By Etienne Chevreau, Member of the SIA Document Security Working Group. 

In an era where digital identity is rapidly evolving, one might wonder if physical documents still hold relevance. With passports, national IDs, and other credentials increasingly available in digital formats, it may seem like we are moving towards a fully digital future. However, the reality is far more nuanced. Physical documents continue to be essential, not only as a root of trust for digital IDs but also as a reliable and universally accessible form of identity.

The Strength of Physical Documents

For centuries, physical documents have served as the backbone of identity verification. Their enduring value stems from several key characteristics:

1. They are centered on the person – We hold, manage, and control them without relying on external digital systems.
2. They are accessible – Anyone, anywhere, can issue, receive, and use them, regardless of technological infrastructure.
3. They are varied – From passports to driver’s licenses, they come in diverse formats to serve different needs.
4. They work across contexts – A single document can be used for travel, banking, healthcare, and more.
5. They are private – Unlike digital identities that may leave traces if poorly implemented, physical documents do not inherently track users. 
6. They can be combined for greater trust – Multiple documents can be used together to provide stronger identity verification.

These attributes have made physical documents the most trusted and widely used form of identification worldwide. But as digital identity systems advance, the question arises: will they be replaced by digital credentials?

The Digital Shift: A Complementary Evolution

If you’re overwhelmed by the vast number and types of optical features available to add security to identity documents, you’re not alone. In this paper, a group of experts from the Secure Identity Alliance (SIA) clarifies the options—and when and how to apply them.

The 2024 edition of "Giving Voice to Digital IDs" takes a closer look at the challenges and successes faced by several African countries in deploying digital identity systems since 2021.

While technology is an important enabler, successfully implementing the end-to-end seamless border vision is a complex proposition that involves multiple stakeholders and requires supporting common standards alongside harmonised regulatory frameworks.

Having explored the vision and the technology innovations and advances being utilised today to support the implementation of seamless border programmes around the globe, we’ll now look at what’s involved in making this happen ‘for real’.

One thing is for sure. Initiatives currently underway highlight how implementation is a complex and multi-faceted proposition that goes way beyond simply planning to deploy new standalone systems and technologies and ‘hoping for the best’.

For a start, building a successful IT system that supports seamless travel involves deep collaboration between multiple stakeholders including border authorities, air and sea ports, land-based border points and carriers – including train and bus operators – and deep integrations with a multitude of other systems.

All of which will entail the redesign of business processes, the training of personnel in these new protocols, and careful planning to manage the operational impact of these changes. Plus, systems will need to be backwards compatible and future-proofed to support potential further technology innovations on the horizon. The discipline of change management and engaging comprehensively with stakeholders should include travellers, who need to be able to use the new solutions. Good two-way communication will all be important for achieving a successful outcome within planned timeframes.

But that’s not all. As technology increasingly forms an essential part of border control and international travel processes, the need for excellent cyber resilience and highly reliable IT systems and infrastructure will grow. Contingency plans need to be in place to handle unexpected downtime events, which could cause major disruption.

Imagine being denied entry to a foreign country because the electronic chip in your travel document is considered vulnerable and you would have to request a visa before traveling there? Because travel documents usually have a 10-year validity, this is a valid concern and is the reason why we consider micro-controllers (often called chips) in secure documents to be high value components.

As one of the most basic instances of the advanced IT solutions available in the industry, secure software embedded in ePassports and keeping them safe from their Cyberattacks are the object of deep concern and attention, especially with the increased adoption of digital ID, often derived from a secure electronic document such as a passport.

Cybersecurity is an ever-evolving concern. Setting up a secure identity document project relying on highly certified products is a necessary practice but not sufficient for protecting identities from future Cyberattacks. Active monitoring and anticipation of Cyber threats is critical to protect sensitive assets. Such threats include eavesdropping, cloning, or extracting highly confidential fingerprints from the electronic chip.

