The EU eIDAS Regulation makes qualified e-signatures legally equivalent to handwritten ones across the EU. Remote qualified signing, also known as central signing, server-side signing or cloud signing, is the creation of such signatures on a server that holds the user’s signing keys; eIDAS explicitly allows this.
There are many benefits of remote signing whether it’s for qualified, Adobe® AATL or any other type of signature:
No need to deploy specialist hardware devices (e.g. smartcards/tokens)
No need for users to install specialist software apps or plug-ins, just sign from any device, anywhere
All crypto keys managed centrally and automatically without user involvement
Security policy defined and controlled centrally
Both capital and operational expenditure significantly reduced
All signing actions and authorisations are recorded centrally
Delivering eIDAS-compliant remote qualified signatures, with strong non-repudiation in a court of law, requires proof that the centrally held signing keys always remained under the sole control of the owning user. Ascertia SigningHub has an innovative approach to meeting this requirement.
User signing keys and certificates are stored centrally, protected via a certified HSM (Common Criteria EAL4+ certified according to EN 419221-5 Protection Profile). No need to deploy expensive smartcards and readers, or even USB tokens. Users can easily sign using any device without installing specialist software.
The signer is asked to authorise every signing transaction involving their signing key via a notification to their mobile app. The signer authorises the transaction using the fingerprint authentication built into iOS and Android, or the mobile device PIN. The mobile app then creates a digitally signed authorisation message that cryptographically binds the document being signed, the user’s ID and the registered mobile device fingerprint.
The authorisation message is signed using a private key held in the mobile’s Secure Element tamper-resistant hardware chip. This key pair is created and certified by the relevant SigningHub CA when the user registers this mobile for authorisation purposes.
The user can only authorise transactions from their pre-registered devices. This device locking provides an extra layer of security and assurance.
The signed authorisation response from the user’s mobile is logged by SigningHub as proof the user authorised the remote signing transaction.
Our solution for authorised remote signing was the first in the world to be certified against the Common Criteria EAL4+ EN 419 241-2 Protection Profile. This is formal proof of compliance with the eIDAS Regulation for creating remote qualified signatures with “Sole control” Level of Assurance 2.
The authorised remote signing solution can be embedded into any third-party business web application by making direct calls to the SigningHub engine. Alternatively, the whole SigningHub application can be embedded through its REST/JSON API. Authorised remote signing is also available through our mobile browser, iOS/Android apps and our popular third-party business application connectors.
We can provide automatic integration with any Microsoft CAPI/CNG-enabled application such as Word, Edge or third-party Windows® applications. This is achieved with our Virtual CSP component, which hooks into the Windows® stack and allows user registration, central generation and certification of user signing keys, and signing using authorisation from the mobile app.
Use our complete built-in SigningHub PKI system (CA, OCSP, TSA and Archive Authority), an existing enterprise PKI, or one of our global PKI service provider partners. Either way, you get automatic key generation, storage and certification – all done transparently without the user’s involvement.
1. The user initiates signing on SigningHub.
2. The user is notified on their mobile device that a signing operation requires authorisation, and authorises it via a cryptographically protected “Signature Activation Protocol (SAP)”.
3. The Signature Activation Module (SAM) verifies the user’s authorisation before signing on the server.
With SigningHub, authorising the bulk signing of multiple documents is easy and efficient. Just select all your pending documents and click “bulk sign”. A single authorisation request identifying all the documents is sent to your mobile app. A single fingerprint approval from you creates the signed authorisation response for the whole document list. The SigningHub server verifies the authorised list before bulk signing with your server-held signing key.
Kent Thoresen
Senior Consultant at Commfides Norge AS