Non-Biometric Signatures—11​.200 (a)

"(a) Electronic signatures that are not based upon biometrics shall:

(1) Employ at least two distinct identification components such as an identification code and password.

(i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual.

(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components.

(2) Be used only by their genuine owners; and

(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals."

Procedures should be established to define what distinct identification components are considered valid for use in an electronic signature. These procedures should also define what is considered a continuous period of controlled access for the purpose of identifying when only one electronic signature component is required for subsequent signings.

These procedures also need to ensure persons only use or apply their own electronic signature and they do not share or distribute any components of their electronic signature such that others cannot falsely sign electronic records for them.

Finally, the procedures need to define and manage signature components such that a single person cannot attempt to use another's signature. For example, if the system administrator, who knows the user identification codes assigned, can also reset a person's password to a known value then that individual could falsify signatures for others without requiring any assistance form others.