Contact

Electronic and Digital Signatures

Need a web application with digital signatures? We’re the right people to talk to.

Contact Us

Secure Software Systems for Healthcare

We have strong expertise in building high quality software for the healthcare sector with cryptographically secure digital signatures.

Digital and electronic signatures are a complex area, often clouded by poor marketing and user misunderstanding. Many people assume all systems are cryptographically secure, when in fact real security depends on the entire package of measures in place, as explained below.

One common area of confusion is the difference between an electronic signature and a digital signature. An electronic signature is an on-screen representation of a written signature attached to a contract or record, used by a person with the intent to sign. Its security often relies on the signer logging in securely to the provider’s system, where their identity is verified. The signature itself may be digitally signed, but typically with a company-issued certificate rather than a personal one.

In contrast, a digital signature explicitly uses a personal cryptographic key to validate both the individual and the document. In the past, these certificates were expensive, but today many governments issue them at low or no cost - for example, through the EU’s eIDAS 2.0 framework. Regulations such as eIDAS 2.0 in Europe and the updated US ESIGN Act now encourage the use of qualified electronic signatures (QES) with personal cryptographic keys for higher assurance.

Looking ahead, newer models like Decentralised Identity (DID) and Self-Sovereign Identity (SSI) are giving users more control over their own credentials, with standards such as W3C Verifiable Credentials gaining traction internationally.

E-signature platforms are also evolving to include AI-driven behavioral biometrics (e.g., keystroke dynamics, mouse movements) and deepfake detection to reduce impersonation risks. In addition, many now leverage blockchain technologies (Ethereum, Hyperledger) or decentralised storage solutions (like IPFS) to provide tamper-proof audit logs, ensuring that signed records remain secure and verifiable.

Our Software Services_Our Expertise.jpg

Different Mechanisms for Signature Verification

Electronic signatures are some combination of the mechanisms shown below. The weak ones omit step No.2, but as long as you have a good provider, the whole system should work as intended. Digital signatures use mechanisms No.5 or No.6. For electronic prescriptions, either will do.

1

Simply pasting an electronic picture of a signature onto a document offers no real security or authentication. Modern systems now require cryptographic proof or strong identity verification to ensure the signer is genuine.

2
Robust login mechanism.svg

Requiring the signer to log into an online system is stronger, especially if combined with multi-factor authentication. However, while traditional 2FA methods (SMS or email codes) are still used, they are now considered vulnerable to phishing and SIM-swapping. The gold standard is phishing-resistant authentication, such as WebAuthn, FIDO2 passkeys, or hardware tokens.

3
Verify identity.svg

Manual identity verification - such as uploading a passport or official document - is still used but is increasingly being replaced by AI-driven automated checks. These include biometric liveness detection (e.g., confirming someone is physically present) and government-backed digital IDs (such as those enabled by the EU’s eIDAS 2.0).

4
Cryptographic signature.svg

Applying a centrally issued cryptographic signature (sometimes called a witness signature) is useful when combined with the steps above. For example, if you receive a document with a cryptographic signature from a provider such as DocuSign, it represents their assurance that the signer’s identity has been verified.

5
Signature in the digital system.svg

Issuing an individual cryptographic key but storing it in a centralised online system is less secure, as it creates risks from hacking or insider threats. Modern systems instead use hardware-secured keys (e.g., HSMs, TPMs) or decentralised key management to reduce those risks.

6
Storing signature on PC.svg

Issuing an individual cryptographic key and storing it locally provides stronger control, but local PC storage is vulnerable to malware. Today’s best practice is to use hardware wallets (e.g., YubiKey, Ledger) or secure enclaves built into devices (e.g., Apple Secure Enclave, Android StrongBox) for maximum protection.

Still Have Questions? We’ve Got Answers

One of the big myths of key cryptography is that if a system uses public and private keys, it’s automatically secure. This isn’t strictly true; a system which stores the private keys in another system relies on the security of that other system. Looking at this another way, for a system to be secure and high quality all parts must be secure and high quality.

In our experience:

Electronic Signature systems usually do not use personal digital certificates. In the past, many relied on a single certificate issued by the vendor, often validated through Adobe’s trust lists. However, Adobe is moving away from being the central authority for validation. Modern e-signature platforms now increasingly depend on global certificate authorities (CAs) or blockchain-based verification, which avoids locking security into a single vendor. In practice, this means the certificate effectively says: “this document was signed by Acme Corp – if you trust them, the document was signed by Fred”.

Digital Signature systems generally do use personal digital certificates, but they still often require trust in the system provider, since private keys are frequently stored within their infrastructure. Newer approaches mitigate this by using hardware-secured keys, zero-knowledge proof (ZKP) techniques (to validate a signature without exposing the private key), or decentralised identity frameworks such as W3C Verifiable Credentials and Ethereum-based signing. In this model, the certificate says: “this document was signed by someone called Fred”, and the provider confirms: “and Fred is Fred Green Jr.”

We’ve found that some suppliers of online signature systems continue to market witness-style solutions as fully secure when they are not. By 2025, stronger assurance is increasingly expected: biometric-backed signatures (facial recognition, liveness checks), AI-driven compliance checks, real-time audit logs, and blockchain notarization are becoming standard to ensure non-repudiation. This makes it harder for vendors to misrepresent their security posture, though users may still be swayed more by polished marketing than by the underlying technical safeguards.

Private Prescriptions

For Private Prescriptions, the “Human Medical Regulations 2012” controls how prescriptions work, and the key points can be found in section 5 of the act, which states:

document-signature.png

“Advanced electronic signature” means an electronic signature that is –

a) uniquely linked to the person (“P”) giving the prescription;
b) capable of identifying “P”;
c) created using means that “P” can maintain under “P’s” sole control;
d) linked to the data to which it relates in such a manner that any subsequent change of data is detectable.

Although these regulations are written without specific reference to public key cryptography, most experts now assume that these regulations require a personal, per-prescriber digital signature to be used to sign 
the prescription PDF.

Note: public/private key technology can be used to sign any document or file, but PDFs are the most familiar, and now have built-in support for signatures.

We Can Help With Private Prescription Software

If you have a requirement for a software system that allows doctors and other prescribers to create online prescriptions safely and securely, please contact us. We have years’ of experience supporting online pharmacies. And all our software is designed to integrate with other healthcare data sources, such as PAS, GP address data and drugs databases.

Get In Touch

What Our Clients Say

Terminology

Public / Private Key
Certificate Authority
Root Certificate
Signature Company
ATL
Digital Signatures
Digital ID / Certificate
Digital IDs / Private Keys
Electronic Signature

We're Easy To Talk To - Tell Us What You Need

Contact Us