What kind of factor is a physical signature?

I would consider a physical signature a biometric, albeit a pretty weak one. It isn't really something you have, since unlike a physical token, it cannot be stolen, or given to another (or, under most common circumstances, lost). It isn't really something you know either, even if an attacker knows exactly what your signature looks like, he cannot necessarily reproduce it.

The idea behind a signature is individuals have different idiosyncrasies in their handwriting that is relatively difficult to replicate. Unfortunately "relatively difficult" is very far from impossible.


Some of the other answers to this question make a good point: Most of a time a signature isn't actually used as a for of authentication (in the usual security jargon sense). When it is used as an authentication factor, however, it would be a biometric.

The prime usage of signature is to signal intent.

Properly verifying if some signature A 'matches' some signature B is something that requires a lengthy and costly expertise and generally isn't done outside of significant court cases, so in most cases it actually doesn't function as authentication factor at all. For example, when accepting credit cards at a point-of-sale terminal, employees are often instructed to accept any (non-empty) signature as matching any other signature. Check verification does include some signature verification and can catch low quality forgeries; in this case it's "something you know... but distribute occasionally" as the forger has to have access to some samples of your signature in order to make a suitable replica; but doesn't need any access to you personally for this attack (so not 'something you are').

However, the signature indicates your acceptance and intent of the transaction - the general authentication is performed through other factors, but only your signature indicates that you authorize the deal as opposed to simply being present.

It's not a factor at all because a signature is not primarily an authentication mechanism. In a credit card transaction the possession of the physical card is used for authentication.

A signature is primarily used to ensure there is no ambiguity about the intent of the person using the card. For example:

  • A signature ensures there is no misunderstanding between the vendor and the cardholder about whether they intended for a transaction to take place.
  • If a card is used fraudulently then there can be no doubt that the perpetrator did so with fraudulent intent and not by accident.

This is why stores commonly ask to see photo ID, so they can check to ensure the name matches and the photo on the ID matches. In effect they are authenticating you using something you have (the card) and something you are (your appearance) but the signature rarely plays a part in the actual authentication process.