Decades of security progress have been framing an always-improving environment focused on a single objective: defining and maintaining a Cybersecurity framework to deploy secure embedded solutions in electronic ID documents.

The next step is to look beyond Cybersecurity and focus on Cyber resilience, which refers to an entity's ability to continuously deliver protection, despite adverse events. This combines information security, business continuity, and organizational resilience. This is particularly relevant for governmental programs, who should continue to issue secure identity documents to their citizens at any point in time.

Concretely, the future Cybersecurity of ID documents like ePassports depends on the ability to update, in the field, the secure embedded software (for example algorithms used for the various security mechanisms) protecting the data stored in the chip – with no need to issue a new document.

How does Cybersecurity work in an ePassport scheme?

Post pandemic, international traveller numbers are ramping up and are expected to continue to surge. Meanwhile, staff shortages, stricter travel processes and additional document checks and pre-travel enrolment requirements have all had an impact on how quickly travellers are processed at air and sea ports as well as land borders and crossing points. Combined, these can result in long queues at points of departure/arrival as travellers wait to be processed and undergo entry and exit checks.

For border control agencies, admitting genuine travellers as quickly and efficiently as possible while identifying travellers who may not be welcome is a top priority. Meanwhile, port authorities need to optimise passenger flows in order to boost throughput and minimise congestion and passenger wait times. Creating the additional capacity needed to support the anticipated future growth in passenger numbers.

The good news is that in recent years, advances in digital connectivity have spurred governments and private sector organisations on to introduce technology-based and secure-by-design solutions that both boost the efficiency and security of border control processes while elevating the traveller experience.

Let’s take a look at some of the technology advances already making an impact when it comes to enabling a frictionless journey experience for passengers, while reducing the cost and complexity associated with capturing accurate and verifiable data before a visitor arrives at a border – and ideally before they even leave their country of origin.

Long term shifts in traveller numbers are driving governments around the globe to rethink how to manage the smooth and compliant movement of a growing number of travellers through ports and across international borders. According to the World Tourism Organisation, more than 900 million tourists travelled internationally last year – a figure that is predicted to hit 1.8 billion by 2030 and 8.2 billion by 2037.

Facilitating the seamless movement of vast numbers of people in the most efficient way possible is just the start of the challenge. Ensuring the security of national borders and citizens is another top imperative—seamless borders aims to deliver an easier passenger journey and improved security, benefiting all stakeholders. This can be a challenge given constraints on space, time and resources. Efficient, seamless borders will be more able to handle high passenger volumes to avoid overloading capacity at ports which can quickly become apparent in long queues inconvenience for everyone.

This is driving industry bodies and governments to press ahead with digitalisation initiatives. Because, as IATA, the trade association for the world’s airlines, notes: “Passenger traffic is projected to double by 2037. We will not be able to handle this growth or satisfy evolving customer expectations with existing airport capacity, current processes, facilities and ways of doing business.”

Debora Comparin, Chair of OSIA Initiative, SIA and Standardisation Expert, Thales

Thanks to co-author Yiannis Theodorou, Head of Digital ID, Tony Blair Institute for Global Change for his contribution to this commentary.

As governments continue to build inclusive digital-ID ecosystems to unlock the value of digital transformation for their people, many are facing the challenge of which related technology solutions to adopt.

In markets that encourage competition and innovation, it is common to see the creation of proprietary, closed and non-interoperable systems when a new industry is formed; remember the days when the phone you bought in Europe could not be used to make or receive calls in the United States? Eventually, though, the forces of supply and demand drive the industry towards harmonised, optimal solutions and common standards.

Today’s identity market is an environment of siloed foundational and functional ID systems, partly built on proprietary technologies. But, as the market matures, new tech solutions are drastically redefining the landscape. Mobile-ID solutions, sophisticated biometrics, cloud computing and other technologies have made it possible to develop integrated national ID ecosystems that are efficient, cost-effective and secure, without necessarily involving centralised databases.

