Leegality's paranoia births The Certificate verifier

August 6, 2024

Summary

As my last blog post showed, where I talked about Leegality’s epiphany with Workflows and how we re-evaluated the very core of our product, we don’t build something and sit on it.

Workflows didn’t happen because someone magically thought of it and we built it. There is constant ideation about every single thing in the product, and this is how we innovate.

The eSign infrastructure, while having security and enforceability built into it, still had some shortcomings. Clients and prospects kept asking us how we could ensure that the Aadhaar eSign is completed using the Aadhaar of their customer – and not the Aadhaar of a friend or family member.

The Problem

When a Leegality User sends a document for signing, they send it to a particular customer/borrower/partner. They intend for that partner to sign the document using their own Aadhaar or DSC Token. If the signatory signs using another Aadhaar or DSC Token, then the signature, and the contract, are as good as void!

In the status quo, the following validations are a part of the signing process:

  • Aadhaar: OTP/Biometric/Iris and prior verifications upon issuance of Aadhaar
  • DSC Token: PIN-protected token and KYC upon issuance

While these validations ensure the security of the document and signature, there is a clear gap in identification here. There is no way to ensure that the signature belongs to the person who is supposed to sign the document.

E.g. a renowned bank sends a loan agreement for signing to Ritik Garg, but Ritik tries to be clever and signs the document using his sister Ridhima’s Aadhaar number.

Here, even though the signature is genuine, the signer is not.

Introducing Certificate Verifier

Certificate verifier is a system developed by Leegality that ensures the signer cannot Aadhaar eSign or DSC Sign a document unless they are using their own Aadhaar or DSC Token.

Both kinds of electronic signature – Aadhaar eSign and DSC Token-based eSign – operate on the basis of an ‘Electronic Signature Certificate’. This Certificate is issued by a Certifying Authority and is a record of the electronic signature itself. More importantly, the certificate contains the signer’s public key, one half of the asymmetric key pair that forms the core of the eSign system in India.

This video by PKI India beautifully articulates how digital signatures operate.

The Certificate contains certain information about the ‘holder’, i.e. the Aadhaar holder or the person in whose name the DSC Token is issued:

The above parameters are also information that Leegality Users usually collect from signers – be it for KYC or for populating the template of the agreement.

Thus, the above information about the signer – during a signing journey – will be present in two locations. One, with the Leegality User and two, on the Electronic Signature Certificate.

Leegality’s Certificate Verifier compares the signer information possessed by the Leegality User with the signer information on the Electronic Signature Certificate.

If there is a mismatch, the signature will not be affixed on the document. If there is no mismatch, the signing journey will proceed unhindered.

Let’s take the example of the naughty customer Ritik above. As mentioned above, he is taking a loan from the renowned bank – but is using his sister’s Aadhaar card to eSign the document.

In this scenario, the signer information is as follows:

There is a clear mismatch on the parameters. Therefore, the signature will fail. Ritik won’t be able to eSign the loan agreement using his sister’s Aadhaar card – and the renowned bank is saved a lot of headache.

Ritik will then need to drop his clever act and eSign the agreement using his own Aadhaar.

BUT!

We know what your next question is going to be. We know.

Nothing is perfect. Certainly not in India.

There is an old idiom – “Nothing in life is certain, except death and taxes”. In India, this idiom can be modified to “Nothing in life is certain, except death, taxes, and discrepancies in a person’s ID”.

The Verification feature, as mentioned above, did not take into account the volatility of one of the core parameters of the feature – the name!

With so much diversity in our country with respect to languages, cultures, attires – names are no different.

Some people take up their middle name in official documents but not in correspondence, some are addressed by their last name. Sometimes official documents spell their names incorrectly!

In the above scenario, it is highly plausible that while Ritik’s full name is Ritik Garg – the name he puts on all forms and KYC documents – his Aadhaar spells his name as “Ritik Kumar Garg”.

In such a scenario, the Aadhaar Verification system, implemented in the manner mentioned above – would reject signatures even if Ritik signed using his own Aadhaar card!

Introducing: Smart Name Verification

To tackle this problem we created a “Smart” verification system. It operates on a percentage-based model: the Leegality User sets a minimum percentage match that the comparison between the user-provided name and the name in the certificate must reach for the signature to be successful.

Let’s continue the previous example of Ritik, only this time he is not trying to be clever. Now the bank has made a mistake and put in his commonly used name, Ritik Garg, instead of the “official” Ritik Kumar Garg.

P.S. It was an honest mistake this time.

Now the certificate verifier would see the discrepancy at face value and reject the signature. However, if Smart Name Verification is turned on, it will check whether the name match falls within the allowed range (say, a minimum of 60%), and if it does, the signature will be successful.

Below are some examples of how Smart Name Verification rates the percentage matches in various scenarios:

The algorithm takes into account various factors such as:

  • The practice of having middle names in official names
  • Using the last name as the first name
  • Using initials in a name

This ensures that any minor mismatches are passed through and only the blatant mismatches are filtered.

This results in an intuitive and seamless verification and filtration process – taking care of the verification needs of the Leegality User while also ensuring that genuine signatures are not rejected on account of minor discrepancies.
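The following is an added illustration of percentage-based name matching against a configurable minimum; it is not Leegality’s algorithm, which this post does not publish. The function names, the token-overlap scoring, the 0.5 weight for initials and the ASCII-only tokenizer are all assumptions made for the example.

```python
import re

def _tokens(name):
    # Assumption: Latin-script names. Lower-case, drop punctuation, split on
    # whitespace, so "R. K. Garg" becomes ["r", "k", "garg"].
    return re.sub(r"[^a-z\s]", " ", name.lower()).split()

def _token_score(a, b):
    # 1.0 for identical tokens; 0.5 when one side is a single-letter initial
    # of the other (assumed weight: an initial is weaker evidence than a name).
    if a == b:
        return 1.0
    if (len(a) == 1 or len(b) == 1) and a[0] == b[0]:
        return 0.5
    return 0.0

def name_match_percent(expected, cert_name):
    """Order-insensitive token overlap between the name held by the sender
    and the name on the signature certificate, as a percentage."""
    exp, cert = _tokens(expected), _tokens(cert_name)
    if not exp or not cert:
        return 0.0
    remaining = list(cert)
    matched = 0.0
    for tok in exp:
        # Greedy: pair each expected token with its best unused certificate
        # token, so "Garg Ritik" and "Ritik Garg" compare as equal.
        best = max(remaining, key=lambda c: _token_score(tok, c), default=None)
        if best is not None and _token_score(tok, best) > 0:
            matched += _token_score(tok, best)
            remaining.remove(best)
    # Dice-style ratio: an extra middle name lowers the score, it does not zero it.
    return round(100 * 2 * matched / (len(exp) + len(cert)), 1)

def signature_allowed(expected, cert_name, threshold=60.0):
    # threshold is the minimum percentage configured by the sender.
    return name_match_percent(expected, cert_name) >= threshold

if __name__ == "__main__":
    # Constructed sample pairs based on the names used in this post.
    for sent, on_cert in [("Ritik Garg", "Ritik Kumar Garg"),
                          ("Garg Ritik", "Ritik Garg"),
                          ("R. K. Garg", "Ritik Kumar Garg"),
                          ("Ritik Garg", "Ridhima Garg")]:
        pct = name_match_percent(sent, on_cert)
        print(f"{sent!r} vs {on_cert!r}: {pct}% allowed={signature_allowed(sent, on_cert)}")
```

With these constructed inputs the sibling pair shares a surname and still scores 50%, so a minimum set at or below that value would let the mismatch through.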

Contact us now to know more about how Leegality can remove the paper out of your paperwork!