This article examines how federated signing can help banks overcome some of the obstacles they face when onboarding customers online in the era of eIDAS and PSD2.
Imagine you are an EU citizen intending to open a bank account in a member state where you do not reside. Besides all the Know Your Customer (KYC) steps the bank performs, you are requested to sign a document with a Qualified Electronic Signature (QES), which is legally equivalent to a handwritten signature throughout the EU.
In your country of residence, your identity has been verified by a national Identity Provider (IdP) that offers authentication services. Since you are not yet a customer of the bank, the bank has not verified your identity, so you cannot use the bank's digital signing service yet. Instead, you might try downloading the document to your desktop, signing it with a signature service in your home country, and uploading it to the bank portal.
With this approach, you as a customer face a broken, inconvenient and cumbersome process. For the bank, even if it accepts such an electronic signature, the broken flow and poor usability will have an impact on customer conversion rates. From a technical perspective, how can the bank know what signature format the user will produce when s/he uses another digital signature service? Lastly, the bank would like to use the digital signature service it invested in, which is already fully integrated into the back-end bank systems.
These challenges are now typical for many banks, but they also happen in other industries, such as insurance, retail, telecommunications, etc.
The idea behind Federated Signing
The bank should use its signature service to keep the user in the flow and produce a qualified signature format that the bank understands. Since users are capable of using their electronic ID (eID) to authenticate themselves towards an IdP in their own country, the bank should integrate with that IdP and rely on an assertion provided by the IdP to activate the signing operation using the bank’s own signature service.
In remote signing solutions, delegated authentication is a common scheme used to authenticate the user and activate a signature operation. The idea is that another party, like an IdP, verifies the signatory’s authentication methods (e.g. password, biometric, OTP) and provides an assertion used by the signing service to identify the signatory and activate the signature key for its intended purpose.
By integrating with multiple IdPs throughout Europe, the bank can suddenly target a much wider audience than its domestic market, at a low cost. Since the IdPs already provide trusted eID and authentication services, this significantly reduces the costs for the bank, which can then use those services with its own signing service for contract and transaction signing.
Architecture and signature flow
A simplified architecture containing the user with his/her browser accessing the bank signing service is described below. The bank signing service asks the user which IdP (s)he wants to use and redirects the browser to the IdP. For the IdP to ask the user for authentication and to authorize the signature, the redirect also contains session information, including information known to the user. It could be context-relevant text, hash values, etc.
The IdP authenticates the user while using the session information to display the relevant text and ask for signature authorization. The user who sees the familiar text approves the signing operation. The IdP creates an assertion that contains user information and session information and returns it to the Bank Signing Service using a redirect. The dependencies of the relevant parties for delegated authentication are depicted in Figure 1.
Figure 1: Delegated Authentication
When the Bank Signing Service has validated the assertion, it extracts user information and a certified key pair, which is used to generate the Qualified Electronic Signature.
The whole signature flow, including the authentication, is shown in Figure 2.
Figure 2: Signature Flow
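The checks a bank signing service could run on the returned assertion before activating the signing key, as an added example that is not Cryptomathic's code. The function names and claim fields are assumptions for illustration, and an HMAC stands in for the IdP's signature on the assertion.

```python
import hashlib, hmac, json, secrets

# Constructed demo key; stands in for the IdP's signature verification key.
IDP_KEY = b"demo-key-not-for-production"

def start_session(document: bytes, display_text: str) -> dict:
    """Bank side: session information carried to the IdP in the redirect."""
    return {"session_id": secrets.token_hex(16),
            "doc_hash": hashlib.sha256(document).hexdigest(),
            "display_text": display_text}

def idp_issue_assertion(session: dict, subject: str, now: float) -> dict:
    """IdP side (simulated): assert the user plus the session info they approved."""
    claims = {"sub": subject, "session_id": session["session_id"],
              "doc_hash": session["doc_hash"], "exp": now + 120}
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    return {"claims": claims, "mac": mac}

def validate_assertion(assertion: dict, session: dict, document: bytes,
                       now: float, used_sessions: set) -> str:
    """Bank side: return the subject if signing may be activated, else raise."""
    claims = assertion["claims"]
    body = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        raise ValueError("assertion not issued by trusted IdP")
    if now > claims["exp"]:
        raise ValueError("assertion expired")
    if claims["session_id"] != session["session_id"]:
        raise ValueError("assertion belongs to another session")
    if claims["session_id"] in used_sessions:
        raise ValueError("assertion replayed")
    # The user authorized one specific document; sign nothing else.
    if claims["doc_hash"] != hashlib.sha256(document).hexdigest():
        raise ValueError("user approved a different document")
    used_sessions.add(claims["session_id"])  # one signature per authorization
    return claims["sub"]
```

Binding the assertion to the session and the document hash is what ties the user's approval at the IdP to the exact document the bank then signs.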
Federated Signing is an elegant way to solve the challenges of onboarding customers in a frictionless manner while ensuring non-repudiation and contract fulfillment based on electronic signatures with the desired format and assurance level.
This requires the signing service to integrate with identity providers, and the identity providers to be able to display context-relevant information. Cryptomathic Signer is designed to enable federated signing, and we are proud to integrate with common standards used by IdPs for user authentication.
Image: orange-lined sweetlips, courtesy of esormikin, Flickr (CC BY-ND 2.0)