Federated Signing

by Jan Ulrik Kjærsgaard on 08. August 2018

This article explores how federated signing can resolve some of the challenges banks face when onboarding customers online in the eIDAS and PSD2 era.

The challenges

Imagine you are an EU citizen intending to open a bank account in a member state, where you do not reside. Besides all the Know Your Customer (KYC) steps the bank performs, you are requested to sign a document with a Qualified Electronic Signature (QES), which is legally equivalent to a handwritten signature throughout the EU.

In your country of residence, your identity has been verified by a national Identity Provider (IdP), who provide authentication services. Since you are not yet a customer of the bank, your identity is not verified so you can’t yet use the digital signature service provided by the bank. Therefore, you might try to download the document to your desktop and use a signature service in your own country to sign the document and upload it to the bank portal.

With this approach, you, as an end-user, face a broken, inconvenient and cumbersome process. For the bank, even if it accepts such a signature, the broken flow and poor usability will have an impact on customer conversion rates. From a technical perspective, how can the bank know what signature format the user will produce when (s)he uses another digital signature service? Finally, the bank would like to leverage the digital signature service that it invested in and which is already fully integrated in the back-end bank systems.

These challenges are now common to banks, but also apply to many other businesses facing the same issue including the insurance sector, retail, telco, etc.

The idea behind Federated Signing

To keep the user in the flow and to produce a qualified signature format that the bank understands, the bank should use its own signature service. Since users are capable of using their electronic ID (eID) to authenticate themselves towards an IdP in their own country, the bank should integrate with that IdP and rely on an assertion provided by the IdP to activate the signing operation using the bank’s own signature service.

In remote signing solutions, delegated authentication is a common scheme used to authenticate the user and activate a signature operation. The idea is that another party, like an IdP, verifies the signatory’s authentication mean (e.g. password, biometric, OTP) and provides an assertion used by the signing service to identify the signatory and activate the signature key for its intended purpose.

By integrating with multiple IdPs throughout Europe, the bank can suddenly target a much wider audience than its domestic market, at a low cost. Since the IdPs already provide trusted eID and authentication services, this significantly reduces the costs for the bank who can then use those services with its own signing service for contract and transaction signing.

Architecture and signature flow

A simplified architecture containing the user with his/her browser accessing the bank signing service is described below. The banks signing service asks the user which IdP (s)he wants to use and redirects the browser to the IdP. In order for the IdP to ask the user for authentication and to authorize the signature, the redirect also contains session information, which includes information known to the user. It could be context relevant text, hash values, etc.

The IdP authenticates the user, while using the session information to display the relevant text and ask for signature authorization. The user who sees the familiar text approves the signing operation. The IdP creates an assertion which contains user information and session information and returns it to the Bank Signing Service using a redirect. The dependencies of the relevant parties for delegated authentication are depicted in Figure 1.

 Federated-signing-figure-1

Figure 1: Delegated Authentication

When the Bank Signing Service has verified the assertion, it extracts user information and establishes a certified key pair, which is used to create the Qualified Electronic Signature.

The whole signature flow, including the authentication is shown in Figure 2.

Federated-remote-signing-eIDAS-Cryptomathic

Figure 2: Signature Flow

Conclusion

Federated Signing is an elegant way to solve the challenges of onboarding customers in a frictionless manner, while ensuring non-repudiation and contract fulfillment based on electronic signatures with the desired format and assurance level.

This requires the signing service to integrate with identity providers and for the identity providers being able to display the context relevant information. Cryptomathic Signer is designed to enable federated signing and we are proud to integrate with common standards used by IdPs for user authentication.

 

Download white paper

References and Further Reading

  • COMMISSION DELEGATED REGULATION (EU) supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
  • Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more

Image: orange-lined sweetlips, courtesy of esormikin, Flickr (CC BY-ND 2.0)

 

Want to know how we can help ?

Get in touch to better understand how our solutions secure ecommerce and billions of transactions worldwide.