Authentication, Attribution & Identity

By Ken Moyle

 As practitioners in the Digital Transformation space, we hear our share of concerns about authentication, especially in the area of electronic contracts. When we get asked, we find it’s important to clarify what is meant by authentication.  For example: 

  • In IT terms, authentication means using a previously issued credential to grant access to a system.  So, when I use my userID and password to log onto my email account, I have authenticated myself.
  • In legal terms, authentication means proving the genuineness of a document or any part of it, including a signature.  To get a document entered into evidence, I will need to establish a foundation and I will need to fend off any objections to the authenticity of the document or its contents.

When we are talking about signatures, neither of those definitions really fits. And that’s because we often will use the term “authentication” when we really mean “attribution.” After all, as a party relying on the veracity of a written instrument, I simply want to know that the signer’s identity was established, and that he or she executed the document.

You must establish the identity of the person, and then you must attribute the actions of that identity to the document.
Whether you are issuing a credential to someone or trying to prove their ties to a document, the establishment of identity is always the first step. Attribution then follows from the facts and circumstances of the transaction. 

The two pillars of US e-signature law, Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA), are technology neutral and are intended to give electronic records the same status as paper ones.  They do not attempt to create standards for levels of assurance or proof, since those are left to the facts and circumstances of every case, just like on paper.  Neither law addresses authentication. UETA, the state model statute, does address attribution in section 9, requiring that an electronic record or signature be attributable to a person if it was the act of a person, with the act of the person being shown in any manner:

SECTION 9.  ATTRIBUTION AND EFFECT OF ELECTRONIC RECORD AND ELECTRONIC SIGNATURE.
(a)  An electronic record or electronic signature is attributable to a person if it was the act of the person.  The act of the person may be shown in any manner, including a showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable.

(b)  The effect of an electronic record or electronic signature attributed to a person under subsection (a) is determined from the context and surrounding circumstances at the time of its creation, execution, or adoption, including the parties’ agreement, if any, and otherwise as provided by law.


So, the physical artifact – whether it’s a handwritten scrawl or an electronic stamp -- is essentially worthless if you cannot attribute it to the signer in the event of a challenge, either by the signatory himself or by a relying party or regulator. How you establish attribution for an electronic signature will be determined by your assessment of the risks involved, just like you would do with your paper records. 

Here is where it’s appropriate to use the term authentication, since a relying party may be satisfied that use of a credential (used to authenticate the signer) was sufficient to adequately attribute the signature to the signing party. Credentials are issued after an identity-proofing process, allowing the identified party to continue to benefit from the identity-proofing in future transactions. Whether I trust your credential enough to rely on it would be up to me as a relying party.

Since many folks will discover that their paper process was created long ago, digital transformation initiatives like yours provide a unique opportunity to take a fresh look at the attribution tools at their disposal to improve the risk profile of their transactions.  For some initial guidance on how to choose so-called authentication methods for your transactions, I’d recommend you read the comments to Section 9 of the 1999 Final Draft of the UETA. Then get some guidance on the latest trends in online identification.

One final thought: if you need independent help – whether it’s quick email/phone Q&A or a full-blown assessment of your program under standards such as SPeRSwe’re here to share our insights and advice. 

 Ken Moyle is President of K6 Partners LLC.

Comments

Post a Comment

Popular posts from this blog

SEC Cyber Unit files first charges

The Securities and Exchange Commission today announced it obtained an emergency asset freeze to halt a fast-moving Initial Coin Offering (ICO) fraud that raised up to $15 million from thousands of investors since August by falsely promising a 13-fold profit in less than a month. The SEC filed charges against a recidivist Quebec securities law violator, Dominic Lacroix, and his company, PlexCorps. The Commission's complaint, filed in federal court in Brooklyn, New York, alleges that Lacroix and PlexCorps marketed and sold securities called PlexCoin on the internet to investors in the U.S. and elsewhere, claiming that investments in PlexCoin would yield a 1,354 percent profit in less than 29 days. The SEC also charged Lacroix's partner, Sabrina Paradis-Royer, in connection with the scheme. Today's charges are the first filed by the SEC's new Cyber Unit. The unit was created in September to focus the Enforcement Division's cyber-related expertise on misconduct in
Read more

Stop passing blockchain laws

History has a way of repeating itself. Twenty years ago, when Amazon was just an experiment in online book sales and Google was just a Yahoo! copycat, nobody seemed to understand what the “Internet” actually was or how it would eventually affect our lives. That went double for lawyers, who in the mid-1990s pushed the panic button when the concept of online contracting became a reality. State lawmakers rushed to introduce statutes that would define and constrain this monster before it wrought havoc on the unsuspecting analog world of contract law. They came up with technology-specific, proscriptive rules for electronic signatures that, had they been successful, would have left the U.S. a patchwork of unworkable state laws that would have prevented electronic delivery and signatures for all kinds of transactions that we take for granted today. Fortunately, a model law called the Uniform Electronic Transactions Act (UETA) emerged that, in contrast to the initial view that online
Read more

Just Published: Free Library of Digital Policies

K6 Partners announced today the release of a free e-signature policy library at www.esignaturepolicies.com . “The lack of esignature policies–and the sense of certainty they provide– is the number 1 reason for delaying critical digital transformation initiatives,” said Ken Moyle , president of K6 Partners.  “The eSignature Policies site is designed to give transformation leaders a resource for learning more about esignature policy design.” Free Webinar: E-Signature Policies for the Public Sector K6 Partners previously announced that experts in public sector e-signature policy will offer a free webinar on July 11 , 2017 at 2:00 PM Eastern / 11:00 AM Pacific. Panelists from state and local governments will share insights on adopting and managing online citizen engagement. "State and local entities are looking for new ways to engage citizens and provide value through digital channels," Moyle said. "Yet they face challenges that are different from those faced by p
Read more