Upload File

taking dynamic signatures seriously

3
9 November/December 2011 Biometric Technology Today FEATURE 5 Privacy Act of Canada. <http://www.priv. gc.ca/legislation/02_07_01_01_e.cfm> 6 Personal Identity Verification of Federal Employees and Contractors. <http://csrc. nist.gov/groups/SNS/piv/index.html> 7 Homeland Security Presidential Directive 12. <http://csrc.nist.gov/drivers/documents/ Presidential-Directive-Hspd-12.html> 8 Personal Identity Verification (PIV) Interoperability For Non-Federal Issuers. <http://www.idmanagement.gov/docu- ments/PIV_IO_NonFed_Issuers_May2009. pdf> 9 Unique Identification Authority of India (UIDAI) <http://uidai.gov.in/> 10 Soutar, Colin, ‘Security Considerations for the Implementation of Biometric Systems’ Automatic Fingerprint Recognition Systems (2004), pp 415-431. <http://www.springer- link.com/content/p23448431g727x5l/> 11 Ratha, NK, Connell, JH, Bolle, RM, ‘Enhancing security and privacy in biometrics- based authentication systems’, IBM Systems Journal, 2001, vol. 40, no. 3, pp614-634. 12 MINEX Minutiae Exchange. <http://www. nist.gov/itl/iad/ig/minex.cfm> 13 FpVTE 2003 Fingerprint Vendor Technology Evaluation. <http://www.nist. gov/itl/iad/ig/fpvte03.cfm> 14 Facial Recognition Vendor Test 2000. <http://frvt.org/FRVT2000/default.htm> 15 National Physical Laboratory Biometric Testing. <http://www.npl.co.uk/mathemat- ics-scientific-computing/biometrics/> 16 International Labour Office Biometric Testing. <http://www.ilo.org/public/english/dialogue/ sector/papers/maritime/sid-test-report1.pdf> 17 Biometric Evaluation Methodology. <http:// www.cesg.gov.uk/policy_technologies/ biometrics/media/bem_10.pdf> 18 ‘The Security Stack: A White Paper’. <http://www.csc.com/cybersecurity/ insights/53094-the_security_stack_a_ white_paper> 19 Privacy by Design. <http://www.ipc.on.ca/ english/Privacy/Introduction-to-PbD/> 20 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. <http://www.oecd.org/document/18/0,334 3,en_2649_34255_1815186_1_1_1_1,00. html> 21 NIST Special Publication 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). <http://csrc. nist.gov/publications/PubsSPs.html> 22 General Accounting Office Report 08-536 – ‘Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information’. <http://www.gao.gov/new. items/d08536.pdf> Taking dynamic signatures seriously Jörg Lenz While the usage of fingerprints is widely under- stood the usage of signatures for biometric authentication is still widely misunderstood by potential users and some doubt if signatures meet the definition of a biometric method at all. Yet signature recognition offers an auto- mated recognition of individuals on a par with any other biometric method. Signature biometrics Elisa van den Heuvel of the Netherlands Forensic Institute says, “Signatures are part of the hand- writing process. The signature of each individual is assumed to be unique because of the complex nature of the writing process, the relatively large number of elements and the variability over writ- ers in the forms of these elements.” Handwritten signatures can be electronically captured in two ways: either dynamically where the movement (position, velocity and accelera- tion) of the pen on the pad can be recorded as a function of time, or statically, where the sig- nature image itself (x,y coordinates of the pen line on the pad) can be recorded. In either of these cases, the recorded signal is the result of both the biology (handedness) and the learned and practised behaviour of the individual. Signatures from left handed and right handed people can often be distinguished. Signatures are also a signal of behaviour. Celebrities often have one signature for auto- graphs and another for contracts, indicating two different behaviours depending upon con- text. Signatures are biological and behavioural characteristics that can be used to automatically recognise individuals and thus meet the defini- tion of a biometric method. Challenges The recognition of fingers, faces, or veins and the like is primarily used for identification purposes and to control access. The purpose of signature recognition is usually different. Traditionally signatures on paper are captured for proof of intent like triggering a transaction. In a digital workflow, signatures are linked to an electronic documents and its content. E-signing is the usual term for this procedure. Handwritten signatures play different roles in the various e-signing solutions on the market. In some click-to-sign solutions they are used as a graphical representation only. Previously stored signature images are added to a document, which was signed by a click. The intent of a signer is hard to prove with this kind of system. “Some vendors are replacing clicks with signatures again as smartphones and tablets like Apple iPad allow for capturing the signatures of mobile users onscreen” Initially these systems were designed to replace handwritten signatures for signing on the go with a click. More sophisticated systems include challenge-response elements or time stamping. Today some vendors are replacing clicks with signatures again as smartphones and tablets like Apple iPad allow for capturing the signatures of mobile users onscreen. Some of these devices offer surprisingly reliable captur- ing of biometric characteristics too. Jörg Lenz, Softpro The mainstream biometric sector consists of applications based on anatomical traits like fingerprint, iris, face, hand geometry or veins. Biometric behavioural traits like the rhythm of typing or handwritten signatures may also be used but their application fields are significantly different.

