Digital signature with SMS authentication legally valid?

Is a digital signature by email/SMS authentication legally valid? On October 7, 2020, the Court of Zeeland/West Brabant made a ruling on this subject that creates doubt. Therefore, given the speed at which digitalization is developing, especially now, this ruling cannot go unmentioned.

Why this ruling? A company takes out a loan, whereby the (presumably) sole shareholder enters into a surety agreement as security. The company goes bankrupt, the guarantor does not pay and invokes the invalidity of the digital signature. The subdistrict court weighs its options and finds in favour of the guarantor.

The digital signature involves an e-mail combined with an SMS. It concerns, in jargon, a 'two-factor authentication' (or: '2FA'). This form of authentication is based on the principle 'something the user knows and something the user has'. In the case of an e-mail combined with an SMS, this can be applied in this way: The user knows his or her e-mail login credentials and has a cell phone on which SMS messages are received. This form of 2FA has recently been accepted by both Supreme Court (HR 14 June 2019, ECLI:NL:HR:2019:957) as well as Council of State (RvS 30 April 2019, ECLI:NLRVS:2019:1400) as sufficiently determinable, provided of course that it is technically correctly set up.

The subdistrict court emphasizes the importance of the agreement at issue, a surety agreement. It also indicated that potential abuse in digital signing should not be taken lightly. This line of thinking is (literally) inspired by an earlier decision of the District Court of Amsterdam of December 11, 2019 (ECLI:NLRBAMS:2019:8755). There is also certainly something to be said for it, given the major personal consequences and jeu for a guarantor. Crucially different from the "Amsterdam" case, however, is that there, it involved a "copy-paste" of a picture of a signature, and thus no two-factor authentication at all. Nevertheless, the district court does not consider the 2FA sufficient. Because it is not satisfied, it is not an advanced digital signature but an ordinary electronic signature, the subdistrict court said. The question is whether the manner in which the subdistrict court analyzes this is sufficient to stand up in proceedings on the merits, also given that higher authorities have already approved this form of 2FA.

Hier is het laatste woord nog niet over gezegd, zo is de verwachting. Adobe is een gerenommeerde partij en de inrichting van de digitale handtekening mag als gedegen worden verondersteld. Daarmee is (in technische zin) voldaan aan de (cryptografische) vereisten die gesteld worden aan een geavanceerde digitale handtekening. Indien het betrouwbaarheidsniveau van de authenticatie als onvoldoende wordt bestempeld, betekent niet zonder meer dat er geen sprake meer kan zijn van een geavanceerde digitale handtekening.

The Subdistrict Court had doubts about the reliability of the 2FA, because the mobile phone to which the SMS was sent could have been read by someone other than the owner of the mobile phone (Ground 4.7). In that case, no direct link can be made between the signatory and the surety agreement, signed in this case. As a result, this deed will not have a compelling evidential value, but will be freely admissible. However, the creditor has not made any further claims in this regard, for example that the agreements have been executed. This discussion will only be able to reach a conclusion in proceedings on the merits. It may well be that if all circumstances of the case are considered, the effect of this judgment will be limited.

Hoewel daar niet over gesproken wordt, spelen ook voor crediteur spelen significante belangen. Daarbij kan de praktijk ook gebruik maken van andere authenticatiemiddelen. Zo is het gebruik van iDIN bij leningsovereenkomsten een veel gebruikt middel. Maar ook kan een gekwalificeerde digitale handtekening (op basis van een gekwalificeerd certificaat welke, zo leze men artikel 3:15a BW, sowieso gelijk staat aan de natte handtekening) uitkomst bieden in bijzondere overeenkomsten. Denk daarbij bijvoorbeeld aan een arbeidsovereenkomst, verzekeringsovereenkomst of borgstelling. Zeker omdat het sinds kort mogelijk is via de cloud een digitale gekwalificeerd certificaat aan te roepen en via je mobiel te ondertekenen.

 

You can read the full judgment via this link.