Yet many countries still have a long way to go before they can realise this vision, and their ability to easily switch to new technology partners or providers is severely hampered by the complexity of existing systems or contractual arrangements. For example, if a newly procured digital-ID provider must deal with encrypted biometric templates in an existing database, it would need to access the raw biometric images captured and stored by the previous provider’s systems. If the unencrypted raw images are not available or reliable, the government will likely be forced to re-register the entire population.

Vendor lock-in constrains development because any change is subject to considerable costs and the risk of operational failures. At the same time, to benefit from the latest technologies, governments need to update, adapt and upgrade their legacy systems while having the freedom to choose the most appropriate solutions to meet their needs.

Two main approaches have emerged that offer governments the flexibility and freedom they need: open standards and open-source software.

Secure ePassport chips result in trust and efficiency

What is ‘PKI’? An introduction

This article can be downloaded   default HERE(2.26 MB)

Trust in passports is essential. PKI technology gives strong evidence that information on a secure passport chip can be trusted. This helps authorities issue more secure passports, increase security and throughput at the border, increase automation and catch identity cheats. It can help airports, airlines and commercial parties to check documents and carry out KYC (Know Your Citizen or Know Your Customer). Genuine passengers are more able to demonstrate their true identity quickly. Conversely, identity cheats stand more chance of being discovered.

Threats of passport fraud are real! A genuine document can be lost, stolen or borrowed and used by someone who is not the holder (an imposter or lookalike). A criminal might try to change the photograph or other data about the holder, to turn a passport into his own travel document (a forgery). A false passport might be manufactured (a counterfeit). Someone may make a false application to obtain a passport (a Falsely Obtained Genuine (FOG)). Or someone may steal blank passports which have not yet been personalised (had the holder’s details applied).

Great care is taken to defend passports from such attacks. This includes strong security on the manufacture, storage and delivery of documents; rigorous testing of new passport applications; and advanced security features in passports so that false documents are difficult to produce or use. See Passport Fraud Trends and Ways to Combat Them (Secure Identity Alliance (SIA), 2021); and ICAO 9303 Part 2: Specifications for the Security of the Design, Manufacture and Issuance of MRTDs (see references).

Secure chips improve security and convenience

Many passports and ID cards contain a chip, holding key data about the document and the holder, including the holder’s facial photograph. All of this data is protected by the issuer who includes a cryptographic digital signature on the chip. This signature, when verified, shows that data on the chip comes from the right source and has not been changed. Only the issuer can produce this signature, but everyone who needs to can verify that the signature and the data match. If so, it can be trusted; if not, it can’t. The complete picture is called a Public Key Infrastructure (PKI).

 By Joachim Caillosse - Chair of the SIA Document Security Working Group, Frank Smith, Advisory Observer to the SIA and Thomas Poreaux - Member of the SIA Document Security Working Group. 

The use of false identities is a problem that goes far beyond the area of border control. Though fraudulent identification documents are commonly associated with issues like immigration, they can also be used to aid serious organised crime, terrorism, fraud, and a range of other threats. As a result, accurate verification of identity documents is now a major concern in additional contexts including areas such as financial services and digital retail.

'Authentication: Are You Who You Claim to Be?'is a new guide from the SIA that addresses the challenge of identity authentication. Discussing the inherent difficulty in validating someone’s identity, as well as some of the solutions that are currently available, the report also provides detailed use cases and recommendations for anyone who may be looking to improve their understanding of this critical practice.

“It is very useful and highly informative report providing answers to questions concerning the Optical Machine Authentication (OMA) and in turn highlighting its increasing role in document authentication. The report will help practitioners expand their understanding of benefits and challenges linked to the increased use of optical authentication technologies.”

Malik Alibegovic, INTERPOL CCSD

In this blog, we provide a summarised view of some of the key themes covered in the guide.

Facial Recognition (FR) has evolved considerably in recent years and has many important potential benefits such as ease and security of use, privacy protection, and the detection and deterrence of crime. However, it can also be used excessively and intrusively and needs to be used appropriately, in circumstances that are justified and in accordance with good privacy laws and principles.

