The Face of Travel Today: Smart Airports, Biometrics, ePassports and Defining a Secure Identity Token


This past year, there has been a surge of activity across the travel continuum trying to enhance traveler facilitation and engagement, while at the same time implementing stronger identity assurance and security measures. In fact, over the next three years, 77% of airports and 71% of airlines are planning major programs or R&D in biometric ID management to smooth curb-to-gate passenger flow. While Dubai has plans for a biometric tunnel, government, industry, and aviation partners have been pushing for technologies that will allow travelers to move throughout the travel continuum (booking – airport check-in – baggage drop – security screening – airport vendor services – boarding – arrival – customs – hotel check-in – return trip) without the need to present an identity document. Many of the solutions being considered in proof of concept demonstrations involve the use of biometrics in combination with a derivation of the traveler data from an e-passport; some of these populate and protect the token within a secure container on a mobile device. The traveler simply presents the token at the start of their journey to prime the continuum with their identity and travel authorization data. After that first encounter, all subsequent identity validation processes will be satisfied through facial recognition matching of the traveler at various points. The end goal has been to establish a biometrically-enabled, securely vetted, traveler-controlled, identity assertion token that can facilitate traveler interactions throughout the travel continuum.

The Current Situation

All the partners see the value of such a frictionless approach.  They also agree that the identity proofing, and secure token generation/enrollment processes on the front end are critical to the mitigation of the risks that these new techniques introduce to the well-established security controls that are currently in place.  To that end, international standards for the security controls and interoperable data format are being developed to allow the e-passport data to be presented as a “Digital Travel Credential (DTC)” or identity assertion token, that is derived from the authoritative data.  These controls ensure that the DTC can be authenticated with the same level of assurance as the source e-passport document.

Several token enrollment/delivery models have also been reviewed, and some have been implemented in both vendor-specific technologies and other self-sovereign identity solutions. In one model, the government provides and maintains the DTC, and the traveler contacts the government whenever they are going to travel so that the government publishes the DTC directly to the travel continuum. In another model, the government securely provides the traveler with the DTC when they receive their e-passport document, and the traveler then controls when the token is used and who can access the data. A third option derives the data directly from the e-passport during enrollment of the token into the travel continuum. As this may be a traveler self-service enrollment, or possibly an enrollment at an airline counter, the enrollment must include the ICAO-required Passive Authentication (PA) process to ensure the authenticity of the source document, as well as its cryptographic binding to the traveler.

While the enrollment and backend processing capabilities vary, both government and industry capabilities are being deployed today to support this biometric facilitation concept.  The US Department of Homeland Security (DHS) has been investing in the establishment of biometric capture and assessment capabilities with its Homeland Advanced Recognition Technology (HART) suite which includes a multi-modal biometrics database and supporting services.  Identity proofing vendors across the industry have also established biometric-only, facilitation capabilities that are currently being deployed both domestically and internationally.  CLEAR provides a biometric alternative for security screening at airports and event facilities, while Vision-Box has implemented biometric border control and traveler facilitation (entry/exit) kiosks in several countries.

The Challenge & The Future

The challenge at hand is harmonizing these capabilities across an interoperable fabric that can leverage the standards-based DTC data format, as well as any proprietary formats being used within leading edge deployments, and that can be incorporated into existing commercial, government, and/or public/private partnership initiatives. This fabric will ensure the interoperable delivery of the identity token across the travel continuum in support of relying party systems and programs, such as:

  • CBP Entry/Exit Tracking
  • European Entry–Exit System (EES)
  • European Travel Information and Authorization System (ETIAS)
  • SITA iBorders Border Automation
  • IATA One Identity
  • Trusted Traveler Programs, including NEXUS, SENTRI, Global Entry


All these efforts can benefit from and would be enhanced by an investment in the connecting fabric that allows the individual capabilities of each to be extended and leveraged in support of the biometrics-only facilitation of the traveler.

The required security controls related to the underlying identity proofing, token generation, and token transit processes have been defined.  Interoperability across the travel continuum can be supported by standards-based interfaces between the entities.

The day that a traveler can show up at an airport and board a plane without providing anything other than a biometric is coming soon.







Increasing Secure Traveler Facilitation via e-Passport Passive Authentication

Electronic Passport (e-passport) technology, when implemented correctly (issued and validated in accordance with ICAO specifications and recommended processes), provides the highest level of assurance that the traveler is actually who they claim to be. The electronic security features encoded within the chip of the e-passport protect the data from tampering or modification, provide a cryptographic binding of the document to its Issuing State, and provide a biometric binding of the traveler to the document. A global fabric of trust, the ICAO PKI data and processes underlying these documents, makes authentication of these security features relatively simple while ensuring that fraudulent documents are easily identified.

Incorporating these authentication processes into efficient, automated, self-service capabilities readily supports the facilitation of ever-increasing volumes of travelers without negatively impacting border queues – and actually increases the security posture of the transit point without the need for additional border personnel.

e-Passport processing not done according to specifications and guidance leaves the relying party to simply guess if the person presenting the document is who that document asserts that they are.

Sometimes this is inconsequential, sometimes it is a matter of national security.  Whether this document review is done as part of the check-in process at a hotel, to prove an identity for a financial transaction, or to support a border crossing, it is imperative that document authentication processes do not facilitate identity fraud or fraudulent cross-border movement.  If not properly validated, fraudulent documents can easily be used to transit borders for nefarious means, or to assume whatever identity that a person desires.

e-Passports were introduced in 2006 and now comprise the majority of travel documents in circulation.  However, since not all borders implement processes to properly authenticate these tremendously secure identity documents, fraud has also been facilitated.

In 2011, Somalia stated that they will no longer accept their original green passport (which is NOT an e-passport) due to their belief that the persons presenting these passports are likely to be engaging in terrorism-related activities.  The Israelis stated that they had over 135,000 documents stolen in 2010 alone, and they estimate that thousands of these documents are being used fraudulently around the world today.  In fact, they have arrested numerous Iranian and Pakistani nationals attempting to use fake Israeli passports.

While we know that 139 countries are currently issuing e-Passports, based on information available from open source resources, we also know that only a small percentage of countries actually perform Passive Authentication of e-Passports as part of their border control processes.

Passive Authentication (PA) is the process that ICAO requires be performed on the cryptographic security elements protecting the personal data held within e-passport and e-Identification documents. PA unconditionally proves the authenticity of the document by evaluating its cryptographic binding to a trusted issuance infrastructure.

Without this process, anyone can generate an e-passport that meets the electronic encoding requirements and appears to be genuine.

All of the elements protected by cryptographic hashes and the digital signature protecting the document security object may properly validate using the certificate provided within the document.  However, unless the certificate is proven cryptographically to have been produced by a trusted infrastructure, then the document cannot be considered authentic.  In other words, if PA fails, the document should be considered as fraudulent.
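The three checks described above, as an added example that is not part of the original article or any vendor's code: data-group hashes, the signature on the document security object (SOD), and the chain from the embedded certificate to a trusted issuer. It assumes toy textbook RSA over small Mersenne primes in place of the real CMS/X.509 structures, uses the ICAO 9303 terms Document Signer (DS) and Country Signing CA (CSCA), which the article does not name, and all keys and document bytes are constructed sample data.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys
def keygen(p_bits, q_bits):
    """Toy textbook-RSA key from two Mersenne primes (NOT secure, demo only)."""
    p, q = 2**p_bits - 1, 2**q_bits - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (modulus n, private exponent d)

def h(data, n):  # SHA-256 digest reduced into the key's modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(h(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == h(data, n)

def issue(dgs, ds, ca):
    """Build a constructed chip image: data groups, SOD hashes, DS certificate."""
    (ds_n, ds_d), (ca_n, ca_d) = ds, ca
    sod = {k: hashlib.sha256(v).hexdigest() for k, v in dgs.items()}
    cert = {"ds_n": ds_n, "sig": sign(str(ds_n).encode(), ca_n, ca_d)}
    return {"dgs": dgs, "sod": sod, "cert": cert,
            "sod_sig": sign(repr(sorted(sod.items())).encode(), ds_n, ds_d)}

def passive_authentication(doc, trusted_csca):
    """Return (ok, reason); trusted_csca is the relying party's list of CSCA moduli."""
    for name, blob in doc["dgs"].items():
        if hashlib.sha256(blob).hexdigest() != doc["sod"].get(name):
            return False, f"{name} hash mismatch"
    ds_n = doc["cert"]["ds_n"]
    if not verify(repr(sorted(doc["sod"].items())).encode(), doc["sod_sig"], ds_n):
        return False, "SOD signature invalid"
    # The step the article stresses: the embedded certificate must chain to a trust anchor.
    if not any(verify(str(ds_n).encode(), doc["cert"]["sig"], n) for n in trusted_csca):
        return False, "DS certificate not issued by a trusted CSCA"
    return True, "authentic"

CSCA, DS = keygen(127, 89), keygen(107, 61)            # genuine issuer (constructed)
ROGUE_CA, ROGUE_DS = keygen(127, 61), keygen(107, 89)  # self-made infrastructure
DGS = {"DG1": b"P<UTOSAMPLE<<TRAVELER", "DG2": b"<face image bytes>"}
TRUST = [CSCA[0]]
genuine = issue(DGS, DS, CSCA)
self_made = issue(DGS, ROGUE_DS, ROGUE_CA)   # internally consistent, untrusted chain
tampered = dict(genuine, dgs=dict(DGS, DG2=b"<other face>"))

if __name__ == "__main__":
    for label, doc in [("genuine", genuine), ("self-made", self_made), ("tampered", tampered)]:
        print(label, passive_authentication(doc, TRUST))
```

The self-made document passes the hash and SOD signature checks and is rejected only at the trust-anchor step, which is why a reader that stops after the first two checks cannot tell it from a genuine one.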

As the facilitation of an increasing number of travelers continues to be a top priority for nations, careful consideration must be given to the appropriate implementation of technology to support that objective.

Border processes cannot be cumbersome to the traveler or be perceived as the cause of delays.  Technology is increasingly being implemented to address this critical balancing act; self-service kiosks and automated border controls have been deployed or are being piloted across the globe.  However, with an increased reliance on technology to assess the validity and authenticity of the supporting travel document, the underlying processes MUST be implemented to leverage the significant security and level of identity assurance that is provided by the e-passport.  Many of these pilot implementations are basing an access decision on the comparison of the traveler’s biometrics to those found within the electronic chip of the e-passport.  While biometric comparison technologies are advancing at a tremendous rate, there is no value in performing the comparison unless the document that is being used as the source of the biometric has been proven to be authentic.

PA is a critical security component that must be implemented to truly take advantage of the anti-fraud and anti-tampering security features built into e-passports.  This process not only evaluates the authenticity of the document and its contents, but also facilitates the automation of traveler identity verification and transit throughout their journey.




Fraudsters Want Your ID Information. What Are You Doing to Stop Them?

In 2016, identity theft amounted to $16 billion and affected more than 15.4 million people in the United States. Your identity is arguably your most valuable asset, but how often are you aware of all the ways that you use it to transact? With the lines of physical and digital identity becoming increasingly blurred, it’s more important than ever to safeguard your identity during transactions.

Are you doing enough to ensure you’re keeping your personal information – and your customers’ information – safe from fraudsters?


Every day, Americans make transactions by swiping, scanning or chip-reading – from grabbing a cup of coffee to purchasing airline tickets. The convenience of these transactions, it seems, trumps concerns of information falling into the wrong hands. But the time has passed for simply hoping our ID information – and our customers’ ID information – will continue to be safe, simply because you’ve seen no evidence it’s been compromised.

Just a Day in the Life for Identity Thieves

Let’s look at a typical day anyone could have to see how easily one can expose their ID information to considerable security risks.

Mobile banking. Shortly after leaving the office, a person decides to check the balance of their checking account. They use the local coffee shop’s free Wi-Fi, because like 67% of Millennials, they use a mobile app to access their banking information. Though on an open network, they tap in their ID, password and perhaps other Know Your Customer (KYC) information, as required by anti-money laundering (AML) regulations. Did a fraudster track their every keystroke?


Small business transactions. Because this person is now running late to a doctor appointment, they pull out their credit card to engage one of the 1,000 bike-sharing services across the country, a market that is expected to become a $6.1 billion business by 2020. Are the security measures employed by all 1,000 vendors up to par? How does this one rank?

Medical Insurance. At the doctor’s office, they check in at the front desk, making their co-pay with the same credit card and giving their medical insurance card information which is likely photocopied. Like most people, this person is more than likely unaware that 15.4 million medical records were stolen in 2016 alone, and that 301 people across the country were charged roughly $900 billion in false billing.

Remember, Identity Thieves Never Take a Vacation

Although you’re in a rest-and-relaxation mode, you still know not to leave your hotel room unlocked or your wallet on a car seat. If only you could take similar measures to protect your ID information. Here are some common transactions that require ID information on a typical vacation – and some data associated with their risk of security breaches.

Accommodations. The global vacation rental market is poised to be worth $193.89 billion by 2021. Fully 46% of customers check in using hotel loyalty programs, and loyal customers spend on average 67% more than new ones. Front desks and agencies mostly take your identity document, photocopy it, and store it somewhere, a very insecure data capture method. All this makes vacation rental businesses likely targets for theft of identity information.

Ground transport. Uber reported that 40 million people used the ride-hailing service in 2016. Incidentally, 8,000 ride-hailing service drivers in Massachusetts failed to pass new state background checks in 2017. Similarly, car-rental agencies routinely require a check of ID documents to complete transactions and mostly use the archaic photocopy method of capturing your ID, leaving you vulnerable to a paper file floating around.

The More You Know, the Better

Our free infographic, Where Does Your Identity Take You in a Day?, illustrates just how important it is to protect your ID information.

Acuant provides businesses with identity proofing solutions for trusted transactions. For more information, contact us.

