Digital travel credentials: Looking beyond the book
Travellers’ behaviours and expectations are changing. In a world of ever-increasing digital transactions, it is hard to imagine a future where we will still need to present a traditional, physical passport in order to cross a border. Increasing international traffic volumes are placing pressure on airport passenger facilitation, and the need for secure and trusted traveller identification remains ever present in the face of global turmoil. How can border authorities and the airline industry adapt to meet the changing needs, and manage traveller facilitation without compromising security, all while maintaining interoperability?
Taking these challenges into consideration, ICAO’s New Technologies Working Group (NTWG) established a specialized sub-group to begin work on standardizing a digital travel credential (DTC). In developing these technical specifications and policies, the ePassport is used as the benchmark given that it offers a secure, portable, verifiable and unclonable token.
Opportunity for change in the travel continuum
An estimated 139 States have issued more than one billion ePassports to date. The growing number of ePassports improves the travel network by enhancing facilitation for travellers. They also improve security for border management. One particular advantage of the ePassport that has the potential to revolutionize the way travellers are processed is the digitization of the traveller’s biographic and biometric data, which is stored in an integrated circuit (IC or chip) embedded in the book.
This chip data has already generated many benefits. Not only does it verify the passport bearer’s identity through facial recognition, but it has also provided authorities with the tools to authenticate the travel document. While these processes have made significant contributions to the security and facilitation of traveller movements, the ePassport has yet to be fully leveraged to provide all of the possible benefits to change the way travellers clear checkpoints during departure and arrival.
The DTC envisioned by the NTWG uses the technology available in the ePassport to create a credential that can bring these additional benefits, while maintaining a balance between security and facilitation.
Leveraging the key attributes
For a DTC to be effective and practical it needs to maintain the key attributes already contained in the ePassport, namely:
- verifying entities must be able to authenticate the credentials supplied;
- inclusion of a means to protect against cloning;
- the capability to accept and store pertinent holder and/or travel data;
- protection of the privacy of the user; and
- verification processes must be at least as secure as for ePassports.
A DTC essentially serves the same functions as an ePassport in reliably confirming the identity of the traveller. Additional benefits to those in the travel continuum include:
- An improvement to passenger flows by allowing travellers to provide their data in advance and engage in more self-service;
- The ability for airports and airlines to link additional data, such as a boarding pass, to the DTC; and
- Advance provision of passenger data to aviation stakeholders to support biometric matching through controlled checkpoints, to facilitate biometric boarding and assist in improving pre-arrival security and/or risk assessment.
In order for these benefits to be realized, wide acceptability of globally interoperable features, and an issuer’s ability to control the credential, are paramount.
The challenge of balance
Creating a secure and reliable form of electronic identification that can be used to enhance facilitation is perhaps the simpler part of this work. Not only are there a number of established and emerging e-Identity schemes around the world, but airports and airlines have an increasing number of stand-alone traveller facilitation schemes. These solutions all leverage a range of differing technologies and use a variety of form factors. What is important for travel is that there is a balance in security, facilitation, and interoperability.
With this in mind, the sub-group examined a range of technologies, or ‘form factors’, such as smart devices, closed servers, remote servers, and distributed ledgers. The form factors were evaluated against the following four basic criteria to ensure the credential could be:
- Produced from a Travel Document Issuing Authority.
- Capable of being provided unaltered to verifying entities in advance of the traveller’s journey or arrival.
- Globally interoperable to ensure that it could be used in different environments.
- Adopted by travellers. This requires creating trust that:
  - The DTC is as secure as, or more secure than, an ePassport, and
  - Biographic and biometric data will be handled in a manner ensuring the protection of the traveller’s personal data and privacy.
Each form factor considered had a number of positives, but each also presented limitations that would result in a solution less secure than an ePassport. While these different form factors would mostly work well for facilitation, few would be globally interoperable, and all would present security concerns that would be unacceptable for most, if not all, border authorities.
However, all is not lost! By combining one or more of the form factors with the existing technology already available in the ePassport, there is an opportunity to create a hybrid credential that would meet all the basic criteria and key attributes, and bring the additional benefits without losing the balance between security, facilitation, and interoperability.
The preferred solution – a hybrid DTC
A hybrid credential is a combination of a virtual token (credential) that is linked to one or more physical tokens (authenticators). The credential could be stored in a remote system, such as a database or webserver, and the authenticator could be an ePassport, smart card, or mobile phone. This combines the virtual and the physical in a way that merges the advantages of both approaches, while minimizing the disadvantages.
When defining options for the issuance of these tokens, the sub-group determined that the virtual credentials would have to include many of the same security elements of the current ePassport, including authentication, when required by inspection authorities.
Authentication currently takes place when the chip in the ePassport is electronically validated by the border authority – a simple electronic check that ensures the ePassport is authentic. This check verifies the digital signature in the chip and that the digital certificate was used by a bona fide authority when the data in the chip was sealed. It confirms that the biographic and biometric data endorsed in the document when it was issued has not been altered. The authority can then confidently rely on the information in the chip to compare against the information printed in the physical passport book, and if need be, against the traveller themselves.
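The check described above, reduced to its trust chain (issuing authority, signing key, sealed hashes, data), as an added example that is not part of the original article or of any ICAO specification. The Ed25519 keys, the `Credential` layout, the helper names and the sample data are constructed assumptions; real ePassports use certificates and a standardized data structure.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Credential struct { // simplified stand-in for the sealed data, not the real encoding
	Groups                     [][]byte          // data elements as presented to the verifier
	SignerPub                  ed25519.PublicKey // key that sealed the data
	HashList, SignerCert, Seal []byte            // hashes; authority sig on SignerPub; signer sig on HashList
}

func hashList(groups [][]byte) (out []byte) {
	for _, g := range groups {
		h := sha256.Sum256(g)
		out = append(out, h[:]...)
	}
	return out
}

func newKey(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, 32)) }
func pubOf(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

func Issue(authority, signer ed25519.PrivateKey, groups [][]byte) Credential {
	pub, hl := pubOf(signer), hashList(groups)
	return Credential{groups, pub, hl, ed25519.Sign(authority, pub), ed25519.Sign(signer, hl)}
}

func Verify(trusted ed25519.PublicKey, c Credential) error { // authority -> signer -> hashes -> data
	switch {
	case len(c.SignerPub) != ed25519.PublicKeySize || !ed25519.Verify(trusted, c.SignerPub, c.SignerCert):
		return fmt.Errorf("signer key not endorsed by a trusted issuing authority")
	case !ed25519.Verify(c.SignerPub, c.HashList, c.Seal):
		return fmt.Errorf("seal over the hash list is invalid")
	case !bytes.Equal(hashList(c.Groups), c.HashList):
		return fmt.Errorf("data altered since issuance")
	}
	return nil
}

func main() {
	authority, signer := newKey(1), newKey(2) // constructed demo keys from fixed seeds
	c := Issue(authority, signer, [][]byte{[]byte("DOE<<JANE"), []byte("face-image")})
	fmt.Println("as issued:", Verify(pubOf(authority), c))
	c.Groups[0] = []byte("ROE<<JANE") // edit made after issuance
	fmt.Println("after edit:", Verify(pubOf(authority), c))
}
```

Because every step depends only on the verifier's trusted authority key, the same check works whether the data is read from a chip or received in advance from a remote system.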
So how can a hybrid credential match this level of confidence?
By linking the virtual travel credential to one or more physical tokens, it enables the verifying entity, such as a border agent, to perform additional active authentication of the credential when required for increased security. The physical token can be used to retrieve the data from the remote system by authenticating the holder of the virtual credential to that system.
This model is preferred by the ICAO NTWG because the credential is already securely linked to the Issuing Authority. The physical token allows the verifier to select the correct virtual credential, which was potentially provided in advance. It also gives the verifying entity the flexibility to decide whether the virtual credential is sufficient, or whether the physical token, the authenticator, is additionally required. Or, put simply, whether the traveller can pass through controlled checkpoints without having to physically present their passport.
One of the advantages of the DTC is that it provides several options for creation and form, without losing the benefits of interoperability. The DTC itself could be derived from an existing ePassport by the holder of that ePassport. Alternatively, the issuing authority could create the DTC, with the option of storing the virtual component on a remote system or securely on a smart device.
When booking or checking in, travellers could send their virtual component in advance to the border authority, in an electronic system for travel authorization (ESTA) process or using API/PNR etc. When they arrive at the airport, they could use their token, whether it is a physical token such as their phone, or a purely virtual token, such as their facial biometric, to pass through the different checkpoints in the airport journey.
If it is not sent in advance, the virtual component must be able to be read in a standardized method using passive authentication.
On track for 2020
Development of technical specifications, proof of concept and testing methodologies for the Hybrid DTC are underway. The Working Group continues to work towards resolving policy issues, such as issuance, revocation and inclusion of additional travel data. Their aim is to have the DTC technical specifications presented for endorsement by the ICAO TAG/TRIP in 2020.
About the Author
LOUISE COLE is the Manager of Information Partnerships for the New Zealand Department of Internal Affairs (DIA).