A biometric signature is any signature on an electronic document in which the signer's identity is bound to the signature by capturing biometric data, which can be of many types: iris, voice, fingerprint, etc.
There is a specific type of biometric signature where the associated data is produced by physically signing on a device that can capture aspects of the signature (stroke, pressure, speed) that, taken together, make it unique. These are the electronic handwritten signatures that we make on graphics tablets. There is a wide variety of application scenarios, but some of the most common examples are debit or credit card payments (very typical in large shopping malls), receiving mail and parcels, signing car rental contracts, etc.
Since it is the most widely used type, the term "biometric signature" is generally taken to mean the one that captures the biometrics of the electronic handwritten signature.
These types of signatures are usually collected on dedicated tablets from manufacturers such as Topaz, Wacom, Symbol, etc., or even on tablets with capacitive (touch) screens such as iPads or some Android models.
Key concepts about digitized signature
The digitized signature is the simplest and most primitive version of the digital signature. It is the typical signature on a paper document, which is then scanned and collected in a digital document (jpg, pdf, etc.). It is very easy to forge. Although its security level is very low, it is still used in many business processes.
Legal aspects of digitized signature with biometric capture
If the digitization process is simply scanning the user’s handwritten signature on paper and then inserting it into the document, or scanning a document signed on paper in its entirety, it is a digitized signature that is very easy to forge. This is the lowest level of security. Some legal frameworks, such as the European one, do not even consider it an electronic signature.
If the operation is performed on a graphic tablet or touch screen, such as a mobile device, but only the trace is captured (the usual finger signature when picking up a package, for example), we are talking about a simple electronic signature, which is included as an example in the European eIDAS regulation as a legal signature, but with weak evidentiary value.
But if the signature is made on a graphic tablet that captures and stores more than one type of biometric data (stroke, speed, pressure), then sufficient security is guaranteed and it is considered an advanced electronic signature if it has the following characteristics:
- Identification of the signatory.
- Unique linkage to the signer and the signed data.
- Ability to detect any subsequent changes to the signature.
- Assurance that only the signer can generate the signature.
In short, Viafirma’s biometric signature is an advanced electronic signature that makes it possible to establish:
- That it is the signatory who has made the signature,
- That the document that was signed has not been modified (or if there have been modifications, what they are and where they are),
- At what time the signature was made (or being stricter, that at a given moment in time that signature already existed),
- And that the signature cannot be reused in subsequent documents.
Generation of biometric signature in Viafirma
Our solution leverages the cryptographic capabilities of the platform to perform the operations necessary to meet these requirements:
- A set of biometric signature data (pressure, stroke speed, etc.) is captured so that a handwriting expert can analyze whether the stored data matches the user’s handwritten signature.
- These data are NEVER in the possession of the service provider (owner of the application) or the software manufacturer (Viafirma), as they are sensitive data that would allow the signature to be forged at a later date. For this purpose, Topaz and Wacom devices perform local encryption on the device (which can only be decrypted with software delivered under court order). For iPad, Android, etc. tablets, our Viafirma application encrypts the biometric data with a key from a trusted third party, so that we cannot access it.
- Another series of data is captured, related to the document the user is signing, the signature device, etc.
- All this information is electronically signed, with the time stamp of a Certification Service Provider.
- The encrypted and signed results are attached to the signed document (on which the scanned signature is stamped). In other words, the result is a PDF containing the scanned signature, linked to a validatable and decryptable file that holds all the captured information and is included within the PDF file itself. In this way, the PDF is the only file needed in the whole process.
- We have an application that is responsible for validating all the results generated, and that, with the participation of the trusted third party, allows the recovery of the biometric data of the signature and its delivery to an expert, within the framework of a judicial action in the event of a possible repudiation of a biometric signature. This application can even detect later alterations to a signed document, showing the changes made, thus guaranteeing the requirements associated with an advanced electronic signature.
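The following is an added example, not Viafirma's code. It shows how sealing the document hash together with the hash of the encrypted biometric blob stops a captured signature from being reused on another document and exposes later changes. Assumptions: HMAC-SHA256 stands in for the certificate-based signature and time stamp, the biometric data arrives as an opaque ciphertext already encrypted for the trusted third party, and all names and sample values are constructed.

```python
import hashlib
import hmac
import json

# Assumption: stand-in for the provider's certificate-based signature and the
# Certification Service Provider time stamp (a real system signs asymmetrically).
SEAL_KEY = b"constructed-demo-key"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _seal(record: dict) -> str:
    # Canonical JSON so the same record always yields the same sealed bytes.
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, payload, hashlib.sha256).hexdigest()

def build_evidence(document: bytes, encrypted_biometrics: bytes,
                   device: str, signed_at: str) -> dict:
    """Bind the (already encrypted) biometric blob to exactly one document."""
    record = {
        "document_sha256": sha256_hex(document),
        "biometrics_sha256": sha256_hex(encrypted_biometrics),
        "device": device,
        "signed_at": signed_at,
    }
    return {**record, "seal": _seal(record)}

def verify_evidence(evidence: dict, document: bytes,
                    encrypted_biometrics: bytes) -> list:
    """Return the names of the failed checks; an empty list means it holds."""
    failures = []
    record = {k: v for k, v in evidence.items() if k != "seal"}
    if not hmac.compare_digest(_seal(record), evidence.get("seal", "")):
        failures.append("seal")        # evidence record itself was edited
    if record.get("document_sha256") != sha256_hex(document):
        failures.append("document")    # document changed, or blob reused elsewhere
    if record.get("biometrics_sha256") != sha256_hex(encrypted_biometrics):
        failures.append("biometrics")  # a different signature blob was attached
    return failures

# Constructed sample data: the provider only ever handles the ciphertext.
CONTRACT = b"Car rental contract #1 (constructed sample)"
OTHER_CONTRACT = b"Loan agreement #2 (constructed sample)"
BLOB = bytes.fromhex("a1b2c3d4") * 8
EVIDENCE = build_evidence(CONTRACT, BLOB, "tablet-demo", "2024-01-01T10:00:00Z")
```

This only detects that a change happened; locating and displaying the changes, as the validation application is described as doing, requires comparing document revisions and is outside this example.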
Of course, with Viafirma, it is also possible to use a simple electronic signature for processes with low security needs.