The SIA believes that recent moves to ban facial recognition technologies in a number of US states are premature. Similarly, in the EU, recent proposals regarding the development and use of artificial intelligence (AI) systems classify those intended to be used for remote biometric identification as ‘high risk’. If adopted, these systems would require a stringent ex-ante conformance assessment.

Pressing the pause button without a reasoned debate on privacy and civil rights, or on the potential IP and sovereignty issues of greater regulation, represents a potentially backward step for public safety that also limits the abilities of companies to transact securely with consumers in the digital world. See our blog on artificial intelligence here.

Facial recognition technologies have proved invaluable during the COVID-19 pandemic, making it possible for citizens to enrol remotely for services and verify their identity.

The SIA believes it is up to the authorities to play their role as regulators and to define the limits and conditions of use of facial recognition technologies, working with the industry to put in place governance frameworks that address the concerns of all stakeholders.

As governments and NGOs look to health certificates as a response to the challenge of safely reopening borders and reinstating freedom of movement for citizens, there is now a very real urgency in consolidating approaches, agreeing standards and achieving interoperability. Failure to do so will reduce international acceptance and threaten to derail these important initiatives. Here, we take a look at the key issues.

Health certificates schemes promise to streamline how people demonstrate they are unlikely to either catch or spread a particular disease, or diseases. While not a new concept, the COVID-19 pandemic has brought discussions of wider adoption and standardized adoption into sharp refrain.

In today’s context, these schemes use physical and/or digital certificates to make it easier for airlines, airports, border control agencies and others to verify whether a certificate holder has been vaccinated against COVID-19, has tested negative for the virus, or has recovered from it.

The increasingly widespread introduction of these certificates has allowed governments to lift a number of pandemic-related restrictions – from cross-border travel to attending large public gatherings such as sporting events.

 

On April 21, 2021, the European Commission proposed new rules and actions on the development and use of artificial intelligence (AI) systems with the stated objective to “turn Europe into the global hub for trustworthy artificial intelligence”.

Following a risk-based approach, the proposals will ban those AI systems considered a clear threat to the safety, livelihoods and rights of people. Others will be rated on a risk scale from high to minimal. In particular, all remote biometric identification systems are considered high risk and subject to strict requirements.

Secure Identity Alliance (SIA), whose members are European and global leaders in this fast-emerging space, are supportive of the principles to ensure excellence and trust in AI systems, and believe a fit-for-purpose framework has the potential to become an adopted standard around the world – as has been the case with the General Data Protection Regulation.

However, SIA believes that the rules governing the development and provision of AI systems should be proportionate.

As the proposals stand today, there is a concern that some rules threaten to stifle innovation and therefore undermine the stated goals of the Commission and the position of Europe as a leader in this critical field of technology.

By Joachim Caillosse, Chair of the Secure Document Working Group of the Secure Identity Alliance

An in-depth new guide to help tackle passport booklet fraud

Document fraud is a serious crime, one that has implications that stretch from personal identity theft all the way through to national security. Moreover, document fraud often serves as the foundation upon which other threats are built – human trafficking, drug smuggling, and terrorism amongst them.

Passport fraud is a key part of this landscape, and a growing problem. While Covid-19’s debilitating affect on international travel has helped to slow the rise of passport fraud over the past 12 months, the longer-term picture tells a different story altogether Some 100m travel documents were reported lost or stolen in 2020^₁ and according to Frontex Risk Analysis, passports represented 47% of the fraudulent documents detected at European Union external borders in 2019, leading some commentators to decry a growing passport fraud “epidemic²”.

Ever keen to raise awareness of identity-related threats and provide guidance on the latest defences and countermeasures, the Secure Identity Alliance (SIA) has this week launched its “Passport Fraud Trends and Ways to Combat Them” report – a comprehensive overview of the current travel document security landscape.

