Signers are the people who will sign the documents.
-
You do not share your signers, and related due diligence you have done with them with other IgniSign clients!
Signers are segregated by applications and environments.
So, if you have 2 applications, the same person will be two different signer. -
Signers have claims. Claims are the information that have to be "verified" to be able to sign the document.
-
Some Claims are related to the identification, others to the authentication.
-
Signature Profiles define the claims that are needed to sign the document.
-
When signers launch a Signature session , Identification or Authentication Registration could be prompted to the signer to
VERIFYorDECLAREsome claims needed to properly sign the documents
To know which inputs are needed, you can use the API call Get Signer Creation Constraints
If you have a signer that is already created, but need to add some inputs, you can update it with the API call Update Signer.
This principle of claims could be a little bit complex to understand, but it's one of the key elements that allow IgniSign to be able to sign.
Globally you do not have to manage it, IgniSign do it for You.
Often, people don't realy understand the difference between Identification and Authentication.
In the Electronic Signature world, it's very important to distinguish them.
- Identification is the act of binding a, identity to an actor.
- Authentication is the act to enable access and features to an actor.
Depending of the level of signature, the identification could be Declared or Verified.
- If your signature is Electronic/Simple, the requester
Declarethe identity of the signer and send the request to the signer. - If your signature is Digital/Advanced or Digital/Qualified the identity of the signer must be
Verified.
Regarding the Digital/Advanced Signature:
-
An Automatic Video Onboarding:
The signer is invited to make a video of himself and to show his Id document (passport, ID card, driving licence, etc.) -
A Open Banking Identification:
The signer is invited to connect to his bank account and to share his identity.
No data about his account except his identity and the IBAN of his main account is stored by our services. -
A Social Security Number Verification (US only):
The Signer is invited to share his SSN. We verify the SSN with the Social Security Administration (SSA) and the IRS. -
An eID (electronic Identity) identification (EU only):
The signer is identified throw his eID.
We verify the eID with an eIDAS Node. High, Subtantial level are accepted (Notified or not Notified) -
A Delegated Identification:
The signer is verifier by the organization that initiate the signature request.
Regarding the Digital/Qualified Signature:
-
An Online Qualified Onboarding:
The signer is invited to make a video of himself and to show his Id document (passport, ID card, driving licence, etc.)
The elements are verified by a human operator. This processus is compliant with the eIDAS regulation. -
An eID (electronic Identity) identification (EU only):
The signer is identified throw his eID. We verify the eID with an eIDAS Node.
High Notified identity only are accepted. -
A Delegated Identification.
The signer is verifier by the organization that initiate the signature request.
Authentication of the signers is used to validate that the signer is the one previously identified during an identification session. During this identification, a registration of authentication factor is processed to associate the identity of the signer to its credentials.
Based on requirements defined into the Signature Profile, different configuration are available
| Legally Binding Level | First Factor | Second Factor |
|---|---|---|
| Electronic/Simple | BySide: Email-Token Embedded: Signer-Secret | N/A |
| Digital/Advanced | BySide: Email-Token Embedded: Signer-Secret | - SMS-Nonce - TOPT - PassKey - eID |
| Digital/Qualified | BySide: Email-Token Embedded: Signer-Secret | - SMS-Nonce - TOPT - PassKey - eID |
When you use an Electronic/Simple signature, only one factor is required. When you use a Digital/Advanced or Digital/Qualified signature, two factors are mandatory.
below, a description of the different authentication methods available:
-
Email-Token
The signer receive an email with a link to access to a Signature Session.
The link contains a token that is used to authenticate the signer. -
Email-Nonce
The signer receive an email with a secret (6 numbers).
The Signer have to input them during the Signature Session.
This authentication method is used in the Electronic/Simple signature level in the case of an embedded signature because it's mandatory that IgniSign keep at least one authentication factor on its sole control. -
Signer-Secret
When the signer is created, a secret is generated and sent to the application by Webhook
The application have to provide the secret when the Signature Session. is initialized.
More information about this method is available in the Delegation of Authentication section -
SMS-Nonce
The signer receive a SMS with a secret (6 numbers).
The Signer have to input them during the Signature Session. -
TOPT
The signer initialize the TOTP during a authentication registration session (almost always linked to an Identification Session)
This intialization is done by scanning a QRCode with a mobile authentication application (Google Authenticator, Authy, ...)
The Signer have to input the secret generated by the application during the Signature Session. -
PassKey
The signer initialize a PassKey during a authentication registration session (almost always linked to an Identification Session).
The signer is invited to use its PassKey during the Signature Session.
PassKey is a technology linked to the W3C's WebAuthn standard.
This technology have been selected by Google, Apple And Microsoft to replace passwords (article)
This technology is mostly available on all modern browsers except Firefox for Now more info -
eID
The signer use its eID to authenticate itself.