QTSP, stored on a device (YubiKey, smart card). Mandatory for QES.

Video KYC

Identity verification via video conference or recording. Used for regulated sectors (banking, insurance).

National digital identity

FranceConnect+, itsme (Belgium), SPID (Italy). Recognised "substantial" level by eIDAS.

Assurance levels (LoA)

eIDAS defines three levels:

Level | Requirement | Example

Low | Email or equivalent | SES

Substantial | Two-factor | AES (email + OTP)

High | Strict identity verification | QES, video KYC

Alignment with stakes

• Internal document, purchase order: Low LoA (SES) is sufficient

• Employment contract, lease, NDA: Substantial LoA (AES)

• Notarial deed, public procurement: High LoA (QES)

Common mistakes

• Using SES for everything (under-dimensioned)

• Stacking authentication unnecessarily (friction)

• Not logging methods used (weakened proof)

• Collecting too much biometric data (GDPR)

Protection against attacks

• Phishing: train signers to verify sender

• Man-in-the-middle: TLS 1.3 mandatory

• SIM swapping: OTP app for very high stakes

• Video KYC deepfakes: liveness checks + cross-verification

Practical case: neo-bank

Account opening journey:

• Trusted email

• OTP SMS

• ID document upload

• Liveness test (selfie)

• Sanctions database cross-check

• AES signature

LoA: substantial. ACPR compliant. Process in 10 minutes.

How Certyneo helps you

Certyneo offers all common mechanisms: email, OTP SMS (via Twilio Verify), qualified certificate integration for QES, optional video KYC, FranceConnect+ integration. Each method is logged in the audit trail.

Discover Certyneo's electronic signature solution

FAQ

Is SMS secure enough?

For AES yes. For very high stakes, prefer OTP app or biometrics.

Is biometric data stored?

Not on server side (GDPR compliance). Templates remain on the device.

Can you combine multiple methods?

Yes, to strengthen proof.

Is FranceConnect+ recognised?

Yes, substantial level. Can trigger AES and QES.

What happens if the OTP expires?

The signer can request a new one. Anti-brute-force limits in place.

Conclusion

Good authentication is graduated, traced, and tailored to the stakes. Over-authenticating creates friction; under-authenticating weakens proof. The balance is found document by document.

Try Certyneo to send, sign and track your documents online simply, quickly and securely.