Signatory authentication: methods and issues
How to authenticate a signatory using an electronic signature: methods, levels, risks and best practices.
Certyneo Team

Why authentication is critical
The authentication of the signer is the weakest link of the chain of evidence. Without it, it is impossible to prove who actually signed. A modern signature platform must offer several graduated mechanisms.
Available methods
Trusted email
The signatory receives a unique link at their email address. Only the mailbox holder can open it. Simple, and effective for SES.
Residual risk: email account theft. Acceptable for low-stakes documents.
OTP via SMS
A one-time code is sent to the signatory's telephone number. Combined with email, this gives AES.
Residual risk: SIM swapping (rare but known for high-value targets).
OTP via app
Code generated by an app (Google Authenticator, Authy, Twilio Authy). Safer than SMS for high stakes.
Biometrics
Fingerprint, facial recognition. Used on mobile to streamline the experience. Not stored on the server side (GDPR compliance).
Personal certificate
Cryptographic certificate issued by a QTSP, stored on a device (YubiKey, smart card). Mandatory for QES.
Video KYC
Identity verification by videoconference or recording. Used for regulated sectors (banking, insurance).
National digital identity
FranceConnect+, itsme (Belgium), SPID (Italy). Recognized as “substantial” level by eIDAS.
Levels of Assurance (LoA)
eIDAS defines three levels:
Level | Requirement | Example
Low | Email or equivalent | SES
Substantial | Double factor | AES (email + OTP)
High | Strict identity verification | QES, video KYC
Matching the level to the stakes
- Internal document, purchase order: Low LoA (SES) is enough
- Employment contract, lease, NDA: Substantial LoA (AES)
- Notarial deed, public procurement contract: High LoA (QES)
Common errors
- Using SES for everything (insufficient assurance)
- Stacking authentications unnecessarily (friction)
- Not logging the methods used (weakened evidence)
- Collecting too much biometric data (GDPR)
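The level table, the document mapping and the first three errors above can be checked mechanically against an audit trail. The following is an added example, not Certyneo code: the method names, document-type keys and event format are assumptions made for the illustration, and the events are constructed.

```python
from enum import IntEnum

class LoA(IntEnum):
    LOW = 1          # email or equivalent (SES)
    SUBSTANTIAL = 2  # double factor (AES)
    HIGH = 3         # strict identity verification (QES)

# Required level per document type, following the list above (keys are assumed names).
REQUIRED = {
    "internal_document": LoA.LOW, "purchase_order": LoA.LOW,
    "employment_contract": LoA.SUBSTANTIAL, "lease": LoA.SUBSTANTIAL,
    "nda": LoA.SUBSTANTIAL, "notarial_deed": LoA.HIGH,
}
OTP = {"otp_sms", "otp_app"}
STRICT = {"qualified_certificate", "video_kyc"}

def achieved_loa(methods):
    """Level supported by the methods logged for one signer, or None."""
    methods = set(methods)
    if methods & STRICT:
        return LoA.HIGH
    if "national_eid" in methods or ("email_link" in methods and methods & OTP):
        return LoA.SUBSTANTIAL
    if "email_link" in methods:
        return LoA.LOW
    return None  # no usable method in the trail

def review(doc_type, audit_events):
    """Map each signer to 'ok', 'under', 'over' or 'unlogged'."""
    by_signer = {}
    for ev in audit_events:
        logged = by_signer.setdefault(ev["signer"], [])
        if ev.get("method"):
            logged.append(ev["method"])
    need, findings = REQUIRED[doc_type], {}
    for signer, methods in by_signer.items():
        got = achieved_loa(methods)
        if got is None:
            findings[signer] = "unlogged"   # weakened evidence
        else:                               # under-sized, friction, or matched
            findings[signer] = "under" if got < need else "over" if got > need else "ok"
    return findings

# Constructed audit-trail events for one NDA envelope.
EVENTS = [
    {"signer": "alice", "method": "email_link"}, {"signer": "alice", "method": "otp_sms"},
    {"signer": "bob", "method": "email_link"},
    {"signer": "carol", "method": "email_link"}, {"signer": "carol", "method": "qualified_certificate"},
    {"signer": "dave", "event": "signed"},  # signature recorded, no method logged
]
```

An "over" result is a prompt to review friction, not a defect in the evidence; "under" and "unlogged" are the cases that weaken proof.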
Protection against attacks
- Phishing: train signatories to verify the sender
- Man-in-the-middle: TLS 1.3 required
- SIM swapping: OTP by app for very high stakes
- Deepfake video KYC: liveness checks + cross-check
Concrete case: neo-bank
Account opening process:
- Trusted email
- OTP SMS
- Upload identity document
- Liveness test (selfie)
- Cross-check against sanctions databases
- AES Signature
LoA: substantial. ACPR compliant. Process in 10 minutes.
How Certyneo helps you
Certyneo offers all common mechanisms: email, OTP SMS (via Twilio Verify), integration of qualified certificates for QES, optional video KYC, FranceConnect+ integration. Each method is logged in the audit trail.
FAQ
Is SMS secure enough?
For AES, yes. For very high stakes, prefer an OTP app or biometrics.
Are biometrics stored?
Not on the server side (GDPR compliance). The templates remain on the device.
Can we combine several methods?
Yes, to strengthen the evidence.
Is FranceConnect+ recognized?
Yes, substantial level. Can trigger AES and QES.
What happens if the OTP expires?
The signatory can request a new one. Anti-brute-force limits are in place.
Conclusion
Good authentication is graded, traced, and adapted to the stakes. Over-authenticating creates friction; under-authenticating weakens the proof. The balance is found document by document.