Confusion about Electronic Signature

Just finished reading Part 11 and gokeeffe’s ‘Electronic Signature Explained’ dated 03-01-2007, and now I am a little bit confused.

According to PART 11 and gokeeffe, when a user multi-signs electronic records during a single, continuous session, for the first time the user has to enter the userID and password components; and from the second time on, at least the password(s).

While I think it is a little bit redundant, since before a user makes any change to a record, they have to log into the system using USERID and passwords first. So why enter the password and/or USERID again for each record signing?

Currently what my company is doing is: the electronic signature is composed of USERID, 2 passwords (both static) and the user’s real name.

The user uses USERID and 2 passwords to log into the system, and when they sign an electronic record, the system automatically displays the user’s real name (normal text, not a signature picture) on the record without entering USERID or passwords, and we take that automatically recorded real name as equal to a manually signed signature.

Will this be fine? If not, what mechanism do we need to implement to make the electronic signature compliant?

Another concern with my company’s signing is that there might be two employees who share the same real name; we can’t be sure who’s who from the electronic record itself, though from other information in the system we will finally know who’s who.

[quote=lnda]Just finished reading Part 11 and gokeeffe’s ‘Electronic Signature Explained’ dated 03-01-2007, and now I am a little bit confused.

According to PART 11 and gokeeffe, when a user multi-signs electronic records during a single, continuous session, for the first time the user has to enter the userID and password components; and from the second time on, at least the password(s).

While I think it is a little bit redundant, since before a user makes any change to a record, they have to log into the system using USERID and passwords first. So why enter the password and/or USERID again for each record signing? [/quote]

To prove that they performed this action and not someone else while they were logged in; for example, if they left their workstation to go to the bathroom, what’s to say someone else couldn’t use the system?

What’s the point of two passwords here?

The usual method is that the user has to provide a user_id or password on signing off an electronic record once logged in. Perhaps this is also correct, but I haven’t seen this before; perhaps someone else here can provide insight.

[quote=lnda]
Another concern with my company’s signing is that there might be two employees who share the same real name; we can’t be sure who’s who from the electronic record itself, though from other information in the system we will finally know who’s who.[/quote]

The real name should not be used anyway; only the user_id should be used, and this should be totally unique for that person.

To make sure that the signing person is exactly the person who logged into the system and is the person sitting in front of the computer, is an SOP not enough? An SOP defining that people should never lend their USERID and passwords, that people should log off when they leave the computer, etc.

I asked the IT guy, and he told me that two passwords would give more security against password theft.

Inda,

Graham is right - FDA will expect that folks re-enter their password for each approval step. Keep in mind that the more passive a process or system is, the more likely it will be susceptible to fraud. The active step of re-entering the password each and every time helps to ensure the credibility of the action taken within the system: that it is taken by the authorized and responsible person.

Regards,

Kevin

I have seen this debate raging on and on… Is there really a huge risk here, or are people just creating work for the sake of creating work? What is the intent? The intent is that the true person is signing off, so does it matter if the login identifies the person and then only a password is used for signatures? There are a zillion other more significant Part 11 concerns than whether a login should be considered a signature. Of course, in a risk-averse world, just require a user name and password every time. Then you don’t even have to worry about continuous sessions. Just don’t go crazy with having e-sigs everywhere… only have them where needed.

Hi, All, we decided to employ electronic component entry when signing. But as we go on with the URS and FS, more questions arise; hope that you’ll offer a hand.

QUESTION 1:
Situation: our system requires user ID and passwords for logon, and the system requires electronic signatures when signing.

1.1 What’s the relationship between the user ID & password combination and the electronic signature? Can user ID & password combination = electronic signature, or must the two be different?

1.1.1 If the two must be different, must the electronic signature holder sign during his own logon session, or can he sign during someone else’s logon session?

1.1.1.1 If the electronic signature holder must sign during his own logon session, isn’t ELECTRONIC SIGNATURE = user ID & password combination + electronic signature?

1.2 During a single logon session, for the 2nd signing, if the user signs with a password, must the password be unique?

1.3 After the electronic record is signed electronically, apart from (1) time and date, (2) PRINTED NAME of the signer and (3) meaning, must a handwritten signature picture be shown on the record too? (Since two people might have the same name, there is no difference in (2) PRINTED NAME, so we can’t tell instantly from the record who the exact signer is.)

more questions will be coming soon.

[quote=lnda]Hi, All, we decided to employ electronic component entry when signing. But as we go on with the URS and FS, more questions arise; hope that you’ll offer a hand.

QUESTION 1:
Situation: our system requires user ID and passwords for logon, and the system requires electronic signatures when signing.

1.1 What’s the relationship between the user ID & password combination and the electronic signature? Can user ID & password combination = electronic signature, or must the two be different?
[/quote]

The user_id is a number and the signature associated with the user_id is a name (the electronic signature); so, for example, the username gokeeffe might have a user_id of 15454545.

He must sign in his/her own session.

YES

Yes, they should only have one password.

[quote=lnda]
1.3 After the electronic record is signed electronically, apart from (1) time and date, (2) PRINTED NAME of the signer and (3) meaning, must a handwritten signature picture be shown on the record too? (Since two people might have the same name, there is no difference in (2) PRINTED NAME, so we can’t tell instantly from the record who the exact signer is.)

more questions will be coming soon.[/quote]

Each username has to be unique, so for example if there were two people in the company named Jack Bauer, one might have a username of JBAUER1 and the other might be JBAUER2. The point is that they will be unique!
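To make the rules discussed in this thread concrete (the first post's point that the first signing in a continuous session needs both user ID and password while later signings need at least the password, signing only in one's own logon session, and Graham's point just above that the identification code, not the printed name, is what makes two Jack Bauers distinguishable), here is an added toy model in Python. It is not code from the forum, from gokeeffe's article or from any real system; the 15-minute idle limit, the user names, roles, passwords and record IDs are all constructed assumptions for the walkthrough.

```python
"""Toy model of a Part 11 style signing workflow (added example, not from the thread)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta


class SignatureError(Exception):
    """Raised when a signing attempt does not satisfy the rules modelled here."""


@dataclass
class User:
    user_id: str        # identification code; must be unique (JBAUER1 vs JBAUER2)
    printed_name: str   # name shown on the record; two people may share it
    role: str           # title/department, helps a reader tell the two apart
    salt: bytes
    pw_hash: bytes


@dataclass
class Session:
    user_id: str
    last_activity: datetime
    signed_in_session: int = 0   # signatures so far in this continuous session


@dataclass
class SignatureRecord:
    record_id: str
    user_id: str        # the unique component that identifies the signer
    printed_name: str
    role: str
    signed_at: datetime
    meaning: str        # e.g. "Approved", "Reviewed"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ESignatureSystem:
    IDLE_LIMIT = timedelta(minutes=15)   # assumed gap that ends a "continuous" session

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.audit: list[SignatureRecord] = []

    def add_user(self, user_id: str, printed_name: str, role: str, password: str) -> User:
        if user_id in self.users:   # identification codes are never reused
            raise ValueError(f"identification code {user_id!r} already issued")
        salt = os.urandom(16)
        user = User(user_id, printed_name, role, salt, _hash_password(password, salt))
        self.users[user_id] = user
        return user

    def _verify(self, user_id: str, password: str) -> bool:
        user = self.users.get(user_id)
        return user is not None and hmac.compare_digest(
            user.pw_hash, _hash_password(password, user.salt))

    def login(self, user_id: str, password: str, now: datetime) -> Session:
        if not self._verify(user_id, password):
            raise SignatureError("logon failed")
        return Session(user_id=user_id, last_activity=now)

    def sign(self, session: Session, record_id: str, meaning: str, now: datetime,
             password: str, user_id: str | None = None) -> SignatureRecord:
        # A long idle gap ends the continuous session: the next signing counts as a first one.
        if now - session.last_activity > self.IDLE_LIMIT:
            session.signed_in_session = 0
        if session.signed_in_session == 0 and user_id is None:
            raise SignatureError("first signing in a session needs both user ID and password")
        # Signing with someone else's components inside this logon session is refused.
        if user_id is not None and user_id != session.user_id:
            raise SignatureError("signature components do not belong to the logged-on user")
        if not self._verify(session.user_id, password):   # password re-entered every time
            raise SignatureError("password rejected")
        user = self.users[session.user_id]
        rec = SignatureRecord(record_id, user.user_id, user.printed_name, user.role, now, meaning)
        self.audit.append(rec)
        session.signed_in_session += 1
        session.last_activity = now
        return rec


def _fails(fn, exc=SignatureError) -> bool:
    try:
        fn()
    except exc:
        return True
    return False


def walkthrough() -> dict:
    """Run the thread's two-Jack-Bauers scenario (constructed data) and report outcomes."""
    system = ESignatureSystem()
    system.add_user("JBAUER1", "Jack Bauer", "Quality", "pw-one")
    system.add_user("JBAUER2", "Jack Bauer", "Receiving", "pw-two")
    t0 = datetime(2007, 3, 1, 9, 0)
    s = system.login("JBAUER1", "pw-one", t0)
    out = {}
    out["first_without_userid"] = _fails(lambda: system.sign(s, "BR-001", "Approved", t0, "pw-one"))
    r1 = system.sign(s, "BR-001", "Approved", t0, "pw-one", user_id="JBAUER1")
    out["first_record"] = (r1.user_id, r1.printed_name, r1.role, r1.meaning)
    r2 = system.sign(s, "BR-002", "Reviewed", t0 + timedelta(minutes=5), "pw-one")
    out["second_password_only"] = r2.user_id
    out["other_user_in_session"] = _fails(lambda: system.sign(
        s, "BR-003", "Approved", t0 + timedelta(minutes=6), "pw-two", user_id="JBAUER2"))
    out["after_idle_password_only"] = _fails(lambda: system.sign(
        s, "BR-004", "Approved", t0 + timedelta(minutes=30), "pw-one"))
    out["duplicate_userid"] = _fails(
        lambda: system.add_user("JBAUER1", "Jack Bauer", "QA", "x"), ValueError)
    out["audit_count"] = len(system.audit)
    return out
```

Note that the audit record carries the unique user_id and the role alongside the printed name, so the record alone answers "which Bauer signed" even though both printed names read JACK BAUER; the password is never stored, only a salted hash used to check the component re-entered at each signing.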

Hi, Graham, thanks for your response, but would you please clarify the following:

Must the logon user-id be a number and the signature id a name? I was thinking that the two could be swapped, as long as they are unique.

I think that one electronic component can be JBAUER1 for one and JBAUER2 for the other, but how about the PRINTED NAME on the electronic record? I was thinking that it should be JACK BAUER for both of them. If JACK BAUER is displayed on the electronic record, then is it a problem that we can’t tell which Bauer it is solely from the record?

So you mean that the password should be unique? Or do you mean that the electronic components have ONE password?

According to PART 11: 11.300
(b) Ensuring that identification code and password (electronic signature components) issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

The electronic signature can be revised, but by whom? By a specific department within the company, or by the holder himself? Besides, can both the identification code and the password(s) be changed, or just the password?

[quote=lnda]Hi, Graham, thanks for your response, but would you please clarify the following:

Must the logon user-id be a number and the signature id a name? I was thinking that the two could be swapped, as long as they are unique.[/quote]

Usually this is the way it is set up; perhaps the other way is also OK, but I haven’t come across that way yet.

[quote=lnda]
I think that one electronic component can be JBAUER1 for one and JBAUER2 for the other, but how about the PRINTED NAME on the electronic record? I was thinking that it should be JACK BAUER for both of them. If JACK BAUER is displayed on the electronic record, then is it a problem that we can’t tell which Bauer it is solely from the record?[/quote]

The printed signature should be unique to that person; if not, there is no way to tell the difference.

QUESTION 2:
According to PART 11: 11.300
(b) Ensuring that identification code and password (electronic signature components) issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).

The electronic signature can be revised, but by whom? By a specific department within the company, or by the holder himself? Besides, can both the identification code and the password(s) be changed, or just the password?

QUESTION 3:
Part 11, 11.200 (a)(3)
Be administered and executed to ensure that attempted use of an individual’s electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.

What does this paragraph mean? Can B & C sign for signature holder A? Or should B & C collaborate to stop the alarm in the system caused by mis-entering A’s electronic signature?

Hi Inda,
Though there may be two users that have the same first and last name in one company, the chances are they don’t have the same title, and by the signature requirements, if one is in quality and the other is in receiving, for instance, the role/title of the user signing should help determine who has signed this document electronically.
Two, as per the idea of having a scanned image of a hard copy of a signature, this makes the whole electronic signature purpose useless. The idea of electronic signatures is to reduce the timeline of the document approval process. If you add to that a hard copy image of the signature, you will be helping the economy by creating new jobs, but you are defeating the purpose of electronic signatures.
Three, from my experience with log-ins and “Electronic Signatures”, no two users could actually review/approve the same document at the same time. Depending on what document management software is used by your company, most likely a document could only be reviewed and approved by one person at a time. Good luck.