Each year more and more business, leisure and personal transactions move online. Yet the handwritten signature continues to have an almost mystical power in the minds of lawyers, organisations – and many of us who are asked to sign forms.
This article, originally written for UXMatters as ‘Signatures and Signing Ceremonies’ in August 2012, challenges the designers of forms to ask whether a signature is really necessary, explores the tricky area of authentication, and makes some suggestions for alternatives to signing on the dotted line.
Nobody checks the signature
Does your signature look like one “drawn by an unusually talented chicken”?
That’s how John Hargrave described his signature, and he started to worry about it—particularly when thinking about using his credit card:
In my lifetime, I have made nearly 15,000 credit card transactions. I purchase almost everything on plastic. What bugs me about credit card transactions is the signing. Who checks the signature? Nobody checks the signature.
He tried increasingly bizarre ways of signing his credit card receipts in a vain attempt to persuade someone to check the signature. Here’s an excerpt from an early episode:
“So far, I had tried altering my signature in a number of ways, but what if I didn’t even sign my own name? First, I lobbed a slow ball.” [He signed the credit card slip as Mariah Carey.] “The waitress at the restaurant didn’t say anything, probably because I am mistaken for Mariah Carey all the time. Except for the goatee and the back hair, we are like twins.”—John Hargrave, in The Credit Card Prank.
Signatures are still important for some transactions
While the Hargrave prank was fun, he mainly showed that by 2010, most credit card transactions in the US no longer require a signature. But there are many other transactions where signatures live on.
Spoiler alert—If you read right to the end of the Hargrave story, in the last episode, he tries, tongue firmly in cheek, to purchase the most expensive flat-screen TV he could find using the signature ‘Not Authorized’. Foiled at last, he’d found an example that required a real signature.
Recently, I’ve had to sign documents for a couple of transactions:
- telling the vehicle licensing authority that I’d sold a car
- authorising some changes to my pension plan
But if we think about it, both the paper form and the signature have become rather outdated, haven’t they? Think of all those steps:
- Get the paper form.
- Fill it out.
- Sign it.
- Find an envelope.
- Address the envelope.
- Insert the form.
- Seal the envelope.
- Get a stamp.
- Affix it to the envelope.
- Post it off.
Sounds almost as quaint as traveling by horse and buggy, doesn’t it? It’s slow, prone to error, and creates expense and delay for both the user and the organisation that has to deal with all that paper.
But it’s that signature step that stops many organisations from replacing paper forms with speedier and more convenient online transactions.
A real signature needs authentication
One thing that fascinates me is that organisations often dogmatically insist that a paper signature is essential, but have no process whatsoever for authenticating that signature. My view is that, if you’re not taking steps to check the identity of the signer and making some effort to assure yourself that the signature belongs to the signer, the signature on the paper could be from Mickey Mouse and no one would ever know—just as in the Hargrave prank.
So the first question to ask when exploring whether a signature is really necessary is: “What steps do you currently take to ensure that a signature is authentic?”
A signature on paper has mystical power
Given that paper signatures rarely get authenticated, they’re really somewhat worthless. But they still seem to have some mystical power in the minds of lawyers and organisations and, I believe, in the minds of users who sign forms.
When testing the usability of paper forms, I’ve certainly had plenty of participants who were reluctant to sign a form during a usability test—whether as themselves or as made-up people whose story they happened to be enacting—which I, of course, completely respect. They sometimes put an X where they would ordinarily sign, but generally they prefer to stop and discuss signing the form, which is fine by me.
Dan Ariely discusses the mystical power of signatures in his 2012 book The Honest Truth about Dishonesty. In one example, groups of MIT and Yale students took a test that was set up in a way that made cheating easy. The students who were asked to sign a pledge to abide by their institution’s honour code immediately before taking the test cheated less than those who were not asked to sign—even though neither institution actually has an explicit honour code. The researchers got similar results during a much larger experiment with the general public, requiring participants to sign insurance forms before filling them out rather than at the end. It seems that signing a declaration of honesty before performing a task can help to improve the honesty with which people perform that task.
More typically, the signature signals completion or the end of a user’s turn in the conversation that a form embodies. Ariely reports that he suggested to the IRS—the USA tax authority—that they move signatures from the end of their forms to the beginning, with the aim of reducing taxpayer dishonesty. He says they turned him down flat without articulating their reasons. I wonder whether they may have been considering the usability problems that occur if the signature comes before the end of the form, which they have discovered. For example, the old IRS 1040X form, shown in Figure 1, had the signature box at the end of page 1 of the two-sided form. Many people signed it, then failed to realise that they needed to turn the form over to complete its reverse side.
Other questions to ask when exploring whether a signature is really necessary focus on the task and who has control of the task. For example:
- What task is happening here?
- Do users need to signal the end of the task?
- Do users want to show that they are handing over control of the task to the organisation?
An electronic signature needs authentication
In the electronic world, the ideal signature needs authentication—some attempt to identify that the person filling in the form is actually the person he purports to be.
The true digital signature includes cryptography and provides both authentication and nonrepudiation—that is, it proves both that the person who has signed a form is who they say they are and that they did actually sign it, so can’t claim later that they didn’t sign it. It also offers integrity—that is, that no one has altered the document itself since it was signed.
Some technical- or security-minded people have adopted digital signatures, and some types of applications—for example, those for the pharmaceutical industry—appear to be quite keen on them. But they haven’t been widely taken up.