Upload: joerg-lenz

Post on 17-Sep-2016

219 views

Category:

Documents


4 download

Report

TRANSCRIPT

Page 1: Taking dynamic signatures seriously

9November/December 2011 Biometric Technology Today

FEATURE

5 Privacy Act of Canada. <http://www.priv.gc.ca/legislation/02_07_01_01_e.cfm>

6 Personal Identity Verification of Federal Employees and Contractors. <http://csrc.nist.gov/groups/SNS/piv/index.html>

7 Homeland Security Presidential Directive 12. <http://csrc.nist.gov/drivers/documents/Presidential-Directive-Hspd-12.html>

8 Personal Identity Verification (PIV) Interoperability For Non-Federal Issuers. <http://www.idmanagement.gov/docu-ments/PIV_IO_NonFed_Issuers_May2009.pdf>

9 Unique Identification Authority of India (UIDAI) <http://uidai.gov.in/>

10 Soutar, Colin, ‘Security Considerations for the Implementation of Biometric Systems’ Automatic Fingerprint Recognition Systems (2004), pp 415-431. <http://www.springer-link.com/content/p23448431g727x5l/>

11 Ratha, NK, Connell, JH, Bolle, RM, ‘Enhancing security and privacy in biometrics-based authentication systems’, IBM Systems Journal, 2001, vol. 40, no. 3, pp614-634.

12 MINEX Minutiae Exchange. <http://www.nist.gov/itl/iad/ig/minex.cfm>

13 FpVTE 2003 Fingerprint Vendor Technology Evaluation. <http://www.nist.gov/itl/iad/ig/fpvte03.cfm>

14 Facial Recognition Vendor Test 2000. <http://frvt.org/FRVT2000/default.htm>

15 National Physical Laboratory Biometric Testing. <http://www.npl.co.uk/mathemat-ics-scientific-computing/biometrics/>

16 International Labour Office Biometric Testing. <http://www.ilo.org/public/english/dialogue/sector/papers/maritime/sid-test-report1.pdf>

17 Biometric Evaluation Methodology. <http://www.cesg.gov.uk/policy_technologies/biometrics/media/bem_10.pdf>

18 ‘The Security Stack: A White Paper’. <http://www.csc.com/cybersecuri ty/insights/53094-the_security_stack_a_white_paper>

19 Privacy by Design. <http://www.ipc.on.ca/english/Privacy/Introduction-to-PbD/>

20 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. <http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html>

21 NIST Special Publication 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). <http://csrc.nist.gov/publications/PubsSPs.html>

22 General Accounting Office Report 08-536 – ‘Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information’. <http://www.gao.gov/new.items/d08536.pdf>

Taking dynamic signatures seriously

Jörg Lenz

While the usage of fingerprints is widely under-stood the usage of signatures for biometric authentication is still widely misunderstood by potential users and some doubt if signatures meet the definition of a biometric method at all. Yet signature recognition offers an auto-mated recognition of individuals on a par with any other biometric method.

Signature biometricsElisa van den Heuvel of the Netherlands Forensic Institute says, “Signatures are part of the hand-writing process. The signature of each individual is assumed to be unique because of the complex nature of the writing process, the relatively large number of elements and the variability over writ-ers in the forms of these elements.”

Handwritten signatures can be electronically captured in two ways: either dynamically where the movement (position, velocity and accelera-tion) of the pen on the pad can be recorded as a function of time, or statically, where the sig-nature image itself (x,y coordinates of the pen

line on the pad) can be recorded. In either of these cases, the recorded signal is the result of both the biology (handedness) and the learned and practised behaviour of the individual.

