Electronic and Digital Signatures
Need a web application with digital signatures? We’re the right people to talk to.
Contact UsSecure Software Systems for Healthcare
We have strong expertise in building high quality software for the healthcare sector with cryptographically secure digital signatures.
Digital and electronic signatures are a complex area, often clouded by poor marketing and user misunderstanding. Many people assume all systems are cryptographically secure, when in fact real security depends on the entire package of measures in place, as explained below.
One common area of confusion is the difference between an electronic signature and a digital signature. An electronic signature is an on-screen representation of a written signature attached to a contract or record, used by a person with the intent to sign. Its security often relies on the signer logging in securely to the provider’s system, where their identity is verified. The signature itself may be digitally signed, but typically with a company-issued certificate rather than a personal one.
In contrast, a digital signature explicitly uses a personal cryptographic key to validate both the individual and the document. In the past, these certificates were expensive, but today many governments issue them at low or no cost - for example, through the EU’s eIDAS 2.0 framework. Regulations such as eIDAS 2.0 in Europe and the updated US ESIGN Act now encourage the use of qualified electronic signatures (QES) with personal cryptographic keys for higher assurance.
Looking ahead, newer models like Decentralised Identity (DID) and Self-Sovereign Identity (SSI) are giving users more control over their own credentials, with standards such as W3C Verifiable Credentials gaining traction internationally.
E-signature platforms are also evolving to include AI-driven behavioral biometrics (e.g., keystroke dynamics, mouse movements) and deepfake detection to reduce impersonation risks. In addition, many now leverage blockchain technologies (Ethereum, Hyperledger) or decentralised storage solutions (like IPFS) to provide tamper-proof audit logs, ensuring that signed records remain secure and verifiable.
Different Mechanisms for Signature Verification
Electronic signatures are some combination of the mechanisms shown below. The weak ones omit step No.2, but as long as you have a good provider, the whole system should work as intended. Digital signatures use mechanisms No.5 or No.6. For electronic prescriptions, either will do.
Simply pasting an electronic picture of a signature onto a document offers no real security or authentication. Modern systems now require cryptographic proof or strong identity verification to ensure the signer is genuine.
Requiring the signer to log into an online system is stronger, especially if combined with multi-factor authentication. However, while traditional 2FA methods (SMS or email codes) are still used, they are now considered vulnerable to phishing and SIM-swapping. The gold standard is phishing-resistant authentication, such as WebAuthn, FIDO2 passkeys, or hardware tokens.
Manual identity verification - such as uploading a passport or official document - is still used but is increasingly being replaced by AI-driven automated checks. These include biometric liveness detection (e.g., confirming someone is physically present) and government-backed digital IDs (such as those enabled by the EU’s eIDAS 2.0).
Applying a centrally issued cryptographic signature (sometimes called a witness signature) is useful when combined with the steps above. For example, if you receive a document with a cryptographic signature from a provider such as DocuSign, it represents their assurance that the signer’s identity has been verified.
Issuing an individual cryptographic key but storing it in a centralised online system is less secure, as it creates risks from hacking or insider threats. Modern systems instead use hardware-secured keys (e.g., HSMs, TPMs) or decentralised key management to reduce those risks.
Issuing an individual cryptographic key and storing it locally provides stronger control, but local PC storage is vulnerable to malware. Today’s best practice is to use hardware wallets (e.g., YubiKey, Ledger) or secure enclaves built into devices (e.g., Apple Secure Enclave, Android StrongBox) for maximum protection.
Some Of Our Projects
We build high quality healthcare applications to ensure digital electronic signatures are automatically secure.
Still Have Questions? We’ve Got Answers
In our experience:
Electronic Signature systems usually do not use personal digital certificates. In the past, many relied on a single certificate issued by the vendor, often validated through Adobe’s trust lists. However, Adobe is moving away from being the central authority for validation. Modern e-signature platforms now increasingly depend on global certificate authorities (CAs) or blockchain-based verification, which avoids locking security into a single vendor. In practice, this means the certificate effectively says: “this document was signed by Acme Corp – if you trust them, the document was signed by Fred”.