By Michael Brandau, Chair of the Secure Identity Alliance's Border Working Group.

With technology, Covid-19, and a number of other factors driving major change at the border, the Secure Identity Alliance has updated Strong Identity Strong Borders, a guide designed to help anyone who wants to understand the subject more, but who is not an expert.

Strong Identity, Strong Borders introduces the key concepts and explores the evolution of border control, and how those responsible for safeguarding their territory can embrace new approaches around identity in order to create secure, seamless, and streamlined passenger experiences.

Today the refreshed Principles on Identification for Sustainable development were published. Secure Identity Alliance is proud to have once again been asked to contribute to this important body of work to ensure that these updated Principles reflect today’s changing world and its own vision of supporting the provision of legal, trusted identity for all.

Five years ago the Secure Identity Alliance, along with other organisations committed to the development of ID systems that are inclusive, trusted, and accountable and supported the development of a set of shared ‘Principles for Good Identification’.

by Kristel Teyras, Chair of the Digital ID Working Group of the Secure Identity Alliance

With governments poised to accelerate national digital ID programs, the SIA commissioned a study to uncover lessons learned from innovative, real-life digital ID deployments around the world.

Providing unprecedented ‘on the ground’ insights and perspectives, the study produced in partnership with onepoint gives a unique voice to stakeholders from 25 innovative sovereign digital ID schemes. Their shared learnings highlight the guiding principles and good practices that are critical for driving usage, adoption, and success – regardless of the digital ID model adopted.

In the modern world it’s easy to characterize physical ID documents as outdated and irrelevant. But to do so would be to overlook the practical realities, and ubiquitous adoption, of these durable physical credentials.

We live in a world where the movement towards mobile and digital formats for a wide variety of identity documents – such as national IDs and driver licenses – is already underway. Indeed, the COVID-19 public health crisis has served to propel Governments to accelerate digital (mobile) ID adoption so locked-down citizens could still securely access a range of digital public and private services. Everything from registering a child’s birth to collecting pension payments, and using their digital ID to prove their ‘key worker’ status and permission to travel.

But that doesn’t mean that the physical ID document is no longer needed. Rather than simply being replaced by new digital formats, they continue to be the pre-requisite for the overall success of many schemes.

While domestic and international restrictions imposed to combat the spread of the COVID-19 virus have a tremendous impact on cross-border passenger volumes, and the longer-term picture remains unclear, it is no less important to continue to leverage the latest technologies to both strengthen borders and improve traveller experiences.

Over recent years, the technology has radically evolved in fields such as identity, security, biometrics and mobile applications to do exactly this. Technology has already transformed the world of border security and efficient processing of passengers, for example through secure ePassports (also known as electronic Machine Readable Travel Documents or eMRTD), automated eGates, biometrics used to assure visa regimes, and mobile boarding passes.

However, the story is far from complete. A newer generation of secure and efficient solutions are just beginning with the development of the Digital Travel Credential (DTC).

An immediate analysis of the coronavirus crisis highlights, among other things, the significant and growing role of technology in general, and digital identity in particular, in helping citizens, businesses and government agencies adapt and respond.

With citizens in many countries forced into homeworking and home-schooling, most at incredibly short notice, many millions turned to digital tools to communicate, collaborate, work and transact online. While these proved helpful for knowledge workers and those businesses with flexible (and often cloud-based) IT infrastructures, the crisis uncovered huge areas for improvement.

This was particularly clear when it came to access to the provision of public services – many of which lacked a cohesive digital alternative to face to face interactions. At the heart of the issue was the lack of a digital identity that would allow citizens to securely access services remotely.

For those citizens unable to access basic public services and social protections in a digital context, this lack of a digital identity and a connected ecosystem of digital service caused considerable problems.

This, Secure Identity Alliance (SIA) believes, is one of the key learnings to take away from the crisis. A secure and universally trusted digital identity, based on a government root and sourced from civil registries, is fundamental to the development of a wider ecosystem of both public and private services.

