Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
Closing deals and signing agreements in a face-to-face meeting seem almost quaint. Soon, they will likely be a thing of the past, replaced by digital agreements and document signing.
Still, with that fully virtual back-and-forth, how do you know if a document is real and legitimate? That it came from the person it’s supposed to? That the signer is not a hacker?
The Web3 world ultimately necessitates a more sophisticated approach to digital agreement security.
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
“Security must be woven throughout the transaction process given the patch-quilt nature of today’s cloud — and this is where the e-signature market is falling short because e-signature companies are not security companies,” said Matthew Moynahan, OneSpan president and CEO.
The virtual data room market is a young but rapidly expanding one: Expected to reach $3.2 billion by 2026, representing a compound annual growth rate (CAGR) of 14.5% over 2021.
OneSpan’s new product competes with those offered by iDeals, SecureDocs, ShareVault, Ansarada and Citrix ShareFile.
“The number one attack vector today is to target people for the purpose of stealing their credentials,” said Jim Lundy, founder and CEO of Aragon Research.
This makes user authentication vital for transactions, he said. And for documents that need to be highly secure, that process has traditionally been slow and cumbersome. This has prompted what he called a “race” to digital onboarding, which allows user identities to be digitally verified in minutes versus hours or days. It is particularly becoming a “hot use case” for new account openings.
But electronic documents require higher levels of identity verification and validation — users must pass a series of identity requirements such as biometric verification (facial identity, for instance) and one-time passwords. Only when the user is verified are documents presented, said Lundy.
Organizations are increasingly adopting credential management and advanced multifactor authentication that generates tokens. This is a “safer and proven way to prevent phishing attacks of user credentials,” he said. Similarly, to further speed up the process, there is growing use of content AI (artificial intelligence) that automatically validates user documents such as driver’s licenses and images via picture verification.
But in addition to such tools, organizations need to train their IT and C-suite staff, said Lundy. “There are highly sophisticated spear phishing attacks going on that are targeting both IT administrators and executives,” he said.
Inadequate authentication and verification tools
In today’s “anywhere economy,” consumers expect convenient, digital experiences, and they want to engage with companies through remote channels instead of meeting in-person. The e-signature and digital agreement evolution has bolstered this.
Yet, when e-signature providers emerged, most documents were simple forms, said Moynahan. Now? High-value agreements including contracts, mortgages and loan agreements are being handled digitally. This market has grown due to its convenience and accessibility; security and compliance features “fell to the wayside,” said Moynahan.
Similarly, video conferencing platforms have grown in use, and they do add a level of security.
“The thinking was if you can see the other person and watch them sign, they must be who they say they are,” said Moynahan.
But off-the-shelf video conferencing tools present serious security risks. We “live in a world of insecure links,” and video conferencing platforms don’t always offer authentication and verification capabilities to confirm if a person joining a virtual meeting through a web link is the person they claim to be.
He pointed to so-called “Zoom-bombing” in the early days of the pandemic with the near-overnight adjustment to remote life. This in particular highlighted how easy it is for anyone to get access to video conferencing links.
Although Zoom was quick to add password capabilities, these aren’t always enforced, he said. E-signature providers such as DocuSign are collaborating with video conferencing and business communications platforms, but this doesn’t always involve identity verification and does not capture all events occurring in the signing process. Also, hosts or signers (or both) can easily override access with “remote control” and accidentally sign on behalf of each other.
Digital transactions, in real time
By contrast, upon entering OneSpan’s new Virtual Room, users must be identified and authenticated via email, login credentials, SMS, Q&A or knowledge-based authentication and ID verification, explained Moynahan.
Then, legally binding e-signatures are captured in real time, and cobrowsing allows agents and customers to collaborate on documents and simultaneously review them and address questions.
Digital signature encryption helps to ensure that data and agreements are secure in transit and at rest, said Moynahan. Built-in security controls prevent participants from signing on behalf of others. An audit trail also maintains the integrity of signed documents by capturing signing privileges passed between participants, geolocation details, authentication and signing order. Furthermore, virtual sessions are recorded.
The platform can be used by any industry seeking a remote, human-assisted financial agreements process, said Moynahan — including retail and corporate and personal banking, financing, wealth management, auto financing and healthcare companies.
For example, wealth management advisors can help customers select the right products and complete investment strategy agreements, said Moynahan. Advisors at retail and corporate banks can help customers open new accounts and manage changes to existing accounts. Other scenarios could include insurance policies and claims or financing services.
Preparing for a Web3 world
In the era of Web3 — the next iteration of the internet —high-value transactions are occurring digitally and in massive volumes with more complicated cloud workflows, said Moynahan.
But, “many of us have become so conditioned to simple click and scribble processes that we aren’t thinking about the security of the workflows or people interacting, especially for high value transactions,” he said. “We simply trust that the SaaS provider is doing this for us when the truth is, it’s not there across the entire business process.”
Our trust and integrity in the internet has been broken due to deep fakes, fake news and insecure links. “It’s really difficult to tell what is real anymore,” said Moynahan.
Cybersecurity must move into a completely new realm to protect such Web3 interactions, he said. As the threat landscape continues to evolve, attackers will too. They are poised to take advantage; they will seek to manipulate the integrity of digital agreements and their underlying artifacts, which are essentially the foundation of business and capital markets.
“It’s happened already, unfortunately,” said Moynahan. “At the end of the day, it is a business responsibility to restore this trust and integrity.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.