Authentication-based signatures in Dokobit portal: everything you need to know

Despite the eIDAS regulation in the EU, each country has different eIDs. Some are used merely for authentication, and some for both authentication and signing with an Advanced or Qualified Electronic Signature.

As a result, expanding into new markets inevitably brings new signature creation policies to the Dokobit portal. With that in mind, in Norway, Sweden, Finland, and Denmark, Dokobit allows creating authentication-based signatures. What are they, and are they to be trusted? Read on to find all the answers.

What is an authentication-based signature?

An authentication-based signature in the Dokobit portal is an Advanced Electronic Signature (AdES) as per the eIDAS regulation. It is uniquely linked to a signer by including the evidence required to prove that the specified signer performed the signing action. Such a signature in the Dokobit portal can be considered strong evidence in court.

An authentication-based signature in the Dokobit portal is created by collecting evidence that the person has consented to sign the document with a chosen eID, and adding an e-seal to that document to confirm their consent. In addition, we make sure that the person has seen the document and has consented to sign it with the chosen eID. We call this action a Signing ceremony.

How do we do that? The user authenticates for signing with the chosen eID, and then we collect evidence such as full name, birth date, personal code, IP address, browser information, document audit log, etc. We call this Evidences, and it is added as additional metadata in the PDF document.

The collected evidence makes it possible to assume that the document was signed by that specific person. We add this Evidences file to the PDF and add an electronic seal to it. According to eIDAS, this is how an Advanced Electronic Signature (AdES) is created: we link data to the signatory and ensure its integrity. The Signing ceremony is conducted in such a way that it is clear afterwards that the signer has willingly signed the document.

Our main distinction from other signing platforms is that we take financial responsibility for the Signing ceremony and for the fact that the signatory signed with a certain eID, rather than creating a made-up signature of our own. Our liability is defined in our authentication-based signatures policy. See more here.

How does it differ from a Qualified Electronic Signature?

Qualified Electronic Signatures (QES) are equivalent to handwritten ones and are accepted across the entire EU. With regard to signatures with qualified certificates, Trust Service Providers (TSP) are liable for the operation and security of eIDs.

However, not all eIDs are meant for signing; the purpose of some is only authentication. When it comes to AdES without a qualified certificate, most likely, neither the TSP nor the platform that allows creating a signature has defined procedures for creating a signature. This means that in such a case, the signing platforms can basically create their own process. Nevertheless, it's important to note that the platform doesn't necessarily hold any responsibility, as such a process is not regulated: platforms that allow drawing a signature or signing with eIDs without qualified certificates usually hold no responsibility for facilitating the process. If you draw a signature, can other people be sure that it was you who added the signature and confirmed the action? There is no solid proof.

Meanwhile, Dokobit’s authentication-based signatures can be considered AdES with strong evidence. Dokobit takes all responsibility and liability for how these signatures were created.

Verdict: can authentication-based signatures be trusted?

Can such signatures be trusted? The eID provider takes responsibility for identity proofing; meanwhile, Dokobit takes responsibility and liability for the fact that a specific user has consented to sign the document.

Although, in theory, an AdES could be challenged in court, we provide aggregated evidence proving the identity of a signatory and their consent to sign a document, meaning that it would be hard to challenge and negate such a signature. In addition, we are liable for the signatures created in the Dokobit portal. Thus, the answer is yes: authentication-based signatures in the Dokobit portal can be trusted.

In addition, Swedish BankID and Danish NemID are notified eIDs under the eIDAS regulation, which means that they are recognised as valid and trustworthy eID tools in the entire EU. Norwegian BankID is pre-reviewed, which means it is undergoing the process of notification. Although Danish MitID and Finnish Trust Network are not on the EU notified scheme list, they are widely used in those countries as the main electronic identification tools, showing that they are trusted by the locals.