Digital signature with SMS authentication legally valid?

Is a digital signature by email/SMS authentication legally valid? On October 7, 2020, the Court of Zeeland/West Brabant made a ruling on this subject that creates doubt. Therefore, given the speed at which digitalization is developing, especially now, this ruling cannot go unmentioned.

Why this ruling? A company takes out a loan, whereby the (presumably) sole shareholder enters into a surety agreement as security. The company goes bankrupt, the guarantor does not pay and invokes the invalidity of the digital signature. The subdistrict court weighs its options and finds in favour of the guarantor.

The digital signature involves an e-mail combined with an SMS. It concerns, in jargon, a 'two-factor authentication' (or: '2FA'). This form of authentication is based on the principle 'something the user knows and something the user has'. In the case of an e-mail combined with an SMS, this can be applied in this way: The user knows his or her e-mail login credentials and has a cell phone on which SMS messages are received. This form of 2FA has recently been accepted by both Supreme Court (HR 14 June 2019, ECLI:NL:HR:2019:957) as well as Council of State (RvS 30 April 2019, ECLI:NLRVS:2019:1400) as sufficiently determinable, provided of course that it is technically correctly set up.

The subdistrict court emphasizes the importance of the agreement at issue, a surety agreement. It also indicated that potential abuse in digital signing should not be taken lightly. This line of thinking is (literally) inspired by an earlier decision of the District Court of Amsterdam of December 11, 2019 (ECLI:NLRBAMS:2019:8755). There is also certainly something to be said for it, given the major personal consequences and jeu for a guarantor. Crucially different from the "Amsterdam" case, however, is that there, it involved a "copy-paste" of a picture of a signature, and thus no two-factor authentication at all. Nevertheless, the district court does not consider the 2FA sufficient. Because it is not satisfied, it is not an advanced digital signature but an ordinary electronic signature, the subdistrict court said. The question is whether the manner in which the subdistrict court analyzes this is sufficient to stand up in proceedings on the merits, also given that higher authorities have already approved this form of 2FA.

There is no final word on this, it is expected. Adobe is a reputable party and the design of the digital signature may be assumed to be sound. Thus (in a technical sense) the (cryptographic) requirements set for an advanced digital signature have been met. If the reliability level of the authentication is labeled as insufficient, it does not automatically mean that there can no longer be any question of an advanced digital signature.

The Subdistrict Court had doubts about the reliability of the 2FA, because the mobile phone to which the SMS was sent could have been read by someone other than the owner of the mobile phone (Ground 4.7). In that case, no direct link can be made between the signatory and the surety agreement, signed in this case. As a result, this deed will not have a compelling evidential value, but will be freely admissible. However, the creditor has not made any further claims in this regard, for example that the agreements have been executed. This discussion will only be able to reach a conclusion in proceedings on the merits. It may well be that if all circumstances of the case are considered, the effect of this judgment will be limited.

Although not discussed, there are significant interests at play for creditor as well. In doing so, practitioners may also use other means of authentication. For example, the use of iDIN in loan agreements is a common means. But also a qualified digital signature (on the basis of a qualified certificate which, according to Article 3:15a of the Dutch Civil Code, is in any case equal to the wet signature) can offer a solution in special agreements. Think for example of an employment contract, insurance contract or surety bond. Especially since it has recently become possible to call up a digital qualified certificate via the cloud and sign via your mobile phone.

 

You can read the full judgment via this link.