Signatures from left handed and right handed people can often be distinguished. Signatures are also a signal of behaviour. Celebrities often have one signature for auto-graphs and another for contracts, indicating two different behaviours depending upon con-text. Signatures are biological and behavioural characteristics that can be used to automatically recognise individuals and thus meet the defini-tion of a biometric method.

ChallengesThe recognition of fingers, faces, or veins and the like is primarily used for identification purposes and to control access. The purpose of signature recognition is usually different. Traditionally signatures on paper are captured for proof of intent like triggering a transaction. In a digital workflow, signatures are linked

to an electronic documents and its content. E-signing is the usual term for this procedure.

Handwritten signatures play different roles in the various e-signing solutions on the market. In some click-to-sign solutions they are used as a graphical representation only. Previously stored signature images are added to a document, which was signed by a click. The intent of a signer is hard to prove with this kind of system.

“Some vendors are replacing clicks with signatures again as smartphones and tablets like Apple iPad allow for capturing the signatures of mobile users onscreen”

Initially these systems were designed to replace handwritten signatures for signing on the go with a click. More sophisticated systems include challenge-response elements or time stamping. Today some vendors are replacing clicks with signatures again as smartphones and tablets like Apple iPad allow for capturing the signatures of mobile users onscreen. Some of these devices offer surprisingly reliable captur-ing of biometric characteristics too.

Jörg Lenz, Softpro

The mainstream biometric sector consists of applications based on anatomical traits like fingerprint, iris, face, hand geometry or veins. Biometric behavioural traits like the rhythm of typing or handwritten signatures may also be used but their application fields are significantly different.

Page 2: Taking dynamic signatures seriously

10Biometric Technology Today November/December 2011

FEATURE

Digital inkHandwritten signatures on paper are often described as ‘wet ink signatures’. The electronic equivalent is a ‘digital ink signature’. Digital ink became a common feature in mainstream PCs with the launch of Windows Vista for comments or annotations. Today it is a feature in Microsoft Office (since version 2007) or in Adobe Acrobat (since version 9). A hand-writing-like signature on a file may be printed out or emailed, much in the same way a fax signature might work. These signatures can be manipulated, duplicated or deleted.

There is no protection against document tampering hence these kind of signatures can be repudiated easily. It is important to keep in mind that a signature that was captured using digital ink only is not securely bound to a document.

Secure combinationOne frequent misunderstanding is the assump-tion that there are either biometric signatures, created with handwritten signatures, or digital signatures created based on digital certificates. The most successful applications of e-signing combine both biometrics and cryptography.

The Spanish Confederation of Savings Banks (CECA) received the innovation award of the European IT security association TeleTrusT in 2009 for this combination in its project ‘Firma Digitalizada’.

Today the project is rated as the benchmark for digitising handwritten signatures in the banking industry. When rolled-out in full, e-signing will be in place at 25,000 branches of Spanish savings banks. A major supplier for this project is the German company Softpro. In 2010 similar projects for e-signing were kicked off in South Africa and Malaysia. The Spanish experience was a major spark for these projects.

The combination of biometrics results in the creation of advanced electronic signatures. This form of electronic signature requires asym-metric encryption and the option to validate that a document has not been tampered with via an integrity check, typically via a hash code comparison. The integrity check ought to be executed with commonly used PDF readers like the Adobe Reader and not require validation software to be downloaded from the vendor of a signing software.

CertificationTwo years ago it was seen as one of the weak spots of signing solutions with handwritten signatures that they came without a quality mark, while solutions for the creation of qualified electronic

signatures carry the approval of authorities such as the Federal Network Agency in Germany.

In 2010 the German Technical Inspection Association Group (TÜV) certified the first solutions. The web-signing platform SignDoc Web was the first of its kind to receive this quality mark for being a secure and user friend-ly application. “The Electronic Signature – and the document associated with it – is protected against manipulation attempts and fundamental transmission errors have been systematically excluded,” states the test report.

In addition to the TÜV quality mark there are now several approvals of IT processing centres which list this sort of e-signing as safe to use, for example the Finanz Informatik, Europe’s largest IT processing of the finance industry serving the German savings banks, or Fiducia IT, the major IT service provider of credit unions in Germany.

Smart card bluesSome years ago banks were focusing on replac-ing the handwritten signature rather than inte-grating it. At a time when the first laws about e-signatures were created in the mid 90s the intention was to replace handwritten signatures with certificates stored on smart cards. SignPads for trustworthy signature capturing appeared on the scene in late 2007.