How to address the challenge of enabling the delivery of trusted mobile ID that’s secure, convenient, and easy for citizens to use

Digital identity sits at the heart of economic and social transformation. Around the globe, governments are busy fast-tracking the delivery of streamlined e-services that touch every aspect of people’s lives – from paying tax to accessing healthcare and education.

The SIA’s pioneering new Open Source API will bring interoperability among civil registration and civil identification registries – independent of technology, solution architecture or vendor.

Citizens around the world depend on government issued identities to prove they are who they say they are and to undertake commonplace transactions – from opening bank accounts or registering for school, to obtaining formal employment or receiving social transfers.

It is crucial, therefore, that governments are able to ensure citizens are the same person across all these various registries and issuing agencies, and that an individual’s data – or attributes – are up-to-date. Doing so protects the individual against the risk of identity theft and state agencies against fraud.

To achieve this objective these different registries need to ‘talk’ to one another.

It is this imperative that is currently driving governments around the globe to rollout national ID ecosystems in which multiple identity registries and systems, serving different functions, operate together as a cohesive whole.

Efficient and reliable patient identify management will be an essential element in making the benefits of integrated care a reality. This was the core message at the launch of a joint new publication from COCIR and the SIA entitled ‘Identity in Healthcare’ at the HIMSS Europe and Health 2.0 conference in Barcelona. The publication brings much-needed clarity and key recommendations to the ID challenge facing the health sector.

Ouverte par le Premier ministre de Namibie, la troisième conférence bilingue (français-anglais) du mouvement ID4Africa (1) a réuni près de 1000 des acteurs de l’identité numérique à Windhoek en Namibie, de plus de 30 pays.

While the concept of identity (ID) remains unchanged, the rapid evolution of digital technology has dramatically extended both its application and form factor.

Today, the Secure Identity Alliance has joined the global partnership network on identification and endorsed the ‘Principles on Identification for Sustainable Development: Toward the Digital Age’ which aims to provide a set of guidance in establishing and utilizing legal identification systems for sustainable development.

Today, the World Bank, Secure Identity Alliance, and GSMA have launched a joint white paper, “Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation”.

Ce rapport devrait être d' un intérêt particulier pour les organisations internationales et les organismes gouvernementaux qui sont impliqués dans la création ou la réorganisation de l'état civil et des systèmes d'identité

This report should be of particular interest to international organizations and government agencies that are involved in the establishment or reorganization of civil registration and identity systems.

By courtesy of our Government Observer Member, the National Office for Identity Data, Dutch Ministry of Interior and Kingdom relations.

As the appetite for developing identity-based e-government services grows, Jacques van Zijp, Board Member from Secure Identity Alliance discusses the interoperability challenges now at the heart of cross-border ID discussions.

Identity is going digital, and moving to the mobile. For most, this is a positive step. Identity is proliferating at an incredible rate. From the low level ‘sign-in through Facebook’ variants to high security access to, and usage of, a new range of central government and smart city services, the ability to prove who we say we are (when we’re mobile) is a strategic imperative. And It’s not just about convenience or security.

Presentation given by Jacques van Zijp on eID and Social Protection Programs in the Developing Countries at SDW2014 in London

We have asked Guy de Felcourt, Digital Identity Strategy Advisor and Published Author, who animated the BMI-Secure Identity Alliance eIDAS Workshop to tell us why EU Regulation No.910/2014 represents a major step forward in enabling digital identity in Europe and examines the value this will deliver for member states, companies and citizens.

This quarter, Jacques Van Zijp, Board Member of the Secure Identity Alliance looks at how eID is helping secure social protection and unlocking a sustainable, empowered future for communities around the globe.

Opening keynote speech at Secure Document World 2013 by Frédéric Trojani, Chairman, Secure Identity Alliance

Highlighting the continued importance of cost and citizen experience drivers, the report highlights the role of trusted digital identity in enabling effective and secure eService deployment.

And with this change come some serious issues.