Digital signatures must use MFA
Digital signatures are increasingly used in companies and public administrations. However, without adequate cybersecurity measures, this method can become a vector for cybercriminals and fraudsters: through social engineering they can trick a signer into believing a document is legitimate and, by way of that signature, obtain authorization to carry out other operations without the signer's consent, among many other malicious activities. So, how can we avoid this?
Electronic vs. digital signatures
First, it is important to distinguish between the concepts of an electronic signature (e-signature) and a digital signature, because security is precisely what sets them apart. Although many media and sources use these terms interchangeably, all digital signatures are electronic, but not all e-signatures are digital.
In theory, the purpose of an e-signature is to verify the authenticity of the document, but digital signatures go beyond that. They are a specific type of e-signature that provides additional security. In addition to ensuring the authenticity of the document, they employ standardized cryptographic methods such as digital certificates (e.g. the certificates used for SSL/TLS) to ensure that no third party interferes with the process. To offer the highest guarantee that the signers are legitimate, some form of multi-factor authentication (MFA) must be included; at certain security levels it is already built into digital signature certificates (DSCs).
Security levels
Digital signature certificates are divided into three categories:
- Class 1 (DSC1): this represents a basic level of security, as signers are only validated by email and/or password. Therefore, these certificates are not suitable for legal documents and are only valid for very low-risk environments and documents.
- Class 2 (DSC2): this is the most common level for securely signing documents. In this case, the authenticity of the signer is checked against a pre-established database in which the signer was verified at registration and, increasingly, a second layer of verification confirms that the person signing is the signer on record.
- Class 3 (DSC3): this is the highest level of security, but also the least practical, as it requires an organization or third party to be present to verify the signer's identity before the signature is made. For this reason, its use tends to be restricted to legal documents where the consequences of a security breach could be very serious.
For the vast majority of documents for organizations, a DSC2 certification should be sufficient, as the processes that require DSC3 certification are generally too costly in terms of resources and time.
However, it is imperative that these DSC2 certificates include an additional method of verification. Bear in mind that 61% of data breaches involved the victim's credentials. If cybercriminals have obtained those credentials, they could use a digital certificate that was issued earlier on the strength of them. But if the organization has a second method of verification, such as an MFA service that is easy to manage and highly secure, the chances of documents being manipulated fall significantly. The most advanced solutions go further and bind the MFA factor to the mobile phone itself, so that only the authorized device is accepted and attackers cannot use a cloned phone.
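The point above, that a stolen password must not be enough to produce a signature, shown as an added Go example (not code from the original article): a signing service holds an Ed25519 key and uses it only after both a password and an RFC 6238 TOTP code have been checked. Certificates are left out for brevity; the seed, password, TOTP secret and document are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Signer keeps the private key and releases a signature only after two factors pass.
type Signer struct {
	priv       ed25519.PrivateKey
	passHash   [32]byte // SHA-256 for brevity; use a slow KDF such as Argon2 in practice
	totpSecret []byte
}

// NewSigner derives an Ed25519 key from a 32-byte seed and enrols both factors.
func NewSigner(seed []byte, password string, totpSecret []byte) *Signer {
	return &Signer{ed25519.NewKeyFromSeed(seed), sha256.Sum256([]byte(password)), totpSecret}
}

// TOTP computes an RFC 6238 code: 6 digits, 30-second step, HMAC-SHA1.
func TOTP(secret []byte, t time.Time) uint32 {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
}

// Sign refuses to use the key unless both factors pass: a stolen password alone is not enough.
func (s *Signer) Sign(doc []byte, password string, code uint32, now time.Time) ([]byte, error) {
	ph := sha256.Sum256([]byte(password))
	if !hmac.Equal(ph[:], s.passHash[:]) {
		return nil, fmt.Errorf("first factor failed: bad password")
	}
	if code != TOTP(s.totpSecret, now) {
		return nil, fmt.Errorf("second factor failed: bad TOTP code")
	}
	return ed25519.Sign(s.priv, doc), nil
}
```

Anyone holding only the password receives an error rather than a signature, while the signature that is released verifies against the public key that a certificate would bind to the signer.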