Blogpost by Maarten Wegdam and Martijn Oostdijk
We believe that there is a bright future for the combination of smartphone and digital identity, which we refer to as mobile-centric identity. The question is, of course, how and when, and probably also who (which organisations) will benefit from this. To contribute to making mobile-centric identity happen, we are experimenting with how we can use a smartphone to get access to our ‘offline identity’, i.e., our passport / ID card. More specifically, we developed an Android app, called NFC Passport reader, that uses NFC to read the chip embedded in a passport / ID Card (aka ePassport). This app is now available from Google Play.
What did we do?
A long time ago (in 2009) Novay developed and experimented with software that could read the chip embedded in a passport or ID card. This software was based on the ePassport Java library JMRTD, ran on a PC, and required a reader to be attached to this PC.
We have now made a mobile app that can run on any (recent) NFC-capable Android smartphone. This is possible because the contactless technology in ePassports, ISO-14443, is fully compatible with NFC. We show what information is embedded in the ePassport (including photo) and make it explicit what security checks the app does. We made the app user friendly and nice looking (at least, for a prototype), and hope it will be used a lot.
More information on the app is here.
What are opportunities?
Now that we have shown the technical feasibility, what are the opportunities for usage? Below we list examples.
Improving current practice:
- Consumers can use the app instead of an offline identity verification process in which they have to make a copy of a passport and mail it (or scan it and email/upload it, which is similar). This is, at least in the Netherlands, quite common and IMHO not a good idea since there are privacy and security risks; in addition, it is quite user unfriendly and expensive.
- Consumers can use the app instead of a PC/laptop with a USB smart card reader attached. The latter is expensive and user unfriendly (and therefore not-very-common).
- Professionals that need to verify the identity of someone in a face2face situation, e.g., a car rental organization or a public notary, can use the app instead of more expensive dedicated hardware-based solutions (mobile or not-mobile).
- Use the app as part of an enrolment process when installing a new app on a mobile phone, e.g., a mobile banking app, to verify that whoever installs the app has access to a correct (and valid) passport/ID-card.
- As second factor authentication, e.g., for step-up authentication. Comparable to the above, but for a specific transaction or session.
- In case of an eID contactless smartcard solution (based on similar chip technology), to authenticate the user towards some online service. This is then typically combined with a PIN code (something you have). Germany has such an eID card, and the Dutch government is planning one.
What is next?
We’d like to stress that the current app should be considered a prototype, which shows the technical feasibility and demonstrates the user experience. Apart from maturity, for ‘real use’ there are some missing features including:
- Checking if a passport/ID card wasn’t stolen. In the Netherlands this could be done through BKR VIS.
- Checking whether the document signing certificate was revoked and updating the list of country signing certificates. This can be done through the ICAO Public Key Directory. Some, but not all, countries publish their country signing certificates and CRLs (the German authorities regularly publish a master list that contains 54 countries, including DE, BE, US, UK, CN, DK, EE, JP, IT, CN). In the first version of our app we only embedded the certificates for the Netherlands; for other countries the app will not be able to do the “Country signer” check.
- Using the camera of the smartphone in combination with OCR, to read the so-called Machine Readable Zone, so that the user doesn’t need to type the document number, date of birth, and expiration date. In the current app the user has to do this manually (once per document, but still).
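As an added illustration of the OCR step in the last item (this is not code from the app or from JMRTD): the Machine Readable Zone carries its own check digits, defined in ICAO Doc 9303, so the three fields can be validated before they are used. The sketch assumes a TD3 (passport booklet) MRZ; the function names are hypothetical and the sample input is line 2 of the ICAO specimen passport.

```python
# Added example: validate an OCR'd TD3 (passport) MRZ line 2 per ICAO Doc 9303.
WEIGHTS = (7, 3, 1)  # repeating weights defined by ICAO Doc 9303

def char_value(c):
    """Map an MRZ character to its numeric value: 0-9, A-Z -> 10-35, '<' -> 0."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"character not allowed in an MRZ: {c!r}")

def check_digit(data):
    """Weighted sum modulo 10, returned as a one-character string."""
    return str(sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10)

# (start, end, check digit position) within line 2 of a TD3 MRZ, 0-indexed
FIELDS = {
    "document_number": (0, 9, 9),
    "date_of_birth": (13, 19, 19),
    "date_of_expiry": (21, 27, 27),
}

def parse_td3_line2(line):
    """Return the three fields the user would otherwise type, or raise ValueError."""
    line = line.strip().upper()
    if len(line) != 44:
        raise ValueError(f"expected 44 characters, got {len(line)}")
    result = {}
    for name, (start, end, cd_pos) in FIELDS.items():
        value = line[start:end]
        if check_digit(value) != line[cd_pos]:
            raise ValueError(f"check digit mismatch in {name}; rescan or type it")
        result[name] = value.rstrip("<")
    # Composite check digit covers positions 1-10, 14-20 and 22-43 (1-indexed).
    if check_digit(line[0:10] + line[13:20] + line[21:43]) != line[43]:
        raise ValueError("composite check digit mismatch")
    return result

# Sample input: line 2 of the ICAO Doc 9303 specimen passport (fictional state UTO).
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed variant with a typical OCR confusion: digit 0 read as letter O.
OCR_ERROR = "L898902C36UTO7408122F12O4159ZE184226B<<<<<10"

if __name__ == "__main__":
    print(parse_td3_line2(SPECIMEN))
    try:
        parse_td3_line2(OCR_ERROR)
    except ValueError as exc:
        print("rejected:", exc)
```

A failed check digit is the signal to rescan or fall back to manual entry rather than pass a misread value on to the chip-reading step.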
There is of course much more to say about the (im)possibilities, challenges and threats of using a smartphone with NFC to read ePassports or eID cards. And apart from technology assessment, that is exactly what we want to accomplish: to get people thinking about this.