Digital Signature systems generally do use personal digital certificates, but they still often require trust in the system provider, since private keys are frequently stored within their infrastructure. Newer approaches mitigate this by using hardware-secured keys, zero-knowledge proof (ZKP) techniques (to validate a signature without exposing the private key), or decentralised identity frameworks such as W3C Verifiable Credentials and Ethereum-based signing. In this model, the certificate says: “this document was signed by someone called Fred”, and the provider confirms: “and Fred is Fred Green Jr.”
We’ve found that some suppliers of online signature systems continue to market witness-style solutions as fully secure when they are not. By 2025, stronger assurance is increasingly expected: biometric-backed signatures (facial recognition, liveness checks), AI-driven compliance checks, real-time audit logs, and blockchain notarization are becoming standard to ensure non-repudiation. This makes it harder for vendors to misrepresent their security posture, though users may still be swayed more by polished marketing than by the underlying technical safeguards.
Private Prescriptions
For Private Prescriptions, the “Human Medical Regulations 2012” controls how prescriptions work, and the key points can be found in section 5 of the act, which states:
“Advanced electronic signature” means an electronic signature that is –
a) uniquely linked to the person (“P”) giving the prescription;
b) capable of identifying “P”;
c) created using means that “P” can maintain under “P’s” sole control;
d) linked to the data to which it relates in such a manner that any subsequent change of data is detectable.
Although these regulations are written without specific reference to public key cryptography, most experts now assume that these regulations require a personal, per-prescriber digital signature to be used to sign
the prescription PDF.
Note: public/private key technology can be used to sign any document or file, but PDFs are the most familiar, and now have built-in support for signatures.
We Can Help With Private Prescription Software
If you have a requirement for a software system that allows doctors and other prescribers to create online prescriptions safely and securely, please contact us. We have years’ of experience supporting online pharmacies. And all our software is designed to integrate with other healthcare data sources, such as PAS, GP address data and drugs databases.
What Our Clients Say
Terminology
– a cryptographic system that uses complex mathematics to make it possible to verify a digital signature. A secret private key (owned by a person or company) is used to make the signature. The public key is visible to everyone and is used to check the signature is valid.
– a central organization that issues public/private keys and also provides a way for an end-user to verify a signature. A CA needs to be a highly trusted and secure organisation, because the CA effectively provides a guarantee that someone signing a document is who they say they are.
– a digital certificate typically stored on users PCs which allows software to confirm that a signature is valid – if the Root Certificate is missing, users can be prompted to install it, and can do this with no loss of security.
– a company that provides a set of tools for implementing electronic/digital signatures, like DocuSign, HelloSign and SigningHub. Usually, the main purpose of these tools is to make the process of signing easy enough that end users will do it – but they also take a role in making sure the signature is valid, possibly by validating the user. These tools may support either Electronic Signatures and/or Digital Signatures. The company may also offer to check the identity of people making signatures too.
– Adobe Trusted List – a list of trusted CAs whose Root Certificates are built into Adobe PDF Reader. Being built-in gives these CAs a huge advantage: PDF documents which are signed with certificates linked to these CAs will show as valid with no further user action, which makes them more trusted by users.
are an online method of signing documents that is based on personal cryptographic keys. There are two main options:
- A system where the personal signature is created and managed personally as a PFX file. The prescriber must provide this file to the prescribing software each time they want to sign something.
- A system where the personal signature is created and stored within a web application. Obviously, there is a security risk – if the web application is hacked, someone might get access to the private key and use it. This can be partially resolved by encrypting each private Key inside another secure file which prompts for password on each use.
– two of the many names used to refer to a personal private key, which can be used to sign documents. If issued directly to a person, these keys are usually wrapped in a PKCS12 or .pfx file – and an extra layer of encryption is often used to protect the key – the signer has to type in the passphrase before signing.
can be created privately without a link to a CA, or they can be created through the CA. Only keys created through a CA linked to the ATL will validate immediately in Adobe Reader – other keys need more steps. Keys linked to a CA vary in price depending on the “standing” of the CA and other factors. Typical prices for document-signing certificates are around $300 per year for the top-end CAs.
is an online method of signing a document that generally does not include an individual, personal cryptographic key – because these are expensive. Instead signature security is based on the signer logging on securely to the suppliers’ system, and maybe on the supplier checking their identity. Electronic Signatures are still often digitally signed, but instead of using a personal digital certificate, they sign using a company issued certificate.
