Authentication, Attribution & Identity
As practitioners in the Digital Transformation space, we hear our share of concerns about authentication, especially in the area of electronic contracts. When we get asked, we find it’s important to clarify what is meant by authentication. For example:
In IT terms, authentication means using a previously issued credential to grant access to a system. So, when I use my userID and password to log onto my email account, I have authenticated myself.
In legal terms, authentication means proving the genuineness of a document or any part of it, including a signature. To get a document entered into evidence, I will need to establish a foundation and I will need to fend off any objections to the authenticity of the document or its contents.
When we are talking about signatures, neither of those definitions really fits. And that’s because we often will use the term “authentication” when we really mean “attribution.” After all, as a party relying on the veracity of a written instrument, I simply want to know that the signer’s identity was established, and that he or she executed the document.
You must establish the identity of the person, and then you must attribute the actions of that identity to the document.
Whether you are issuing a credential to someone or trying to prove their ties to a document, the establishment of identity is always the first step. Attribution then follows from the facts and circumstances of the transaction.
The two pillars of US e-signature law, Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA), are technology neutral and are intended to give electronic records the same status as paper ones. They do not attempt to create standards for levels of assurance or proof, since those are left to the facts and circumstances of every case, just like on paper. Neither law addresses authentication. UETA, the state model statute, does address attribution in section 9, requiring that an electronic record or signature be attributable to a person if it was the act of a person, with the act of the person being shown in any manner:
SECTION 9. ATTRIBUTION AND EFFECT OF ELECTRONIC RECORD AND ELECTRONIC SIGNATURE. (a) An electronic record or electronic signature is attributable to a person if it was the act of the person. The act of the person may be shown in any manner, including a showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable. (b) The effect of an electronic record or electronic signature attributed to a person under subsection (a) is determined from the context and surrounding circumstances at the time of its creation, execution, or adoption, including the parties’ agreement, if any, and otherwise as provided by law.
So, the physical artifact – whether it’s a handwritten scrawl or an electronic stamp -- is essentially worthless if you cannot attribute it to the signer in the event of a challenge, either by the signatory himself or by a relying party or regulator. How you establish attribution for an electronic signature will be determined by your assessment of the risks involved, just like you would do with your paper records.
Here is where it’s appropriate to use the term authentication, since a relying party may be satisfied that use of a credential (used to authenticate the signer) was sufficient to adequately attribute the signature to the signing party. Credentials are issued after an identity-proofing process, allowing the identified party to continue to benefit from the identity-proofing in future transactions. Whether I trust your credential enough to rely on it would be up to me as a relying party. Since many folks will discover that their paper process was created long ago, digital transformation initiatives like yours provide a unique opportunity to take a fresh look at the attribution tools at their disposal to improve the risk profile of their transactions. For some initial guidance on how to choose so-called authentication methods for your transactions, I’d recommend you read the comments to Section 9 of the 1999 Final Draft of the UETA. Then get some guidance on the latest trends in online identification. One final thought: if you need independent help – whether it’s quick email/phone Q&A or a full-blown assessment of your program under standards such as SPeRS—we’re here to share our insights and advice.