Digital Signatures

The recognition of digital signatures as a valid (and more reliable) form of authentication is happening far too slowly. Whilst this form of authenticating communications from an individual is widely used in niche (generally technology-centric) communities, our security is being compromised by its lack of wider recognition.

A secure scenario:

John needs to make a significant change to his fund through his financial institution. He emails instructions to the organisation and signs them with his digital key using appropriate software. Most email clients now support this function, or free add-ons are available.

Upon receipt of this email, John's financial institution verifies that the instructions are indeed from John by verifying the "fingerprint" of his key using freely available software. This fingerprint information has been provided by John earlier and stored in the client database. If the institution doesn't have a record of John's fingerprint on file, they simply ring John and verify it over the phone, and possibly ask some additional security questions as is currently the practice. Once verified, the fingerprint is stored for future reference.
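
The acceptance decision in this scenario, written out as an added example that is not part of the original article. The function names, the `CLIENT_DB` record and the sample fingerprint are constructed for illustration, and the signature result and fingerprint are assumed to be reported by whatever software verified the email; rejecting fingerprints shorter than 32 hex digits is likewise an assumption.

```python
import hmac

# Constructed sample record: fingerprint John supplied earlier (not a real key).
CLIENT_DB = {"john": "3F2A 91C4 7B0E 5D66 A1F8 09CC 42E7 8B13 D5A0 6E9F"}

def normalize(fp):
    """Drop spaces/colons and upper-case, so display formatting is irrelevant."""
    cleaned = "".join(ch for ch in fp if ch not in " :\t").upper()
    if len(cleaned) < 32 or any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError("not a usable hexadecimal fingerprint")
    return cleaned

def check_sender(db, client_id, signature_valid, reported_fp):
    """Decide what to do with a signed instruction.

    signature_valid and reported_fp are assumed to come from the software
    that verified the signature; this function only applies the policy.
    """
    if not signature_valid:
        return "reject"                    # altered message or bad signature
    fp = normalize(reported_fp)
    stored = db.get(client_id)
    if stored is None:
        return "verify-by-phone"           # no fingerprint on file yet
    if hmac.compare_digest(normalize(stored), fp):
        return "accept"
    return "reject"                        # valid signature, but not the key on file

def enrol_after_phone_check(db, client_id, reported_fp, confirmed_by_phone):
    """Store a fingerprint only after the client confirmed it by phone."""
    if not confirmed_by_phone or client_id in db:
        return False                       # never overwrite a stored record
    db[client_id] = normalize(reported_fp)
    return True

if __name__ == "__main__":
    db = dict(CLIENT_DB)
    print(check_sender(db, "john", True, "3f2a91c47b0e5d66a1f809cc42e78b13d5a06e9f"))
    print(check_sender(db, "john", True, "00" * 20))
    print(check_sender(db, "mary", True, "AB" * 20))
```

A validly signed message from a key that does not match the stored fingerprint is rejected rather than re-enrolled, so a changed key has to go back through the phone check.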

 

The less secure scenario:

Currently, in most cases when a client like John wants to interact with an institution he will email or call them. Absurdly, most institutions consider digitally signed email insecure and request that the client e-mail or fax a scanned document with a scribble at the bottom to verify that person's identity. Alternatively, if called, the institution will request some "personally identifiable" information.

Think for a moment how vulnerable this information is. Your signature is everywhere: driver's license, backs of credit cards, library card, mortgage contract, job application. Incredibly exposed. If it were a password, its security would be laughable. With every device having a camera attached today, duplication is trivial. What about the verification of "personal information" over the phone: mother's maiden name, first pet, date of birth, address? These represent a limited challenge to a committed identity thief. Just ask Sarah Palin. One cheaply intercepted cordless phone call and someone can have all of it.

Use the best solution available

On some levels the traditional signature has always been broken. Whether it's the school kid forging a parent's signature for a day off, someone forging a spouse's credit card signature on a shopping spree, or the real estate agent slipping that extra sheet of the contract in with all the nasty clauses, the traditional signature has never been a reliable form of authentication. Sure, there are writing experts who can pick apart the curls and swirls of traditional signatures in important cases, but most of them freely acknowledge the greyness of their work. Interestingly, much of this work relies on pressure and speed information, which is usually destroyed when a signature is scanned or faxed.

Digital signatures may not be perfect (very smart people with supercomputers can break them) but they're considerably better than a little bit of scribble at the bottom of a piece of paper, verifying somebody's DOB or a bit of wax moulded into shape. The sooner organisations recognise digitally verified communications from their clients, the more secure we will all be. The best part is you can get all the benefits of this secure form of authentication, and encryption, for free!

For a guide on how easy it is to start using this email encryption and signing technology check out our introduction to getting started for free or contact us.