Signer Authentication: Methods and Challenges

Why Authentication Is Critical

Signer authentication is the weakest link in the proof chain. Without it, it's impossible to prove who actually signed. A modern signature platform must offer multiple graduated mechanisms.

Available Methods

Trusted Email

The signer receives a unique link at their email address. Only the email account holder can click it. Simple and effective for SES.

Residual risk: Email account compromise. Acceptable for low-stakes documents.

OTP via SMS

One-time code sent to phone number. Combined with email = AES.

Residual risk: SIM swapping (rare but known for high-value targets).

OTP via Application

Code generated by an app (Google Authenticator, Authy, Twilio Authy). More secure than SMS for high-stakes scenarios.

Biometry

Fingerprint, facial recognition. Used on mobile to streamline experience. Not stored server-side (GDPR compliance).

Personal Certificate

Cryptographic certificate issued by a QTSP, stored on a device (YubiKey, smart card). Mandatory for QES.

Video KYC

Identity verification via video conference or recording. Used in regulated sectors (banking, insurance).

National Digital Identity

FranceConnect+, itsme (Belgium), SPID (Italy). Recognized "substantial" level by eIDAS.

Assurance Levels (LoA)

eIDAS defines three levels:

Level | Requirement | Example

Low | Email or equivalent | SES

Substantial | Two-factor | AES (email + OTP)

High | Strict identity verification | QES, video KYC

Alignment with Stake Level

• Internal document, purchase order: Low LoA (SES) is sufficient

• Employment contract, lease, NDA: Substantial LoA (AES)

• Notarial deed, public contract: High LoA (QES)

Common Mistakes

• Using SES for everything (undersized)

• Stacking unnecessary authentications (friction)

• Not logging methods used (weakened proof)

• Collecting too much biometric data (GDPR)

Protection Against Attacks

• Phishing: Train signers to verify sender

• Man-in-the-middle: TLS 1.3 mandatory

• SIM swapping: OTP app for very high stakes

• Deepfake video KYC: Liveness checks + cross-validation

Real Case: Neo-Bank

Account opening journey:

• Trusted email

• OTP SMS

• ID upload

• Liveness test (selfie)

• Sanction list cross-check

• AES signature

LoA: substantial. ACPR compliant. Process in 10 minutes.

How Certyneo Helps You

Certyneo offers all common mechanisms: email, OTP SMS (via Twilio Verify), qualified certificate integration for QES, optional video KYC, FranceConnect+ integration. Each method is logged in the audit trail.

Discover Certyneo electronic signature solution

FAQ

Is SMS Secure Enough?

For AES yes. For very high stakes, prefer OTP app or biometry.

Is Biometry Stored?

Not server-side (GDPR compliance). Templates remain on the device.

Can Multiple Methods Be Combined?

Yes, to strengthen proof.

Is FranceConnect+ Recognized?

Yes, substantial level. Can trigger AES and QES.

What Happens If OTP Expires?

The signer can request a new one. Anti-brute-force limits in place.

Conclusion

Good authentication is graduated, logged, and tailored to stake level. Over-authenticating creates friction; under-authenticating weakens proof. The balance is found document by document.

Try Certyneo to send, sign and track your documents online simply, quickly and securely.