It's an oft-repeated but central idea: digital technology is profoundly transforming interactions between individuals, businesses and the authorities. In this context, where digital is king and simplifies exchanges, digital identity is the key.


From a practical point of view, digital identity enables access to services in the public sector (Assurance maladie, Impots.gouv, TousAntiCovid...) or the private sector (Facebook, AppleId, Identité Numérique La Poste, LinkedIn, ...). Having a controlled and secure digital identity is therefore a key challenge. And an asset, both for professionals and individuals.


But to master it, you need to understand it: what does the notion of digital identity cover? How and by whom is it protected? What impact does it have on the relationship between a company and its users?

How is it applied to electronic signatures, and under what conditions of use? Here's an overview of a concept that may seem remote, but one that is at the heart of our daily digital lives.

 

What is digital identity?

Before saying what it is, it's important to remember what digital identity is not: a transposition of civil identity. Digital identity is not just a face: it's a set of computer data (called attributes) associated with a person, a program, a computer, etc. Digital identity links these data to an individual and enables them to be used online, in particular to interact with information systems.

 

Digital identity attributes

Digital identity is a set of attributes recorded in digital form to establish the identity of a natural or legal person. Depending on the context, these attributes may be:

  • personal information defining pivot identity (or regalian identity, i.e. civil status): birth name, first name, gender, date of birth and place of birth;
  • biometric data: digital fingerprints, voice signatures;
  • additional information: e-mail address, username, pseudonym...

In essence, a person has several digital identities, depending on the context of use and the level of guaranteed reliability. For example, an identity used to register on an electoral roll is different from an identity used to register on a social network. Yet they identify the same person.

Means of electronic identification (MIE) 

Broadly speaking, digital identity involves three players:

  • a user who wishes to access online and offline services and must identify himself to do so;
  • an identity provider, a trusted third party that provides a means of electronic identification (MIE) and guarantees the attributes presented by the user;
  • a service provider (public or private operator) that provides users with a set of services to which access is reserved for a given digital identity.

A digital identity is therefore based on a means of electronic identification (or MIE), in other words a tangible and/or intangible element containing personal identification data and used to authenticate oneself to an online service. It can be used to confirm:

  • electronic identification of a natural or legal person;
  • the origin and integrity of electronic data.

The level of security offered by a digital identity will depend on the level of guarantee that the electronic means of identification gives to the user's claimed or purported identity. Three levels of guarantee for electronic identification are set out in the eIDAS regulation:

  • the low guarantee level, whose objective is to reduce the risk of misuse or alteration of identity (limited level of reliability);
  • the substantial guarantee level, whose objective is to substantially reduce the risk of misuse or alteration of identity (substantial degree of reliability);
  • the high guarantee level, whose purpose is to prevent misuse or alteration of identity (higher reliability level).

 

The legal framework for digital identity

The digital identity of individuals and businesses is governed by a framework established by French and European law and protected by various institutions.

Standards and requirements designed to protect Internet users (individuals and legal entities) and guarantee digital transactions are set out in various French and European texts. The main ones are:

  • The General Data Protection Regulation (GDPR), which aims to protect the personal data of European Union citizens;
  • The European eIDAS regulation, which aims to establish a framework for electronic identification and trust services in Europe;
  • The Network and Information Systems Security Directive, which aims to strengthen the cybersecurity of operators of services essential to the economy and society;
  • The RGS (General Security Reference System) which aims to ensure the security of electronic exchanges within the French administration and between the administration and citizens.

Several French and European institutions are involved in ensuring compliance with these texts:

  • The European Data Protection Committee (EDPC) ensures that the implementation of the GDPR is consistent between the various EU member states;
  • The French Council of State advises the government on compliance with regulations and the drafting of legislation;
  • The French Data Protection Authority (Commission nationale de l'informatique et des libertés - CNIL) has powers of control and sanction to ensure the protection of personal data and privacy.

Important!

