You often need to prove you are who you say you are online. Banks need to comply with anti-money laundering regulations. Employers need to know employees have a right to work. Landlords need to know people have a right to reside. Gig economy platforms need to know who are delivering their services. Charities need to know volunteers are not barred from working with vulnerable people. Dating sites need to prove real people control profiles and users are safe.
Looking beyond identity verification, I’d like to know that an account is operated by a human, not a machine. Dave Birch often writes that IS_A_PERSON is a key attribute of identity. But authentication, authorisation and account recovery could also benefit from chipped document scanning.
The problem is we’re now in the hype cycle of generative AI, Machine Learning and Large Language Models. It will get harder to tell what’s real from what’s fake.
Defence against the Deepfakes
The old “trust but verify” approach means there is always the chance of letting in bad actors. Photoshopped or photocopied identity documents, forgeries and video injection of liveness presentation can all result in fraudulent accounts. A well-constructed deepfake document scan would even mimic the user taking a picture of their physical document. The vulnerability lies in taking data at face value: attacks are possible whenever the data cannot be verified.
Remember - the phone’s camera is not better than the human eye, and I don’t know of any phone manufacturers launching models with integrated UV lamps to check invisible security marks. AI and Machine Learning won’t spot the fakes - these only predict outcomes by comparing inputs against models of real and fake documents. They are only as good as the data that trains them. The inevitable outcome is a Cold War stalemate of deepfake generator vs deepfake detector.
And think this through: if a visual check with Machine Learning powered optical verification is enough, then which country’s border force will be first to remove their installed chip readers and put all their faith in machine learning (ML) enabled optical document scanners? Do let me know.
NFC chip scans are deepfake-proof. They make AI irrelevant.
An AI deepfake agent running on a server or computer anywhere cannot:
- Find your passport or ID card
- Open it and scan the Visual Inspection Zone (VIZ)
- Physically tap your phone to the document
- Establish authentication handshakes with the chip
- Pass data verification checks against established chains of trust
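Two of the steps in that list can be shown concretely with nothing but the Python standard library. Below is an added illustration, not code from the original post or from Inverid: it derives the Basic Access Control (BAC) session keys that the reader must present before the chip will talk (the ICAO 9303 check-digit and key-derivation rules, with MRZ sample values matching the ICAO Doc 9303 worked example), and it performs the data-group hash comparison of Passive Authentication against a constructed Document Security Object (EF.SOD) hash list. The data group contents are constructed placeholders, and the step this example deliberately omits is the one that gives the hash list its authority: verifying the SOD signature against the Document Signer certificate and the issuing country’s CSCA. Without that signature check, a hash list that matches tampered data groups proves nothing, which is exactly why the chain of trust is the last item in the list above.

```python
"""ICAO 9303 BAC key derivation and Passive Authentication hash checks.
Added illustration using only the standard library; sample data is constructed."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# --- MRZ check digits and BAC key derivation (ICAO Doc 9303 Part 11) --------

def mrz_check_digit(field: str) -> int:
    """ICAO check digit: weights 7,3,1 repeating; '0'-'9' = 0-9, 'A'-'Z' = 10-35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so it has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def bac_keys(doc_number: str, birth_date: str, expiry_date: str) -> Tuple[bytes, bytes]:
    """Derive the BAC keys (Kenc, Kmac) from the MRZ the reader has just scanned.

    MRZ_information = docno + cd + YYMMDD birth + cd + YYMMDD expiry + cd
    Kseed = SHA-1(MRZ_information)[:16]
    K_i   = parity(SHA-1(Kseed || 00 00 00 0i)[:16]); i=1 -> Kenc, i=2 -> Kmac
    """
    mrz_info = (
        f"{doc_number}{mrz_check_digit(doc_number)}"
        f"{birth_date}{mrz_check_digit(birth_date)}"
        f"{expiry_date}{mrz_check_digit(expiry_date)}"
    )
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    kenc = _odd_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x01").digest()[:16])
    kmac = _odd_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x02").digest()[:16])
    return kenc, kmac


# --- Passive Authentication: data group hashes versus EF.SOD ----------------

def build_sod_hashes(data_groups: Dict[int, bytes]) -> Dict[int, bytes]:
    """What the issuing state records in EF.SOD: one hash per data group (SHA-256 here)."""
    return {dg: hashlib.sha256(content).digest() for dg, content in data_groups.items()}


def verify_data_groups(sod_hashes: Dict[int, bytes],
                       presented: Dict[int, bytes]) -> Tuple[bool, List[int]]:
    """Recompute each presented data group's hash and compare with the SOD entry.

    Returns (all_ok, failing data group numbers). In a real read this step is
    meaningful only after the SOD signature has been verified back to the CSCA,
    which is omitted here.
    """
    failures = []
    for dg, content in presented.items():
        expected = sod_hashes.get(dg)
        actual = hashlib.sha256(content).digest()
        if expected is None or not hmac.compare_digest(actual, expected):
            failures.append(dg)
    return (not failures, failures)


# Constructed sample: DG1 carries the MRZ text, DG2 the facial image (placeholder bytes).
GENUINE_DGS = {
    1: b"P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<L898902C<3UTO6908061F9406236<<<<<<<<<<<<<<",
    2: b"<constructed facial image bytes>",
}
SOD_HASHES = build_sod_hashes(GENUINE_DGS)


def demo() -> Tuple[bool, bool, List[int]]:
    """Genuine read passes; a swapped photo (DG2) is caught by the hash list."""
    kenc, kmac = bac_keys("L898902C<", "690806", "940623")
    assert len(kenc) == 16 and len(kmac) == 16
    ok_genuine, _ = verify_data_groups(SOD_HASHES, GENUINE_DGS)
    tampered = dict(GENUINE_DGS)
    tampered[2] = b"<swapped facial image>"
    ok_tampered, failed = verify_data_groups(SOD_HASHES, tampered)
    return ok_genuine, ok_tampered, failed


if __name__ == "__main__":
    print(demo())
```

The point of deriving the keys from the MRZ is that a remote deepfake agent never has the printed MRZ of a document it has not physically handled, and the point of the hash list is that a replaced photo cannot be reconciled with what the issuing state signed. The constant-time comparison is the same habit you would use for any MAC or digest check.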
With an NFC chip scan, you get very strong signals that a human is interacting with a real passport document. You get a high-quality image of that person that you can use to check likeness and liveness later in the enrolment process. You get unalterable affirmation of the name, the date of birth and the source of the document.
If the chip is there then use it! It will automatically speed genuine people through the verification process. Deepfakes and bots without passport chips can try their luck passing ML detectors.
Of course, there can be a lot more to identity proofing, for example verifying with external sources, but the foundations are strong with proven document evidence.
The role of Passports in Authentication, Authorisation, and Recovery
Once identity verification is complete, establishing an authentication mechanism enables the user to log in again without repeating the proofing phase. Traditional usernames and passwords are being phased out by stronger mechanisms such as Passkeys or other two-factor methods.
This may not rule out further identity verifications after onboarding - for instance if the user is attempting to log in from a previously unknown location or attempting to make a high-value or risky transaction. It would be comforting to know that applying for a mortgage in my name would be protected by a secure document scan.
The passport would not be involved in the day-to-day authentications, but in the big events and emergencies when extra assistance and protection is needed, as the passport document itself says.
Your Passport to Recover Passkeys
Passkeys bring a massive improvement in user security by eliminating ‘phishable’ credentials - passwords that are easy to remember but reused across many sites, or password managers that then become a single point of failure. The FIDO Alliance (Fast IDentity Online) broke ground on the technology over ten years ago and it’s now a mainstream capability built into your phone.
So long as the user is on a happy path, Passkeys are great. But the problem now looming with these device-bound credentials is what happens when you break or lose your phone, or, perhaps less likely, want to transfer from Android to Apple or vice versa.
Your Passkeys belong to us!
Whatever mechanism is used to recover the account, it MUST have at least the same level of security as the authentication mechanism itself, otherwise the security properties and promises of the authentication method are inherently undermined.
A typical pattern emerging is the user would recover their account from another registered device, assuming they have a laptop, tablet, or something else. Or appoint a trusted friend or family member to assist with the recovery operation. But what if that device is unavailable or you no longer trust that person? Could this make people under coercive control even more vulnerable? Surely you should be self-sufficient for even greater safety and security.
Your passport is the property of the state and misuse of it is criminal - you have some legal protection. The passport or ID card chip is a cryptographically strong token with security and assurance properties similar to, if not better than, those of a FIDO authenticator. It bears a likeness of you for user verification. And here’s the thing - you probably already have one.
A billion people already have FIDO Passkey recovery tokens issued by their governments worldwide.
Your passport chip can recover your passkeys.
Verifiable Credentials from the OG Verifiable Credential
The EU identity wallet and other initiatives aim to solve the personally identifiable information privacy challenge by allowing users to control exactly what data they share with whom, giving away just enough to gain access to services. For instance, a bartender only needs to know you are above the legal age to purchase alcohol in the jurisdiction (21 or 18) - not your birthdate or any other information visible on a physical identity document, such as your address.
The user’s wallet would store attested claims. These are proofs generated by services that are able to bear witness to shareable information - for instance that they have already proven your identity, your employment status, your credit score, IS_A_PERSON, or other attributes.
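The bartender example above can be made concrete with the salted-hash selective disclosure pattern (the mechanism behind formats such as SD-JWT). The following is an added illustration, not the EU wallet’s format and not Inverid’s code: the issuer produces one salted disclosure per claim and signs only the list of their digests; the holder hands over the signed digest list plus the single disclosure they choose to reveal; the verifier checks the signature and then that each revealed disclosure hashes to an entry in that list. The issuer “signature” is an HMAC under a constructed key, standing in for the asymmetric signature a real credential uses (with HMAC the verifier would share the issuer’s key, which is not acceptable in practice). Claim names and values are constructed.

```python
"""Selective disclosure of wallet claims using salted-hash disclosures.
Added illustration; HMAC stands in for the issuer's public-key signature."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

ISSUER_KEY = b"constructed-issuer-key"  # placeholder for the issuer's signing key


def _digest(disclosure: str) -> str:
    """Digest of one disclosure string; only these digests go into the signed credential."""
    return hashlib.sha256(disclosure.encode("utf-8")).hexdigest()


def issue(claims: Dict[str, object], issuer_key: bytes = ISSUER_KEY) -> Tuple[dict, Dict[str, str]]:
    """Issuer: salt each claim so its digest reveals nothing, sign the sorted digest list."""
    disclosures = {}
    for name, value in claims.items():
        salt = secrets.token_hex(16)  # fresh random salt per claim blocks guessing attacks
        disclosures[name] = json.dumps([salt, name, value], separators=(",", ":"))
    digests = sorted(_digest(d) for d in disclosures.values())  # sorted: order leaks nothing
    payload = json.dumps({"issuer": "constructed-issuer", "digests": digests},
                         separators=(",", ":"))
    signature = hmac.new(issuer_key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    credential = {"payload": payload, "signature": signature}
    return credential, disclosures


def present(credential: dict, disclosures: Dict[str, str], reveal: List[str]) -> dict:
    """Holder: the signed credential plus only the disclosures the relying party needs."""
    return {"credential": credential, "disclosures": [disclosures[name] for name in reveal]}


def verify(presentation: dict, issuer_key: bytes = ISSUER_KEY) -> Optional[Dict[str, object]]:
    """Verifier: issuer signature first, then every revealed disclosure must be in the list.

    Returns the revealed claims, or None if anything fails.
    """
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["payload"].encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        return None
    digests = set(json.loads(cred["payload"])["digests"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        if _digest(disclosure) not in digests:
            return None  # disclosure was not attested by the issuer
        _salt, name, value = json.loads(disclosure)
        revealed[name] = value
    return revealed


def demo() -> Tuple[Optional[dict], Optional[dict]]:
    """Bartender sees only age_over_18; an added, unattested claim is rejected."""
    credential, disclosures = issue({
        "name": "Anna Maria Eriksson",      # constructed
        "date_of_birth": "1969-08-06",      # constructed
        "age_over_18": True,
        "is_a_person": True,
    })
    bar = verify(present(credential, disclosures, ["age_over_18"]))
    forged = present(credential, disclosures, ["age_over_18"])
    forged["disclosures"].append(json.dumps(["salt", "age_over_21", True]))
    return bar, verify(forged)


if __name__ == "__main__":
    print(demo())
```

Note what the verifier learns and does not learn: the signed payload carries only digests, so the birthdate and name stay in the wallet, and because the holder cannot mint a new digest into the issuer-signed list, a claim the issuer never attested is rejected. The holder-side secret here is the set of disclosures and salts, which is why losing the wallet means losing the proofs.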
All of these claims can be secured with private keys held by you in your wallet. Now of course this results in a key management and access problem - lose access to the wallet and all your identity proofs are gone!
Just like FIDO, recovering access to your wallet must be done in a way that is no less secure than the mechanisms protecting your claims.
Your passport chip is your defence against deepfakes that can recover your bank apps and passkeys today, and your Verifiable Credentials wallet tomorrow. A few of Inverid’s customers already do account recovery with it!
Your passport chip can prove it’s you. And a billion others can do it too.