I think this is partly because, in practice, the way you activate a digital signature is by authenticating yourself to the computer with the signing program on it—or putting this another way, you log in—nearly always with a user name and password. So, in practice, digital signatures may turn out to be no more secure than the good old user name and password combo. Of course, there are fancier ways to authenticate users, but that’s another story for another day.
The third question to ask when exploring whether a signature is really necessary is: “If we have a good way of authenticating a user, could that replace the signature?”
An electronic signature needs mystical power
As I just mentioned, part of the problem with digital signatures is that they’re rather too much like an ordinary log in. Another problem is that a digital signature doesn’t look like a proper, written signature. If it doesn’t look right, it doesn’t feel right—and for many people, that means it lacks that mystical power of the signature.
Possibly in an attempt to increase the mystical power of digital signatures, Adobe lets users change the appearance of their digital signature to something that looks personal, as shown in Figure 2. The first example, for an attorney, is for the US and European markets; the three red circles with characters in them are for the Japanese and Chinese markets, where people sign paper documents with seals rather than written signatures.
Figure 2—Examples of digital signatures from Adobe
Similarly, a scanned image of a written signature falls into the category of mystical signatures. Why mystical? Because who knows whether that image is an authentic image of a person’s actual signature? Who knows who copied that image into the document? Who knows whether someone has altered the image—perhaps Photoshopped it? But many people would consider such an image to be more like their actual signature than any computer authentication scheme.
Signing ceremonies provide a good alternative
If your need for a signature on a paper document is mostly about the mystical power of signatures, you could consider replacing it with a signing ceremony—some sequence of activities that:
- reflects the importance of the task
- signals the end of a user’s part of a task
- hands over control of the conversation, and the task that it embodies, from the user to the organisation that is to perform the next step.
Don’t dismiss the importance of signing ceremonies. A nice little signing ceremony—like asking users to type ‘I agree’ into a box—can be quite a good way of showing a level of commitment.
I know that some signing ceremonies have become completely devalued. For example, it is now rare for users to attach much importance or emotional commitment to the standard ceremony of a website’s asking them to read a ludicrously long page of incomprehensible legalise, then click an I agree button. I refer to these devalued ceremonies as EULA signing ceremonies, for the End User Licence Agreements that often include them.
But leaving those devalued EULA ceremonies aside, I have seen some good signing ceremonies that appear to work very nicely. My favorite example is the UK Money Claim Online, which allows you to sue for up to £5000 in the UK courts by: creating your user name and password, filling in a form that is relatively straightforward—considering that it starts a legal process, typing your name in the Statement of Truth box shown in figure 3 below and paying a modest fee
The fourth question to ask when exploring whether a signature is really necessary is: “Could we replace the signature with a signing ceremony that would offer an appropriate end to a task?”
Does a task warrant a signature at all?
Another way of looking at this problem is to ask whether a task really warrants a signature of any type. If there is no risk to the user or the organisation, why worry?
HM Revenue and Customs, the UK tax authority, has an online form that demonstrates this. It lets you submit a no-payment-due return for PAYE, for any account you feel like making up. PAYE is the tax an employer deducts from an employee’s pay. If an employee has a low income or no income in a particular month, no payment is due.
If the account you make up happens to match a genuine one, there’s not a great deal of harm done. Either, by extraordinary coincidence, no payment really was due, or the genuine employer makes their usual monthly payment and that overrides the false form submission.
But in the opposite circumstance, where an employer genuinely has no payment due, it saves the Revenue and the employer quite a lot of hassle if the employer does indeed send in that no-payment-due return.
A fifth pair of questions to ask when exploring whether a signature is really necessary are: “What is the risk to the user if we drop the signature entirely? What is the risk to the organisation?”
Replace a signature with an email authentication sequence
Whitney Quesenbery points out that many websites have abandoned signatures entirely in favour of an authentication sequence using email. The typical steps:
The transaction asks you for an email address.
- The organisation sends an email message to that address, with a link to click.
- If you want to go ahead with the transaction, your click authenticates you.
This is very similar to an ordinary password retrieval or reset process, but cuts out the extra step of logging in and has the advantage that it’s not necessary to set up any permanent account.
As one friend put it to me, “I just wanted to deal with the issue; I didn’t want a permanent relationship with the organisation.”
I know it’s hard to convince our organisations that they don’t really want to maintain lots of user accounts that users didn’t want in the first place and have immediately forgotten about. But we can try.
So the final question is: Could we use email authentication instead of a signature?
Unfortunately, the need for a signature continues to block our moving from paper to electronic transactions. A good signature process provides authentication—that is, proof that a user really is the person who is agreeing to a transaction.
But signatures also seem to have a mystical power, in the minds of both lawyers and users.
So, if you’re trying to move from a paper signature to an online process, I suggest that you explore these questions:
- What steps do you currently take to ensure that a signature is authentic?
- What task is happening?
- Do users need to signal the end of a task?
- Do users want to show that they are handing over control of a task to an organisation?
- If there were a good way of authenticating a user, could it replace a signature?
- Could we replace a signature with a signing ceremony that would offer an appropriate end to a user’s task?
- What would be the risk to a user if we were to drop signatures entirely? What would be the risk to an organisation?
- Could we use email authentication instead of a signature?
Before taking this advice to a lawyer, please sign here ______________ to say that you agree that any action you take based on this column in entirely your own responsibility.
photo credit: Signature by hierher, creative commons