Today some early movers in the field of dig-ital signatures based on smart cards suffer from ‘card blues’. The forecasted mass adoption of this technology has not happened so far.

“Today some early movers in the field of digital signatures based on smart cards suffer from ‘card blues’. The forecasted mass adoption of this technology has not happened so far”

For a long time Germany was aiming for the most stringent security standards which almost completely blocked the adoption of other forms of e-signatures. Despite official announcements of a breakthrough for digital signatures the launch of the German electronic identity card (neuer Personalausweis) in November 2010 was overshadowed by a series of failures like security loopholes in the software update process.

So far the eID card is another option of a card that could carry digital certificates like millions of Maestro Cards from the German Savings Bank organisation, which offer this possibility too. In theory they could be used for digital signing with smart cards. Practically it is difficult to find anyone using them.

In 2011 there have been indications that qualified electronic signatures will remain a technology only used where it is required by law. In April 2011 the German Savings Bank organisation stopped preparing Maestro Cards to host digital certificates for qualified elec-tronic signatures for consumers in favour of promoting their own signature card focus to a small range of business customers only. By August 2011 no company provided certificates for the German eID card and only one certified card reader costing around 150 Euros was on the market.

Interested users of digital signatures with smart cards need to take additional action and also need to invest. Initial and annual fees need to be paid for digital certificates and card read-ers must be sourced. The certificate has to be activated or downloaded. Card readers offering enhanced security with their own PIN pads are required to create qualified electronic sig-natures. These card readers also need a special certification by authorities.

Little wonder that a critical mass of card reader infrastructure is still lacking and hence the amount of applications for e-signing this way remains at low level.

The electronic transfer of income statements in Germany (project name ELENA) was once meant to fuel the adoption of digital certificates smart cards and card readers according to the e-Card strategy of the government back in 2005. It failed dramatically and was stopped by the Minister of Economic and Technology and the Minister of Labour on 18 July 2011. The press release confirms the lack of the adoption of this form of e-signing. Creating digital signatures with certificates stored on smart cards as the way to sign for everyone in the 21st century remains a vision.

E-ID realityOther EU countries like Belgium and Spain have similar experiences with a lack of adop-tion their electronic identity cards. Although 15 million Spanish citizens possessed an eID-card (DNI electrónico) in 2010, 99% of the transactions signed in the Spanish Savings Bank in that year were processed with digitised hand-written signatures, according to Santiago Uriel, CIO of the Spanish Savings Bank Federation. Similar acceptance rates are reported from banks or toll booth stations in Italy where e-signing was introduced in 2011.

The major goal when signatures are digi-tized while they are written on signature pads is usually to minimize the usage of paper in a particular workflow. Secure processing of signa-tures is an expected feature but usually not the key business trigger.

Page 3: Taking dynamic signatures seriously

11November/December 2011 Biometric Technology Today

FEATURE

Hybrid approachSome attempts to establish dynamic signature recognition in the past failed. The assumption that processes might be catapulted from paper to 100% digital in organisations was too vision-ary. Successful projects are more likely to be based on the support of hybrid signature data, which means a gradual replacement of signature image processing to biometric signature data.

“Some attempts to establish dynamic signature recognition in the past failed. The assumption that processes might be catapulted from paper to 100% digital in organisations was too visionary”

In the absence of dynamic signature parame-ters, static features may be used for comparison. Static automatic signature verification has been used since the mid 90s in financial institutions worldwide. Banks still receive many signatures on paper so it is vital for them to have a system in place that is able to cater for both signature images and biometric data.

In recent years the amount of devices to capture signatures in sufficient quality became plentiful. Signatures may be digitised during the signing process instead of scanning them from paper using a wide range of instruments including pen pads, special pens, tablet PCs and recently slate tablets like Apple iPad. Choosing the appropriate capturing device is almost a science of its own.

Today most signatures are captured on sig-nature tablets. The SignPad eSignio (Wacom STU-500) is one of the most popular devices, with more than 20,000 units installed in savings banks in Europe alone. This kind of signature tablet fulfils the criteria for reliable capturing. Signatures captured on its screen resemble the way signatures look on paper almost perfectly.

Signers experience a natural way of signing on screen unlike on devices familiar from cou-rier services. They have the visual impression that their signature is taken seriously. A large screen allows display of corresponding text.

It offers also excellent visibility of content on screen, even in bright sunshine due to its reflec-tive TFT. This type of device also has a long life expectancy as the sensor lies below the display surface, preventing the wear and tear found in devices based on touch technologies.

