Biometrics reports in the media tend to concentrate on high-profile security applications, mainly physical access control and ID cards. Besides this "Biometric mainstream", other Biometrics are emerging as well, such as Dynamic Signature Recognition.
There is one major business driver behind the growth of Dynamic Signature Recognition: the aim to go paperless is in higher demand than ever - especially in banking and insurance, but in a lot of other applications as well. All prospects share one common goal: to achieve trustworthy processes that are safe, secure and conducive to proving an individual's true intent. In applications where signatures are established as the de facto means of confirming the intent of an individual, Dynamic Signature Recognition offers a pretty smooth migration from paper to electronic processes. At the end of the day, the first stage is not "fully blown Biometrics" but rather a step-by-step movement away from paper.
Despite a general trend towards process automation, a lot of people want to continue relying on signatures and seek options to use them in electronic processes, too. It is easy to understand why, as they are unique to a signer and offer a clear proof of his intent. Additionally, recipients of a document can rely on the non-repudiation of a signature. Throughout recent years major progress in this segment was achieved by a few vendors that learned to fully understand the business application requirements; business cases were solidified, and more and more vendors concentrate on selling solutions rather than technology alone. As signatures play a major role in the banking world, the adoption speed is rather slow: several opinion leaders need to be convinced that software and hardware are finally robust enough for a mass roll-out, and quite a number of legal questions need to be sorted out. In addition, projects with Dynamic Signature Recognition suffered from being overruled by "even more important projects" or from impacts such as the Subprime crisis, which has put a lot of projects in the US on hold. The good news is that economies besides the usual suspects in America and Europe, such as South Africa, Australia or Brazil, are becoming more and more important for that sector. Some of them are very fast in adopting new technologies.
In recent months the major software vendors in this sector came up with an increasing number of contract announcements as well as case studies published on their websites and in press releases - some of them with prominent names and a large number of users. It seems as if this market is now ready for growth. There even exist quite a number of YouTube clips that explain the technology and applications - just key in "signature verification" to get an idea.
There have also been quite a few changes in alliances in recent times, and some of the players in the market have switched their buddies or changed ownership. Some pretty new start-ups populate the market as well and try to get their share of it. So there is now a dynamic development in this Biometrics segment, which has seen some slower development in recent years.
Some Signature Terminology
There is quite a lot of confusion around the terminology of “digital signatures” or electronic signatures. This presentation concentrates on the aspects of handwritten signatures digitized throughout the signing process - so-called “dynamic” signatures (the term used hereinafter), which are also sometimes referred to as “biometric” or “on-line” signatures.
In the European Union all laws for electronic signatures are somewhat linked to the European directive 1999/93/EU. EU country laws for electronic signatures and their regulations are an implementation of this directive. This directive does not automatically specify a certain technology. However, it defines levels of electronic signatures which are considered as “simple”, “advanced” or “qualified”. There are several ways in which dynamic signatures may be used to create electronic signatures:
- The simple embedding of dynamic signature data into a document results in a “simple” electronic signature.
- The definition of “advanced electronic signatures” reflects that the trustworthiness of electronic documents is closely linked to the power of proof for authenticity and integrity in the particular application and workflow. So in addition to the option to verify the dynamic signature, this form of signature requires asymmetric encryption and the option to check that a document has not been tampered with (integrity check, typically via a hash code comparison). One of the products on the market for this kind of approach is trademarked “SignDoc” and manufactured by Softpro. The legal aspects have already been examined and communicated in a legal opinion by Professor Dr. Thomas Hoeren of the Institute for Information-, Telecommunication- and Media Law at the University of Muenster in Westphalia/Germany, and Judge at the Higher Regional Court in Duesseldorf. The quintessence of this extensive opinion sees SignDoc as an "equivalent surrogate to the conventional signing on a paper document", "which fulfils the formal aspects of the written form in an equivalent way". In other words: this kind of electronic signature may offer at least the same security as handwritten signatures on paper.
- Only qualified electronic signatures require the usage of digital certificates and trustworthy devices to carry those (usually a smart card). Dynamic signatures may be used in this environment to replace PINs and enhance the usability of this kind of electronic signature. The German law and regulation on electronic signatures has allowed this explicitly since mid-2001. Some laws add to the confusion by using differing terminology. For instance, the Austrian law uses the equivalent of a “secure electronic signature” instead of the EU terminology of a “qualified electronic signature”.
Quite often there is a misunderstanding that potential users need to decide whether to choose biometric or PKI-based electronic signatures. However it is also possible to choose both options at the same time depending on the level of security someone wants to achieve and the willingness to invest.
Broad Array of Use Cases
The idea of trustworthy digitizing of a handwritten signature was not in the minds of those who were responsible for law making in the late 90’s. Even today, quite a lot of people still tend to know little about how to use so-called dynamic (or biometric) signatures in digital processes. However, the technology has reached a mature stage and is being used by several customers in banking, insurance, government, education, retail and in the automotive industry. Another aim of this presentation is to provide a brief compilation of where this kind of technology is now leaving its mark in various business processes.
Business Value and User Acceptance
The business value of dynamic signatures is obvious: securing electronic documents with dynamic signatures makes it possible to minimize paper usage and related costs (printing, shipping, scanning, indexing), to reduce the loss of time and the potential for errors caused by media breaks, to speed up the workflow and to achieve a higher level of automation. Besides the financial view on return on investment, the social factor of user acceptance and the well-established form of unambiguous authentication with handwritten signatures are still underrated.
Signature Images are not enough
If a signature has to be non-repudiated, the processes of capturing, storing and verifying have to fulfil certain technical and legal requirements. Furthermore, the engine(s) used for signature verification must achieve an acceptable Equal Error Rate (EER).
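How an Equal Error Rate is obtained from a verification engine's scores, as an added example (not from the original article or from any vendor's engine). The similarity scores are constructed, and accepting scores at or above the threshold is an assumption.

```python
# Constructed similarity scores in 0..1 (higher = closer to the enrolled
# reference signature); not measurements from any real verification engine.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.95, 0.72, 0.86, 0.90, 0.67, 0.93]
FORGERY = [0.35, 0.52, 0.61, 0.48, 0.70, 0.29, 0.75, 0.44, 0.58, 0.81]


def error_rates(genuine, forgery, threshold):
    """Return (FAR, FRR) when a score >= threshold is accepted.

    FAR = share of forgeries accepted, FRR = share of genuine signers rejected.
    """
    far = sum(s >= threshold for s in forgery) / len(forgery)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, forgery):
    """Sweep every observed score as a candidate threshold and return
    (eer, threshold) at the point where FAR and FRR are closest."""
    best = None
    for t in sorted(set(genuine) | set(forgery)):
        far, frr = error_rates(genuine, forgery, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    return best[1], best[2]


if __name__ == "__main__":
    eer, threshold = equal_error_rate(GENUINE, FORGERY)
    print(f"EER {eer:.0%} at threshold {threshold}")
    # Moving the threshold trades one error for the other.
    for t in (0.60, threshold, 0.85):
        far, frr = error_rates(GENUINE, FORGERY, t)
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
```

The EER is a single comparison figure; a deployment picks its own operating threshold depending on whether an accepted forgery or a rejected genuine signer is the costlier error.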
- A lot of signatures today are taken with a low resolution. One example is the capturing devices that courier services are using. They capture a rather pixelated image of a signature that is usually not suitable for a later verification. Signatures taken on these devices may easily be claimed to be a forgery. Non-repudiation can only be achieved when the biometric characteristics of a signature are captured too, and when this information is securely bound to the signed document. The additional verification of dynamic signals offers a higher level of security. A signature whose image is similar to the reference signature may still be detected as a falsification because differences in their creation characteristics are discovered.
- Nowadays a lot of companies capture a signature image and embed it into documents somehow. They do not realize that this image will not allow any further verification process if its authenticity is in doubt. Furthermore, this process is not compliant with various e-sign laws throughout the world.
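The binding described for advanced electronic signatures (integrity check via hash comparison) and the requirement above that the captured signal be securely bound to the signed document, as an added example that is not SignDoc's or any vendor's code. HMAC-SHA256 with a demo key stands in for the asymmetric signature so the example runs on the standard library; the field names, pen samples, document text and device serial are constructed.

```python
import hashlib
import hmac
import json

# Assumption: a keyed MAC replaces the asymmetric signature the article
# describes; a real deployment would sign the record with a private key.
SEAL_KEY = b"constructed-demo-key"

# Constructed sample input: a document and pen samples [t_ms, x, y, pressure].
DOCUMENT = b"Account opening form, customer 0001 (constructed sample)"
PEN_SAMPLES = [[0, 120, 340, 210], [5, 124, 338, 260], [10, 131, 335, 305]]


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _seal(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SEAL_KEY, payload, hashlib.sha256).hexdigest()


def bind(document: bytes, pen_samples: list, device_serial: str) -> dict:
    """Seal the document hash together with the captured pen signal."""
    record = {
        "doc_sha256": _digest(document),
        "bio_sha256": _digest(json.dumps(pen_samples).encode()),
        "device_serial": device_serial,
    }
    record["seal"] = _seal(record)
    return record


def verify(document: bytes, pen_samples: list, record: dict) -> str:
    """Check the seal first, then both hashes it covers."""
    body = {k: v for k, v in record.items() if k != "seal"}
    if not hmac.compare_digest(_seal(body), record.get("seal", "")):
        return "seal invalid"
    if _digest(document) != body["doc_sha256"]:
        return "document altered or signature moved to another document"
    if _digest(json.dumps(pen_samples).encode()) != body["bio_sha256"]:
        return "pen signal altered"
    return "ok"
```

A signature image pasted into a file carries no such record, so nothing distinguishes the original document from one it was copied into.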
Capturing Reliable Signature Data
In order to understand what is necessary to trust a signature, it is important to keep in mind that forensic experts rely on the holistic analysis of signatures, i.e. they look at and take into account the paper features, type of stylus, the ink flow and “visible” pressure. Most forensic experts exposed to the analysis of dynamic signatures tend to forget to apply the same principles. The equivalent holistic approach for dynamic signatures must take into account which device was used for signature capture, the device features (see below) and maybe even the signing environment and the correlations to the signing process.
Signatures may be digitized during the signing process instead of scanning them from paper using a wide range of instruments: pen pads (with and without LC display), special pens and Tablet PCs. They allow a gradual move from paper-based documentation to electronic forms and straight-through-processing as well as upgrading the quality of signature verification in general.
Softpro has defined a set of quality criteria for capturing signatures with digitizing instruments. A proper comparison of static signature characteristics and dynamic signature signals requires a digitizing instrument that takes a sufficient number of time signals. It also has to be able to differentiate between various pressure levels and to provide an appropriate resolution rate. These requirements are also reflected in the standard for the interchange of biometric signature data (ISO/IEC FDIS 19794-7).
The Japanese hardware manufacturer Wacom and the German software specialist Softpro teamed up to provide the market with a best-of-breed solution. Its aim is to fully satisfy forensic experts when asked to analyze the signals captured. This specific Signature LCD tablet named SignPad is first demonstrated to a broad audience in the US at the BAI Retail Delivery Show 2007. The tablet has the capability to capture all distinct behavioural characteristics of an individual’s signature - including shape, speed, stroke, pen pressure and timing information. When assessing the products that are on the market today, the development partners received the feedback from forensic experts that today’s capturing devices may offer “some sort of interpretation option” but typically do not fulfil all of the aspects listed below:
- Forensic experts require precise information on the relation of force applied and pressure levels. Manufacturers must make this sort of “pressure curve chart” available to vendors of signature verification software and to the forensic experts.
- A reliable capturing device has to record the same pressure levels in all segments of the capturing area with the same precision when the same force is being applied.
- When capturing signatures on different tablets of the same type from the same manufacturer, signal data must not exceed a certain tolerance level; otherwise an analysis or verification would have to be adjusted to each device.
- The ergonomics of the writing tablet must reflect the typical signing situation and ideally provide for a “paper-like” surface (which imitates the writing feeling on paper as closely as possible).
- The capturing technology must exclude the capturing of unwanted “overspill” information such as signals from a thumb ball that touched the capturing surface while signing.
- In addition, for non-repudiation, security and auditing purposes, the capturing device must provide a unique serial number, a device id number and trustworthy communication between device (firmware) and device driver (operating system).
Where Dynamic Signatures are used today
To judge the business and legal relevance of dynamic signatures today, it is best to list some of the projects in the various vertical markets that use Softpro’s dynamic signature related products. While signature capturing and verification used to be a typical banking topic, it has become a truly horizontal application in recent years.
- Finance: IT-Processing Centers of German Savings Banks are offering their customers solutions to embed dynamic signatures securely into electronic documents in an Adobe LiveCycle environment: The first savings banks implemented signature capture at the teller for account openings, standing orders, exemption orders for capital gains, deposits and other banking products. A very large US bank (name cannot be disclosed at time of publication of this release) has embarked on a similar approach. The e-Finance-Lab, think tank of the German banking industry, has showcased the feasibility of replacing PIN/TANs with dynamic signatures for online banking at the D/A/CH Security conference in March 2006 in Duesseldorf.
- Insurance: Signing an insurance contract (for liability reasons the focus is on accident, life and health insurance) and documenting the consulting process that is required by EU legislation from July 1st 2007 onwards are triggers for several insurance companies to go paperless with either signature capturing tablets connected to a notebook or a Tablet PC.
- Real Estate: Increasingly popular among real estate agents - especially in the US - is the option of paperless contracting through signing on Tablet PCs.
- Automotive: The house bank of a big German car manufacturer evaluates a pilot for its dealers to sign leasing contracts on-line.
- Health: The Hospital of Ingolstadt is capturing and verifying the signatures of its doctors who fill in electronic patient records on Tablet PCs. The National Health Service in the United Kingdom has started a similar project.
- Telecommunication: Signing phone and DSL contracts in the telecom shops is another emerging market.
- Retail: In combination with a major payment solutions provider, pilots are under preparation to capture dynamic signatures at the point of sale. Another project blueprint sees loyalty card users authenticating themselves with dynamic signatures.
- Education: Paperless signing becomes an issue in this vertical as well. Projects are under way with counties in the US and various universities in the UK and the US, as well as usage in training classes in Germany.
- Government: The Chambers of Commerce in Saudi Arabia have chosen to authenticate their web portal users by verification of dynamic signatures.
