ePassport derived credentials could power online identity
NXP white paper outlines opportunities from ICAO's new travel document specs
24 January, 2017
category: Biometrics, Contactless, Digital ID, Government
ICAO and NXP have some pretty major plans for the future of the passport and it goes well beyond border crossings. With 730 million of the chip-enabled ePassports already in circulation, they see it as the future of online ID. As Peter Schmallegger, NXP’s Director for the Secure Identity Sector explains, the key is ePassport derived credentials.
Think of it like this: place your government-issued passport next to your NFC-enabled smartphone, click a few buttons, and an ePassport derived credential is stored on your handset. The next time you pass through a border checkpoint, you might use your phone rather than the booklet. Even more significantly, the next time you need to log in to a government web service, a bank or a commercial site, you could click another button to verify your identity online.
“Governments and ICAO did a great job of making the passport a digital document, making it accessible to databases, and accessible to automated border systems,” says Schmallegger. “It may be the most secure electronic credential to prove identity, and it is certainly the most checked.”
He says it would be a pity if the industry missed the opportunity to make this available in other form factors. In other words, why leave it in the passport booklet when it could be extended to mobile devices and online services?
This is the concept of a derived credential, and the passport community is not the only one discussing it. The US government’s PIV and PIV-I programs are exploring derived credentials for convenient online authentication to secure services. In this case, the idea is to take the chip-based, cryptographically secure PIV card and derive a mobile credential from it, in essence a mobile child of the chip parent, for use in locations where smart card readers are not available.
There is a fundamental similarity between passports and PIV cards and it is key to where derived credentials make the most sense. The similarity is strong identity vetting. Both documents are among the strongest issued in terms of the identity vetting required prior to issuance.
Thus, the derived credential has the advantage of being trustworthy. Unlike the self-asserted user name and password combinations that make up most online credentials, passports and PIV cards require breeder documents, in-person verification and at least some level of biometric enrollment before issuance. This gives them a major head start on virtually all other existing credentials.
Thus, Schmallegger explains, they are ideal not just for border crossings but for other applications as well, in both the government and the private sector. “For us this Virtual Mobile Identity is a very exciting exercise being driven forward by ICAO,” he says.
The work on Virtual Mobile Identity is occurring within ICAO’s New Technologies Working Group (NTWG), the same group that is defining the new data structure for electronic passports, which is known as Logical Data Structure 2 (LDS2). In the original ePassport data structure, LDS1, only the first data page containing the individual’s personal information was digital. LDS2 will make the entire document digital, enabling storage and transfer of visas, stamps and other non-static information in the chip.
This effort is also key to ePassport derived credentials and Virtual Mobile Identity. “From a technological perspective – cryptography, datasets, etc. — it is actually quite straightforward,” says Schmallegger. “The challenge is to define procedures to securely use it, and our guiding principle is to make sure it is to the best and good of the citizen and consumer.”
In the past, any international, open mobile initiative met with a major challenge: there are many handset models, many operating systems and many new versions of each released all the time. How do you troubleshoot and support them all?
Schmallegger says the industry has made substantial advancements in the past five years in terms of NFC and embedded secure technologies. “I have confidence when I look at how much complexity we have been able to move that we now have all the building blocks at hand.”
Schmallegger and NXP released a white paper, The future of ePassports and border crossings: A look at where technology might take us, covering this future of the travel document. It provides an exciting vision, both from a technical identity standpoint and from the view of an ordinary global citizen, and is well worth the read.