Digital signatures
Transaction signing methods and digital signature validation for secure payment authorization
Introduction
Digital signatures provide secure authentication and non-repudiation for transactions in LYNKS. When users sign payments and other operations, the system validates certificates, maintains complete signature history, and ensures compliance with eIDAS regulations.
The legal status of signatures depends on the authentication method used. Only qualified electronic signatures (LuxTrust) provide legal equivalence to handwritten signatures under eIDAS regulations. Other signature methods provide advanced electronic signatures with contractual validity based on the terms agreed between parties.
This section covers the signature methods available in LYNKS, the signing workflow, certificate validation, and the distinction between "signing" and "approving" operations.
Signature methods
LYNKS supports multiple signature methods to accommodate different security requirements and user preferences.
User-based signature methods
LuxTrust
LuxTrust provides qualified electronic signatures using digital certificates compliant with eIDAS regulations. Users can sign transactions using:
- SmartCard - Physical card with card reader
- Signing Stick - USB device authentication
- LuxTrust Mobile App - Mobile-based signing
LuxTrust is the only signature method that provides qualified electronic signatures with legal equivalence to handwritten signatures under eIDAS regulations. These signatures are legally binding and suitable for high-value transactions, regulatory filings, and situations requiring the highest level of legal certainty.
For detailed authentication setup, see LuxTrust - Qualified electronic signatures.
LYNKS mobile app
The LYNKS mobile app provides advanced electronic signatures using INCERT certificates stored in the secure enclave of mobile devices. Key features include:
- Push notifications - Users receive signing requests directly on their mobile devices
- Biometric authentication - Face ID or Touch ID for signature confirmation
- Offline approval capability - Review and sign transactions without continuous connectivity
- Device binding - Certificates are tied to specific mobile devices
- Remote deactivation - Administrators can remotely disable compromised devices
INCERT is a Luxembourgish certificate authority owned by the Chamber of Commerce and the Luxembourg government; it is the same certificate authority that is used for national identity documents.
Legal Status: LYNKS mobile app signatures are advanced electronic signatures under eIDAS. While they are not qualified electronic signatures with automatic legal equivalence to handwritten signatures, they constitute a contractual engagement between parties. The legal validity is based on the agreement between the parties using the platform, providing strong authentication and non-repudiation within the contractual framework.
For detailed authentication setup, see LYNKS Mobile App - Mobile authentication and push notifications.
Single sign-on (SSO)
SSO authentication provides simple electronic signatures through identity provider authentication. When configured with identity providers (Microsoft Azure AD, Google Workspace, Okta), SSO offers:
- Simple authentication-based approval - User identity verification through SSO login
- Centralized credential management - Integrated with corporate identity systems
- Redirect-based authentication flow - Browser-based authentication process
Technical Note: OAuth2 and SAMLv2 protocols do not define electronic signature mechanisms. SSO authentication in LYNKS functions as a simple electronic signature under eIDAS, equivalent to a user clicking to confirm an action after authentication. This authentication-based approval is suitable for low-risk operations and routine approvals where higher levels of signature assurance are not required.
Legal Status: SSO-based approvals are simple electronic signatures under eIDAS (Article 3.10), representing user intent through authenticated consent. They do not provide the technical guarantees of advanced or qualified electronic signatures and should only be used for operations where this level of assurance is acceptable within the organization's risk framework.
For detailed authentication setup, see Single Sign-On - OAuth2 and SAMLv2 authentication.
Custom signature solutions
LYNKS supports integration of custom signature solutions to meet specific client requirements. Organizations with existing signature infrastructure or specialized needs can implement additional authentication methods:
- Certificate-based authentication - Integration with client-specific PKI infrastructure
- Hardware security modules (HSM) - Support for dedicated cryptographic devices
- Custom certificate authorities - Trust chain configuration for client-managed CAs
- Specialized signature protocols - Integration of industry-specific signature standards
Custom signature solution implementations are configured on a per-tenant basis to meet regulatory, operational, or security requirements specific to the organization.
For information about implementing custom signature solutions, contact [email protected].
Automated signature methods
Auto-Approve
Signatory rules can be configured to automatically approve payments meeting specific criteria. When a payment falls under an auto-approve rule, the system:
- Automatically signs the transaction using a system certificate
- Bypasses manual signature requirements
- Immediately submits the payment to the bank
Auto-approve is suitable for low-risk payments, recurring transactions, or scenarios where manual review is not required.
For signatory rule configuration, see Signatory Rules - Approval workflow configuration.
Auto-Reject
Signatory rules can be configured to automatically reject payments meeting specific criteria. When a payment falls under an auto-reject rule, the system:
- Automatically rejects the transaction
- Prevents the payment from being sent to the bank
- Records the rejection in the audit trail
Auto-reject is useful for blocking prohibited transaction types, enforcing payment policies, or preventing payments to blacklisted accounts.
API-based signing
External systems can create and sign transactions programmatically using the LYNKS API with X.509 certificate-based authentication. The API validates:
- Certificate validity - Ensures the certificate is not expired or revoked
- Trust chain verification - Confirms the certificate is issued by a trusted authority
- Signature validation - Verifies the JWS detached signature in the X-Signature header
API-based signing enables automated payment creation from enterprise systems (ERP, treasury management systems) while keeping signature validation and the audit trail in place.
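The detached-signature check listed above, written out as an added example in Go; this is not LYNKS code and does not show the platform's actual API contract. The signer base64url-encodes a JOSE header and the raw request body, signs that input, and sends only "header..signature" in X-Signature, so the body travels once; the verifier re-attaches the body it actually received, which is what makes any change to the body detectable. RS256, the header field names, the kid value and the JSON body are assumptions for illustration; a real server would take the public key from the caller's validated X.509 certificate rather than hold it in memory.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// signingInput is BASE64URL(header) "." BASE64URL(payload). The payload is
// the raw HTTP body, which is exactly the part a detached JWS leaves out.
func signingInput(header, body []byte) string {
	return b64.EncodeToString(header) + "." + b64.EncodeToString(body)
}

// DetachedJWS signs body with RS256 (assumed algorithm) and returns the
// compact serialization with the payload section empty: "<header>..<sig>".
func DetachedJWS(key *rsa.PrivateKey, keyID string, body []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": keyID})
	digest := sha256.Sum256([]byte(signingInput(header, body)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(header) + ".." + b64.EncodeToString(sig), nil
}

// VerifyDetached re-attaches the received body and checks the signature with
// the public key bound to the caller's certificate. The algorithm is pinned:
// a header claiming anything other than RS256 is rejected before any crypto.
func VerifyDetached(pub *rsa.PublicKey, token string, body []byte) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[1] != "" {
		return "", errors.New("not a detached compact JWS")
	}
	header, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(header, &hdr); err != nil || hdr.Alg != "RS256" {
		return "", errors.New("unsupported or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(signingInput(header, body)))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature does not match body")
	}
	return hdr.Kid, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed request body; the creditor value is a placeholder.
	body := []byte(`{"amount":"1250.00","currency":"EUR","creditor":"LU00 EXAMPLE"}`)
	token, _ := DetachedJWS(key, "erp-cert-01", body)
	fmt.Println("X-Signature:", token)
	kid, err := VerifyDetached(&key.PublicKey, token, body)
	fmt.Println("verified, kid =", kid, "err =", err)
	// A body that differs from what was signed fails verification.
	modified := []byte(strings.Replace(string(body), "1250.00", "9250.00", 1))
	_, err = VerifyDetached(&key.PublicKey, token, modified)
	fmt.Println("modified body:", err)
}
```

The verifier never trusts the header to pick the algorithm, and it reconstructs the signing input from the bytes it received rather than from anything the client claims; both are the properties that make the X-Signature check meaningful.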
Transaction signing workflow
The transaction signing workflow ensures proper authorization before payments are submitted to banks.
Transaction creation and signature request
When a user creates a payment, LYNKS validates the transaction against signatory rules to determine authorization requirements:
- Parameter validation - The system checks the transaction against all signatory rule parameters (account, amount, currency, payment category, counterparty)
- Rule matching - The first matching signatory rule is applied to the transaction
- Signatory selection - The rule determines which users or user groups are eligible to sign
- Status transition - The payment moves to "Waiting for signature(s)" status
- Notifications sent - Eligible signatories receive notifications via email and push notifications
If no signatory rule matches the transaction parameters (a gap), the payment is automatically rejected.
For signatory rule configuration, see Signatory Rules - Approval workflow configuration.
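The routing steps above, as an added example in Go that is not the LYNKS implementation: every rule parameter is checked, the first matching rule wins, its action decides the status, and a payment that matches no rule (a gap) is rejected rather than left without an authorization requirement. The field names, action strings, status strings and sample rules are assumptions for illustration.

```go
package main

import "fmt"

// Hypothetical model, not the LYNKS data model: the parameters a signatory
// rule is matched on.
type Payment struct {
	ID, Account, Currency, Category string
	Amount                          float64
}

// Rule parameters; an empty list or a zero MaxAmount means "any".
// Action is "sign" (manual signatures), "auto-approve" or "auto-reject".
type Rule struct {
	Name                             string
	Accounts, Currencies, Categories []string
	MinAmount, MaxAmount             float64
	Action                           string
}

// anyOf treats an empty parameter list as "matches anything".
func anyOf(set []string, v string) bool {
	if len(set) == 0 {
		return true
	}
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// Matches checks every rule parameter against the payment.
func (r Rule) Matches(p Payment) bool {
	return anyOf(r.Accounts, p.Account) && anyOf(r.Currencies, p.Currency) &&
		anyOf(r.Categories, p.Category) && p.Amount >= r.MinAmount &&
		(r.MaxAmount == 0 || p.Amount <= r.MaxAmount)
}

// Route applies the first matching rule and returns its name and the
// resulting status. No match is a gap, and a gap is rejected: a payment
// outside every rule must never reach the bank without authorization.
func Route(p Payment, rules []Rule) (string, string) {
	for _, r := range rules {
		if !r.Matches(p) {
			continue
		}
		switch r.Action {
		case "auto-approve":
			return r.Name, "Authorized"
		case "auto-reject":
			return r.Name, "Rejected"
		default:
			return r.Name, "Waiting for signature(s)"
		}
	}
	return "", "Rejected" // gap: fail closed
}

// Constructed sample rules; order matters because the first match wins.
var rules = []Rule{
	{Name: "blocked category", Categories: []string{"restricted"}, Action: "auto-reject"},
	{Name: "small EUR", Currencies: []string{"EUR"}, MaxAmount: 1000, Action: "auto-approve"},
	{Name: "EUR payments", Currencies: []string{"EUR"}, MinAmount: 1000, Action: "sign"},
}

func main() {
	for _, p := range []Payment{
		{ID: "PAY-1", Currency: "EUR", Amount: 250, Category: "supplier"},
		{ID: "PAY-2", Currency: "EUR", Amount: 250, Category: "restricted"},
		{ID: "PAY-3", Currency: "EUR", Amount: 25000, Category: "supplier"},
		{ID: "PAY-4", Currency: "USD", Amount: 10, Category: "supplier"}, // gap
	} {
		name, status := Route(p, rules)
		fmt.Printf("%s -> %q via rule %q\n", p.ID, status, name)
	}
}
```

Because the first match wins, a broad auto-approve rule placed ahead of a narrower auto-reject rule silently wins; rule order is part of the policy and deserves the same review as the rules themselves.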
Single and multi-signature requirements
Signatory rules define how many signatures are required from which user groups:
- Single signature - One signatory required (e.g., "1 signature from Group A")
- Multi-signature from one group - Multiple signatures from the same group (e.g., "2 signatures from Group A")
- Multi-signature from multiple groups - Signatures required from different groups (e.g., "1 signature from Group A AND 1 signature from Group B")
- Mixed requirements - Combination of users and user groups (e.g., "1 signature from User X OR 2 signatures from Group A")
Bulk signing
Users can sign multiple transactions simultaneously instead of signing them one by one. Bulk signing:
- Allows selection of multiple pending transactions
- Creates a single signature request covering all selected transactions
- Applies the same signature to all transactions in the batch
- Improves efficiency for high-volume signing scenarios
Signature validation and completion
When a user signs a transaction, LYNKS performs comprehensive validation:
- Certificate validation - Verifies the signing certificate is valid and not expired
- Trust chain verification - Confirms the certificate is issued by a trusted authority (LuxTrust, INCERT, or configured CA)
- OCSP check - Validates the certificate has not been revoked using Online Certificate Status Protocol
- Signatory eligibility - Confirms the signer is authorized according to the signatory rule
- Signature recording - Stores the signature with timestamp and certificate details
- Status update - Updates the transaction status based on remaining signatures required
Once all required signatures are collected, the payment transitions to "Pending Delivery to Bank" or "Authorized" status and is queued for submission.
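An added example in Go, not LYNKS code, that covers the requirement shapes listed under single and multi-signature requirements together with the signatory-eligibility, signature-recording and status-update steps above. A requirement is modelled as an OR of AND-clauses, which expresses all four shapes on the page and generalises to any number of clauses and quotas; the certificate, trust-chain and OCSP checks are assumed to have passed before Sign is called. Group names, user names and status strings are assumptions for illustration.

```go
package main

import "fmt"

// Quota: Count signatures from Group (a named user is a one-member group).
// Requirement is an OR of AND-clauses, which covers every shape on the page:
//   "1 from A"                  -> Requirement{{{"A", 1}}}
//   "2 from A"                  -> Requirement{{{"A", 2}}}
//   "1 from A AND 1 from B"     -> Requirement{{{"A", 1}, {"B", 1}}}
//   "1 from User X OR 2 from A" -> Requirement{{{"X", 1}}, {{"A", 2}}}
type Quota struct {
	Group string
	Count int
}
type Requirement [][]Quota

type Groups map[string][]string // group name -> members

// Payment is a hypothetical model holding only what signing needs.
type Payment struct {
	ID         string
	Status     string
	Signatures map[string]bool // user -> has signed
}

func member(g Groups, group, user string) bool {
	for _, m := range g[group] {
		if m == user {
			return true
		}
	}
	return false
}

// Satisfied reports whether any AND-clause is fully met by the signatures.
func (g Groups) Satisfied(req Requirement, sigs map[string]bool) bool {
	for _, clause := range req {
		met := true
		for _, q := range clause {
			n := 0
			for _, m := range g[q.Group] {
				if sigs[m] {
					n++
				}
			}
			met = met && n >= q.Count
		}
		if met {
			return true
		}
	}
	return false
}

// Sign performs the status, eligibility and duplicate checks, records the
// signature, and moves the payment on once the requirement is satisfied.
func Sign(p *Payment, req Requirement, g Groups, user string) error {
	if p.Status != "Waiting for signature(s)" {
		return fmt.Errorf("%s: not awaiting signatures (status %q)", p.ID, p.Status)
	}
	eligible := false
	for _, clause := range req {
		for _, q := range clause {
			eligible = eligible || member(g, q.Group, user)
		}
	}
	if !eligible {
		return fmt.Errorf("%s: %s is not an eligible signatory", p.ID, user)
	}
	if p.Signatures[user] {
		return fmt.Errorf("%s: duplicate signature from %s", p.ID, user)
	}
	if p.Signatures == nil {
		p.Signatures = map[string]bool{}
	}
	p.Signatures[user] = true
	if g.Satisfied(req, p.Signatures) {
		p.Status = "Pending Delivery to Bank"
	}
	return nil
}

// Constructed sample groups and a "1 from User X OR 2 from Group A" rule.
var groups = Groups{"A": {"alice", "bob"}, "B": {"carol"}, "X": {"xavier"}}
var mixed = Requirement{{{"X", 1}}, {{"A", 2}}}

func main() {
	p := &Payment{ID: "PAY-1", Status: "Waiting for signature(s)"}
	fmt.Println(Sign(p, mixed, groups, "carol")) // carol is in no required group
	fmt.Println(Sign(p, mixed, groups, "alice"), p.Status)
	fmt.Println(Sign(p, mixed, groups, "alice")) // duplicate
	fmt.Println(Sign(p, mixed, groups, "bob"), p.Status)
	fmt.Println(Sign(p, mixed, groups, "xavier")) // already fully signed
}
```

Note that a user who belongs to two groups would count towards both quotas here; a deployment that wants "two different people" rather than "two group memberships" must count distinct signers, which is a policy decision the page leaves to signatory rule configuration.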
Certificate validation
LYNKS performs rigorous certificate validation to ensure signature integrity and compliance.
X.509 certificate validation
All signatures use X.509 certificates validated against the following criteria:
| Validation Check | Description | Consequence of Failure |
|---|---|---|
| Certificate validity period | Certificate must be within its validity dates (not before, not after) | Signature rejected |
| Trust chain verification | Certificate must be issued by a trusted certificate authority | Signature rejected |
| Certificate revocation (OCSP) | Certificate must not be revoked according to OCSP responder | Signature rejected |
| Signature algorithm | Certificate must use an approved signature algorithm (RSA 2048+, ECDSA) | Signature rejected |
| Key usage | Certificate must have appropriate key usage flags for signing | Signature rejected |
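The table's checks, as an added example written in Go against the standard library; this is not LYNKS code, and the CA, certificates and check names are constructed in memory for the demonstration. It issues a test CA and three leaf certificates (a good one, one lacking the digital-signature key usage, and an expired one) and reports which checks fail for each. The OCSP check is a network round-trip to the issuer's responder and is left out; the signature-algorithm check is implemented as the key type and size the table names (RSA 2048+ or ECDSA). Passing an explicit time to the chain check is what allows a historical signature to be validated as of its signing time rather than today.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validate runs the table's checks on a signing certificate and returns the
// names of the checks that failed; an empty slice means the certificate is
// accepted. Hypothetical helper, not LYNKS code.
func Validate(cert *x509.Certificate, roots *x509.CertPool, at time.Time) []string {
	var failed []string
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if at.Before(cert.NotBefore) || at.After(cert.NotAfter) {
		failed = append(failed, "validity period")
	} else if _, err := cert.Verify(opts); err != nil { // chain to a trusted CA
		failed = append(failed, "trust chain")
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			failed = append(failed, "signature algorithm")
		}
	case *ecdsa.PublicKey: // approved
	default:
		failed = append(failed, "signature algorithm")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		failed = append(failed, "key usage")
	}
	return failed
}

// issue creates a certificate signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, pub, signer interface{}) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Fixture builds a constructed CA plus three leaves: a good one, one without
// the digital-signature key usage, and one that expired a minute ago.
func Fixture(now time.Time) (*x509.CertPool, map[string]*x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Signing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leaf := func(serial int64, usage x509.KeyUsage, notAfter time.Time) *x509.Certificate {
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "alice"},
			NotBefore: now.Add(-time.Hour), NotAfter: notAfter, KeyUsage: usage,
		}, ca, &leafKey.PublicKey, caKey)
	}
	return roots, map[string]*x509.Certificate{
		"good":    leaf(2, x509.KeyUsageDigitalSignature, now.Add(time.Hour)),
		"nosign":  leaf(3, x509.KeyUsageKeyEncipherment, now.Add(time.Hour)),
		"expired": leaf(4, x509.KeyUsageDigitalSignature, now.Add(-time.Minute)),
	}
}

func main() {
	now := time.Now()
	roots, certs := Fixture(now)
	for _, name := range []string{"good", "nosign", "expired"} {
		fmt.Printf("%-8s failed checks: %v\n", name, Validate(certs[name], roots, now))
	}
	fmt.Println("good vs empty trust store:", Validate(certs["good"], x509.NewCertPool(), now))
	// A historical signature is validated as of signing time, not today.
	fmt.Println("expired, checked 30 min earlier:", Validate(certs["expired"], roots, now.Add(-30*time.Minute)))
}
```

The trust store passed to Validate is the configured set of CAs (LuxTrust, INCERT or a tenant's custom CA); running the good certificate against an empty store shows that a well-formed certificate from an unconfigured issuer is still rejected.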
Trust chain verification
LYNKS validates that signing certificates are issued by trusted certificate authorities:
- LuxTrust certificates - Validated against LuxTrust's public CA certificate
- INCERT certificates - Validated against INCERT's public CA certificate (for LYNKS mobile app)
- Custom CA certificates - Organizations can configure additional trusted certificate authorities for custom signature solutions
OCSP certificate revocation checking
LYNKS uses the Online Certificate Status Protocol (OCSP) to verify in real time that certificates have not been revoked:
- OCSP responder query - System queries the certificate authority's OCSP server
- Revocation status check - Verifies the certificate is "good" (not revoked or suspended)
- Signature time validation - For historical signatures, validates revocation status at the time of signing
- Fallback handling - If OCSP is unavailable, the system applies configured fallback policies
OCSP validation prevents signatures using compromised or revoked certificates from being accepted.
Certificate lifecycle management
Organizations must manage certificate lifecycles to maintain signing capability:
- Certificate issuance - Users onboard with LuxTrust or LYNKS mobile app to obtain certificates
- Certificate renewal - Certificates are renewed before expiration to maintain continuity
- Certificate revocation - Compromised certificates can be revoked immediately via the certificate authority
- Remote deactivation - Administrators can disable user authentication methods to prevent signing
For authentication method management, see User & Groups - User management and access configuration.
Sign vs. approve terminology
LYNKS uses specific terminology to distinguish between bank operations and platform operations.
"sign" - bank operations
When authorizing bank operations or instructions, LYNKS uses the term "sign" to reflect the legal weight and accountability:
| Entity Type | Description |
|---|---|
| Credit transfers | Outgoing payments sent to banks for execution |
| Standing orders | Recurring payment instructions to banks |
| Batches | Grouped payments submitted to banks as a single file |
| Cash concentration rules | Automated liquidity management creating bank transactions |
| Direct debits | Incoming payment collections from customer accounts |
Signing these entities triggers bank instructions and carries financial risk and regulatory accountability.
"approve" - LYNKS operations
When authorizing LYNKS platform operations, the system uses the term "approve" for operations that exist within LYNKS but don't directly instruct banks:
| Entity Type | Description |
|---|---|
| User authentication method onboarding | Activating LYNKS mobile app for a user |
| Tenant settings changes | Modifications to signatory rules and configuration |
| Counterparties | Creating or modifying payment beneficiary records |
Approving these entities follows the four-eyes principle but does not directly create bank instructions.
Concurrency handling
LYNKS prevents race conditions and duplicate signatures through concurrency controls.
Simultaneous signature prevention
The system prevents conflicts when multiple users attempt to sign the same transaction simultaneously:
| Scenario | System Behavior | User Experience |
|---|---|---|
| Same user signs twice | Second signature attempt fails with error | Error message displayed, transaction not authorized |
| Two users from same group sign simultaneously | Second signature attempt fails with error | Error message displayed, only first signature recorded |
| Users from different groups sign simultaneously | Both signatures accepted if rule requires both groups | Both signatures recorded successfully |
Batch transaction locking
When signing transactions in a batch, individual transaction locks prevent conflicts:
- Each transaction in the batch is locked independently
- If one transaction fails signature validation, it does not impact other transactions in the batch
- Successfully signed transactions proceed while failed transactions remain pending
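The locking behaviour described in the table and list above, as an added example in Go that is not LYNKS code: each transaction carries its own mutex, so concurrent attempts on one transaction are serialized and the second attempt sees the outcome of the first; a batch signs every transaction independently and reports a per-transaction result, so one failure never blocks the rest. The status strings, error values and the simplified "signatures still needed" requirement are assumptions for illustration (the full group-based requirement is a separate concern).

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Transaction holds a simplified signing state: how many signatures the rule
// needs and who has signed. Hypothetical model, not LYNKS code.
type Transaction struct {
	ID     string
	mu     sync.Mutex // one lock per transaction, never one for the batch
	Needed int
	Signed map[string]bool
	Status string
}

func NewTransaction(id string, needed int) *Transaction {
	return &Transaction{ID: id, Needed: needed, Signed: map[string]bool{}, Status: "Waiting for signature(s)"}
}

var (
	ErrComplete   = errors.New("transaction already fully signed")
	ErrIneligible = errors.New("user is not an eligible signatory")
	ErrDuplicate  = errors.New("user has already signed")
)

// Sign applies one signature under the transaction's own lock. Two
// simultaneous attempts are serialized: the second runs its checks against
// the state the first one left behind, so it cannot double-authorize.
func (t *Transaction) Sign(user string, eligible func(string) bool) error {
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.Status == "Authorized" {
		return ErrComplete
	}
	if !eligible(user) {
		return ErrIneligible
	}
	if t.Signed[user] {
		return ErrDuplicate
	}
	t.Signed[user] = true
	if len(t.Signed) >= t.Needed {
		t.Status = "Authorized"
	}
	return nil
}

// Race has several users attempt to sign one transaction at the same moment
// and returns how many attempts were accepted.
func Race(tx *Transaction, users []string, eligible func(string) bool) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	accepted := 0
	for _, u := range users {
		wg.Add(1)
		go func(u string) {
			defer wg.Done()
			if tx.Sign(u, eligible) == nil {
				mu.Lock()
				accepted++
				mu.Unlock()
			}
		}(u)
	}
	wg.Wait()
	return accepted
}

// SignBatch signs every transaction in the batch independently and reports
// the outcome per transaction; a failure on one leaves the others untouched.
func SignBatch(batch []*Transaction, user string, eligible func(string) bool) map[string]error {
	results := make(map[string]error, len(batch))
	var wg sync.WaitGroup
	var mu sync.Mutex
	for _, tx := range batch {
		wg.Add(1)
		go func(tx *Transaction) {
			defer wg.Done()
			err := tx.Sign(user, eligible)
			mu.Lock()
			results[tx.ID] = err
			mu.Unlock()
		}(tx)
	}
	wg.Wait()
	return results
}

func main() {
	anyone := func(string) bool { return true }
	t1 := NewTransaction("T1", 1)
	fmt.Println("same group, rule needs 1, accepted:", Race(t1, []string{"alice", "bob"}, anyone))
	t2 := NewTransaction("T2", 2)
	fmt.Println("two groups, rule needs both, accepted:", Race(t2, []string{"alice", "carol"}, anyone))
	t3 := NewTransaction("T3", 2)
	fmt.Println("same user twice:", t3.Sign("alice", anyone), "/", t3.Sign("alice", anyone))
	fmt.Println("batch:", SignBatch([]*Transaction{t1, NewTransaction("T4", 1)}, "dave", anyone))
}
```

In a real deployment the per-transaction lock is a database row lock or a version check on the transaction record rather than an in-process mutex, but the invariant is the same: the checks and the write must happen atomically against the current state.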
Signature history
LYNKS maintains a complete audit trail of all signature activities.
Transaction signature records
Each transaction stores comprehensive signature history:
- Signatory identity - Username and certificate subject details
- Signature timestamp - Exact time when signature was applied
- Certificate details - Certificate serial number, issuer, and validity period
- Signature method - LuxTrust, LYNKS mobile app, SSO, or auto-signing
- Signature status - Success or failure with reason codes
- OCSP validation result - Certificate revocation check outcome
Audit log integration
All signature events are recorded in the LYNKS audit log:
- Signature requests sent - When signatories are notified
- Signature applied - When a user signs a transaction
- Signature rejected - When signature validation fails
- Bulk signing operations - Consolidated records for batch signatures
- Auto-signing events - Automated signature application by rules
For audit trail details, see Compliance & Audit - Security features, audit trails, and regulatory compliance.
eIDAS compliance
LYNKS supports electronic signatures compliant with the EU eIDAS regulation (Regulation (EU) No 910/2014).
Electronic signature types
LYNKS supports different levels of electronic signatures according to eIDAS:
| Signature Type | Authentication Method | Legal Status | Use Cases |
|---|---|---|---|
| Simple electronic signature | SSO (OAuth2, SAMLv2) | Simple consent-based signature | Routine approvals, low-risk operations |
| Advanced electronic signature | LYNKS mobile app (INCERT certificates) | Advanced electronic signature with contractual validity | Standard payment authorization, counterparty approvals |
| Qualified electronic signature | LuxTrust (qualified certificates) | Legal equivalence to handwritten signatures | High-value payments, regulatory filings, legally binding transactions |
eIDAS requirements
LYNKS ensures compliance with eIDAS requirements for electronic signatures:
- Signer identification - Certificates uniquely identify the signatory
- Sole control - Private keys remain under exclusive control of the signatory (secure enclave, hardware devices)
- Data integrity - Any alteration to signed data is detectable
- Non-repudiation - Signatories cannot deny having signed the transaction
- Certificate validation - Trust chain and revocation status verified at signature time
Organizations can select the appropriate signature level based on transaction risk and regulatory requirements.
Legal validity considerations
Qualified Electronic Signatures (LuxTrust only): Under eIDAS Article 25, qualified electronic signatures have legal equivalence to handwritten signatures across all EU member states. These signatures are automatically legally binding without requiring additional contractual agreements.
Advanced Electronic Signatures (LYNKS Mobile App): Advanced electronic signatures are recognized under eIDAS but do not automatically carry the same legal weight as handwritten signatures. Their legal validity depends on:
- Contractual agreements between parties accepting this form of signature
- Internal policies and procedures governing their use
- The specific regulatory context and requirements of the transaction
Simple Electronic Signatures (SSO): Simple electronic signatures represent user consent through authentication but provide minimal technical guarantees. They are appropriate for routine operations within organizations where:
- The risk level is acceptable for authentication-based approval
- Internal policies govern their use
- The context does not require higher levels of signature assurance
Organizations should ensure appropriate contractual frameworks and risk assessments are in place when using advanced or simple electronic signatures for legally significant transactions.
Configuration
Digital signature functionality is configured at multiple levels in LYNKS.
Tenant-level configuration
Administrators configure signature methods and policies for the entire tenant:
- Authentication methods enabled - Which signature methods are available (LuxTrust, LYNKS mobile app, SSO, custom solutions)
- Certificate trust chain - Trusted certificate authorities for signature validation
- Auto-signing policies - Whether auto-approve and auto-reject rules are permitted
- OCSP configuration - OCSP responder endpoints and fallback policies
- Custom signature integrations - Configuration for client-specific signature solutions
For tenant configuration, see Tenant Settings - Administrative configuration for users, accounts, and rules.
User-level configuration
Individual users activate signature methods for their accounts:
- LuxTrust activation - Users configure their LuxTrust device (SmartCard, Signing Stick, or Mobile)
- LYNKS mobile app onboarding - Users provision their mobile device with a certificate
- SSO authentication - Automatic activation when SSO is configured for the tenant
- Custom authentication methods - Activation of client-specific signature solutions as configured
For user management, see User & Groups - User management and access configuration.
Signatory rule configuration
Signatory rules define when and how signatures are required:
- Rule parameters - Accounts, amount ranges, currencies, payment categories, counterparties
- Signature requirements - Number of signatures required from which user groups
- Auto-approve conditions - Criteria for automatic approval without manual signatures
- Auto-reject conditions - Criteria for automatic rejection
For signatory rule details, see Signatory Rules - Approval workflow configuration.
Related documentation
Explore these related sections to learn more about digital signatures and authentication:
Core Concepts:
- Approvals - How approval workflows and signature processes function - Understanding approval workflows and signatory requirements
Platform Features:
- Action Center - Centralized task and approval management - Managing pending signature requests and tasks
- Signatory Rules - Approval workflow configuration - Configuring multi-level approval requirements
- User & Groups - User management and access configuration - Managing user authentication methods
Security & Authentication:
- Authentication Methods - Detailed setup and usage of SSO, LuxTrust, and mobile app authentication - Setting up LuxTrust, LYNKS mobile app, and SSO
- Single Sign-On - OAuth2 and SAMLv2 authentication
- LuxTrust - Qualified electronic signatures - Qualified electronic signatures with digital certificates
- LYNKS Mobile App - Mobile authentication and push notifications - Mobile authentication and signing
- Compliance & Audit - Security features, audit trails, and regulatory compliance - Audit trails and regulatory compliance
Support
For assistance with digital signature configuration, certificate management, custom signature solution implementation, or troubleshooting signature validation issues, contact our customer support team at [email protected].