In France, two national organizations are working together to ensure the security and compliance of digital identity solutions: the Interministerial Digital Department (DINUM) and the Agence nationale de la sécurité des systèmes d'information (ANSSI).

 

The challenges of digital identity for electronic signatures

Digital identity risks

While the implementation of digital identity makes online exchanges easier and more fluid, it also represents a major cybersecurity risk.

Secure digital identity management is a prerequisite for preventing identity theft, online document fraud and all kinds of threats to personal data and privacy.

Applied to electronic signatures, this issue is all the more important, because without a solid digital identity, the electronic signature would lose its legal value and reliability. A robust digital identity ensures that:

  • the signatory is who he claims to be;
  • the document has not been altered after signing.

Digital identity is therefore a decisive factor in establishing a secure electronic signature environment. In use, the main bulwark for protecting and securing your digital identity is authentication. It enables you to prove the link between a user and the identity he or she claims.

A quick point of vocabulary: identification and authentication are two distinct terms. In the context of digital identity, identification answers the question "Who are you?" Authentication, on the other hand, answers the question "Are you who you say you are?"

 

Digital identity authentication methods

Authentication is the process by which a person proves that it is one of their digital identities that is being used. Authentication methods vary according to the guarantee levels (low, substantial and high) set out in the eIDAS regulation.

The authentication methods used to verify a person's digital identity include:

  • Password authentication;
  • Two-factor authentication (2FA): usually a password and a code generated on a cell phone or sent by SMS;
  • Biometric authentication (facial or voice recognition, iris or fingerprint recognition, etc.);
  • Smart card authentication;
  • Digital certificate authentication;
  • SMS or e-mail authentication with generation of a unique authentication code;
  • Authentication by token or software generating a single-use authentication code;
  • Knowledge-based authentication with predefined security questions to prove identity;
  • "Battleship" authentication, where you are asked to fill in a box on a personal code card;
  • Authentication via an authentication solution such as FranceConnect or L'Identité Numérique La Poste.

All of these varied methods apply, in different ways, the principle of the three "whats": "what you know" (a PIN code, a password, etc.), "what you have" (a token, a phone, etc.) and "what you are" (your fingerprints, your face, etc.).

In the case of electronic signatures, authentication methods depend on the signature level (simple, advanced or qualified). Some may seem daunting because of the number of steps involved, or the technical specificities they imply, especially for the high-level signatures (advanced and qualified) often recommended for companies. Yet simple solutions do exist (can you see us coming?): let us introduce you to Lex Entreprise.

 

How does Lex Entreprise facilitate signatory authentication?

Lex Enterprise, our electronic signature software, stands out as one of the most comprehensive solutions on the market, for all three types of signature. It offers total flexibility, simplifying and streamlining signature processes without sacrificing security. That is a challenge for digital services and platforms at a time of digital mistrust.

Lex Entreprise has designed its platform to be ergonomic and intuitive: operation is simple and secure, with signatory authentication methods proportionate to the legal risk of the transaction, even for signatures with a higher level of legal security, which are reputed to be more complex to set up.

In this respect, it relies in particular on two certified, reliable and easy-to-use authentication services: 

  • FranceConnect for advanced electronic signature;
  • L'Identité Numérique La Poste for qualified remote electronic signature (a first in France!), which benefits from the highest level of legal security... in just a few clicks.

These two processes, in addition to those used for other types of signatures, make it possible to:

  • Enhance the security of electronic signatures by easily and effectively guaranteeing the identity of the signatory;
  • Strengthen the trust of signatories (customers, partners, employees, suppliers, etc.);
  • Offer a remarkably smooth user experience by simplifying the signature process;
  • Ensure compliance with the regulations in force.

 

Optimize your electronic signature process with Lex Enterprise. Discover how our comprehensive solution can strengthen the security of your digital transactions and simplify your workflows. Would you like to integrate one of our solutions, or simply find out more? Our experts are here to help.