A proper comparison of static signature characteristics and dynamic signature signals requires a digitizing instrument that is taking a sufficient amount of time signals. It also has to be able to differentiate between various pressure levels and to provide an appropriate resolution rate. These requirements are also reflected in the standard for the interchange of biometric signature data (ISO/IEC FDIS 19794-7). Some of the vendors have started to implement this standard into their products.

Signature apps for iPadApple iPad and other tablets are now entering the business world in a massive pace. Until recently, tablets were mostly used for showcas-ing products, but they are capable of more. For example, it is now possible to display, fill out and sign electronic documents on tablets.

Apps take signatures seriously on the iPad. Not all of them are found in the iTunes store as they are often integrated in the core solutions of organ-isations. One of the world’s largest insurance com-panies has started to integrate this technology for several hundred iPad users in August 2011. Their solution includes SignDoc Mobile as E-Signing application, which caters for signature capturing and realistic display on the tablet screen.

When a signature is captured, signals of time and location are recorded. Signatures and docu-ment content are securely saved. The iPad does not provide data about the different levels of writ-ing pressure. However a sophisticated calligraphic algorithm would allow calculating so-called pseu-do dynamic writing pressure levels if required for

additional analysis. It is a procedure that is similar to the analysis of the ink flow in signature images.

The integration of e-signing on iPads usu-ally comes with other security features too like the embedding of an image of the signer taken while he or she is signing as part of the elec-tronic signature.

Practical aspects such as the amount of data transferred over a network have high business relevance. Hence sophisticated e-signing solutions for Apple iPads and tablets retrieve only data needed for filling a form and the signing it from the system at the time of signature. The document itself remains in the secure server until its finalisa-tion, after which the completed PDF document can be downloaded from the web server, further processed, and/or sent to its next destination.

VerificationDepending on the level of security required, signatures on electronic documents are either verified straight after signing or only if doubts arise about the authenticity of the signature. In most cases today signatures and documents are stored without verification. This is similar to the paper process where most signed docu-ments are not verified either.

Dynamic signatures in electronic documents may be verified if a repository for reference data can be accessed. One example for immediate sig-nature verification is a solution catering for small branches of Credit Unions and Savings Banks in rural districts. In these branches it is common that only person is staffing the branch. To operate these banks it is required to document the ‘Four-Eye’ principle when doing banking transactions.

One of the options to deal with this require-ment is to capture handwritten signatures of the bank’s employee and of a registered customer on a signature pad and verify these signatures prior to completing a transaction or processing a document. This is one example of an operational solution incorporating immedi-ate dynamic signature verification.

About the author

Jörg Lenz is marketing manager at Softpro GmbH, provider of products and solutions for digital capture, management and verification of handwritten signatures.

iPad users can capture signatures along with time and location data.


taking race seriously

Taking Children Seriously EPSD_Report4

Legal Interpretation: Taking Words Seriously

Taking Citizenship Seriously

Taking rehabilitation seriously - WHO

Taking Jesus Seriously Course - Home - Anabaptist ... › wp-content › uploads › 2019 › 07 › Taking...Taking Jesus Seriously ‘Taking Jesus Seriously’ is one of a number

Taking Tasers seriously

Taking Racism seRiously - EMN

TAKING GOD SERIOUSLY - Masaryk University

Taking Time Seriously

Taking Institutions Seriously:

TAKING POWER SERIOUSLY

AGRICULTURAL TRADE: TAKING INTEGRATION SERIOUSLY

Taking Warrants Seriously - Northwestern University

Taking Coase Seriously

Taking Laws Seriously - Cornell University

Taking Voluntariness Seriously - Boston College

Taking Sex Differences Seriously

Litigation Governance: Taking Accountability Seriously

TAKING SUBJECTIVITY AND REFLEXIVITY SERIOUSLY

Moravcsik - Taking Preferences Seriously

KLATT - Taking Rights Less Seriously

taking harlem renaissance seriously

Taking backwards compatibility seriously

Lawvere, Taking Categories Seriously

Taking Compliance Seriously - Yale University

Taking Salmonella Seriously

EPSD_Report4 taking children seriously

Taking Drugs Seriously

Taking Exit Row Seating Seriously

Taking PHP Seriously

Taking children seriously

Taking cybercrime seriously

Taking Kotlin to production, Seriously

Taking Gender Equality Seriously