The signing process involving the use of OTP Text message/SMS is the following:
- The user is directed to a signature page.
- The user reads the document.
- The user clicks on ”Verify”.
- The system calculates a pseudo-random number generator (OTP = One Time Password) based on the content of the document to be signed.
- The system sends by SMS the code to the user’s smartphone and requests him/her to enter the code.
- The user enters the code.
- If it is correct, the system proceeds to incorporate electronic evidence into the document to be signed, and then digitally signs with an electronic certificate to guarantee the integrity of the document.
Technical and legal basis of the OTP SMS eSignatures
The OTP (One Time Password) is not a random code. The system uses the hash of each page of the document to obtain a random code based on these hashes. The system stores the code to be sent to the user’s mobile device, plus the positions of the hashes it has used (which are random).
Therefore, there’s a link between the document content and the calculated OTP, followed by a validation of the signed document. Statistically it is impossible for two different documents to have the same OTP code with the same hash calculation positions. Thus, with the SMS OTP signature, the content of the signed document can be linked to the signing process.
Legal reasons of OTP SMS
For many years, in many countries a mobile phone number cannot be obtained without user identity verification, the same as for a digital certificate. For example, in Spain, to obtain a mobile SIM card the phone company needs to verify the user’s identity, and also sign a contract. Therefore, a mobile network must be linked to a natural or legal person.
During the OTP SMS signing process, the signing operation is therefore linked to the signatory through that cell phone number, as well as to the content through the OTP calculation algorithm described above. Therefore, it can meet the requirements established for an advanced electronic signature according to Regulation (EU) No. 910/2014 of the European Parliament and Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, known as eIDAS .
According to this regulation, four requirements must be met for a signature to be considered advance. Below are the four requirements for the case of an OTP SMS signature:
- It is uniquely linked to the signatory. The signatory has a cell phone with a telephone number
- It is capable of identifying the signatory. The phone number is personal and belongs exclusively to the signatory.
- It is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control. Both the access to the signature request (sent to the signatory’s email), and the SMS code (sent to the signatory’s cell phone), are under the exclusive control of the signatory.
- It is linked to the data signed therewith in such a way that any subsequent change in the data is detectable. Both the access to the signature request (sent to the signatory’s email), and the SMS code (sent to the signatory’s cell phone), are under the exclusive control of the signatory
This would not be the case in those countries where SIM cards can be obtained anonymously.
In the OTP SMS signing process, additional evidence is also obtained, such as the proof of having clicked on the link in an email (therefore, the signatory’s control not only of the cell phone, but also of the user’s email) or the traceability of the SMS (when it was sent, or when it was received, etc).