Passwords, electronic signatures

The first draft of the new requirement had draconian security requirements, softened (as is common) after a comment period Demands for biometric identifiers were replaced with password control options. But the revised final regulation was still broad in scope and necessitated extensive documentation and testing for all systems used in the industry (with even stronger controls if the user opted for electronic signatures). 

Demonstrate that electronic signatures employ at least two distinct components (user ID and password). 

Demonstrate that user ID is displayed at the time of application of the password to execute an electronic signature (i.e., at least one electronic signature component that is only executable by, and designed to be used only by, the individual). 

Demonstrate that passwords (one of the two components of electronic signatures) can only be known to the genuine owners, and cannot be viewed by anyone, including administrators of the account (at operating system and application level). 

Refer also to demo that use of invalid password does not allow access to system or permit electronic signature. 

Demonstrate that the system includes controls to detect multiple attempts at unauthorized use (e.g., repeated login attempts/failed password entry on login and electronic signature). 

Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include ... 

Test identification code/password or biometric electronic signature/de-vices (as applicable)... 

In combination with PINs, Part 11.300 allows the use of password-based signatures. As stated in Chapter 15, there are two PIN/password based authentication schemes static passwords and dynamic passwords. The same PIN/password combination used for authentication may also be used for an electronic signature. The affixing of a signature to... 

Systems that use a password/ID code-based nonbiometrics electronic signature are common, and use both a PIN and a password as authentication and as an electronic signature. The combination of the PIN and password must be unique. Generally, companies and organizations ensure that the PIN is unique so that if, by coincidence, two persons create the same password, this does not result in two identical electronic signatures. Furthermore, firms generally establish unique (but not confidential) PINs. 

The records/signatures linking using password/ID code-based signatures is either based on the use of software locks, on storing the electronic signature in a database table... 

Administration of electronic signatures based on the combination of user-ID and password must be designed in such a way that the misuse of an electronic signature requires the cooperation of at least two people (e.g., divulging of one s password to a eolleague). Only the owner of the signature must know the eombination, whieh typieally means only the owner knows their seeret password. 

It must be ensured that the rmauthorized use of a user-lD/password combination for an electronic signature is deteeted by the system and that the company s relevant authorities are notified immediately. It must always be ensured that the system design does not permit such misuse — this must be verified as part of the validation. 

The following Table 10 summarizes the organizational requirements for the use of electronic signatures based on user ID and password. 

Table 10 Organizational requirements for electronic signatures using ID and password...

With this I recognize the electronic signature used in [Company] know that the electronic signature is intended to be the legally equivalent of traditional and handwritten signature. I confirm that I pass on my password used for electronic signature to... 

Demo that user ID (an essential element of user ID/ password combination comprising the electronic signature) is not reusable by deletion/recreation, overwrite, or other means. 

Witnessing of electronic data is accomplished by routing electronically the file to the witness. That person will access the file, review its entire contents, and indicate that he read and understood the content by applying an electronic signature. The process is similar to the authentication performed with a unique user ID and a password. The system will automatically and independently provide a date and time stamp and will log this event. The file will then be routed back to the authoring party or the author will be sent an electronic notice confirming that the signature has been completed. 

Access to the system must be limited to authorized persons. The type of security will depend on whether the system is open or closed. Electronic signature technologies include identification codes (user names, passwords) or more sophisticated biometric systems (based on measurement of physical features such as palm prints, finger prints, or iris or retinal pattern scanners). The latter is expensive and less likely to be implemented, especially for multiple users. User names and passwords must be unique and never reassigned. Passwords should be changed periodically. 

Verify management, record, periodic revision, renewal, and misuse detection controls for password authority to electronic records Verify (for open systems) the use of document encryption and appropriate digital signature standards to ensure record authenticity, integrity, and confidentiality... 

---