I’m two weeks into my business development role at Inverid and it still amazes me that it’s a brilliantly simple proposition that a billion people can do. There are over one billion NFC-chipped documents in circulation worldwide and over a billion smartphones capable of reading them with many more to come. So, the chances are if you’re reading this that you’re one of the people who can.
In fact, before reading on, download the ReadID Me app now to see the embedded data in your passport or ID card – it’s useful to know your chip still works after you jumped in the hotel pool fully clothed, or if you’re technically inclined, you’ll see the metadata hashes and signatures that prove its authenticity.
The dog chewed my passport. Does the chip still work?
So now you see how easy that is, why can’t all the services that need to know who you are use it too? Banks, employers, lettings agents, airlines, dating services, and more - the possibility for using this data goes far beyond travel and identity proofing in account onboarding. You could use it in all aspects of the identity lifecycle: authentication, authorisation, and account recovery.
It’s taken me 25 years to get to this point, but timing is everything.
I’ve seen the future many times in my career - being early is just as bad as being too late! Retrospectively I can see how my experience aligns with where Inverid is now and where it’s going in the very near future.
The rest of this blog is about what got me here and some insights I’ve gained along the way. The next blog is about where I see Inverid’s ReadID going.
The passport is the OG Verifiable Credential
It’s worth gaining some perspective and thinking why passports have chips. It’s all about constraint - the air travel industry is constrained by throughput - planes, runways, gate slots, baggage handling, and immigration controls. Training and employing staff to spot forged documents is expensive, and considering the number of nationalities and passport documents they are likely to encounter, also prone to error. Each document generation has different overt and covert anti-counterfeiting technologies and knowing “what good looks like” was especially challenging. Over 25 years ago, the International Civil Aviation Organisation (ICAO) defined the biometric chip passport that would use cryptography to guarantee integrity and authenticity of documents and identity claims in a fast machine-readable way. With built-in crypto-security it also prevents covert surveillance and eavesdropping. You could call this the “Original Gangster” verifiable credential (The OG VC). It says so in the front page of my passport - Her Britannic Majesty’s Secretary of State requests and requires in the name of Her Majesty all those whom it may concern to allow the bearer to pass freely without let or hindrance, and to afford the bearer such assistance and protection as may be necessary.
But 25 years ago, I was involved in a different kind of identity - the original RFID powered “Internet of Things” (IoT), a phrase coined by MIT that stemmed from digital identity in the Auto ID barcode industry.
What's the Radio Frequency of ID?
Fresh out of university I joined an RFID reader start-up - we won contracts to embed tag readers in luggage label printers for tagged baggage handling tests, and combined RFID and barcode scanner modules in handheld scanners.
There were three main frequencies - 125kHz used in pet and livestock chips, 868 or 915MHz for long range (10m) scanning which are now found in most product labels in the sports goods store Decathlon, and 13.56MHz for baggage tags. 13.56MHz works in the “near field” - well below its 22m wavelength - a mains-electricity powered reader could barely achieve a reliable 50cm range. These tags benefit from being cheap to produce and embeddable in almost anything - except conductive materials like metal foil. But there were growing concerns from privacy advocates of their use in covert surveillance - simple RFID tags give up their contents to any reader and allow anyone to start correlating identifying data about you without your knowledge. Passport Chips are not RFID tags - they are contactless smart cards just like the bank cards in your wallet, and they don’t start talking unless you’ve scanned the visual inspection zone on the photo page to get the initial password.
The NFC Forum and contactless card payments
Around 2005 I was representing an NFC Silicon IP vendor in the NFC Forum. This was years before the iPhone launch, when Nokia and BlackBerry were on top of the market, and Symbian or Windows Mobile powered “Smartphones”. Contactless payments hadn’t even rolled out, and yet visionaries within the forum saw the possibility of using phones to emulate contactless smart cards, read RFID tags, and communicate peer-to-peer over short range. It was exciting to be there and I couldn’t quite believe a much older and wiser person who said, “it’ll take 20 years for all this to play out”. They were right.
It’s only recently that my iPhone can swap contact cards through NFC, and a few years ago it became able to read NFC passport chips in addition to its well-established card emulation mode used in Apple Pay.
From NFC, I dived into the world of ARM powered smart cards as that’s where I saw the need for high performance security chips that could handle multiple applications.
Smart cards are amazingly smart
SIM cards, payment cards, embedded secure elements and now even integrated secure elements within IoT chip packages and silicon - these small computers protect keys from some highly advanced forms of attack, whether it be laser beams, power glitches, power analysis, acid etching or other forms of electronic torture and interrogation designed to make them give up their secrets. They are tiny computers with one input and one output, memory and a processor to run secure operating systems (e.g. JavaCard Open Platform) and applications to deal with highly structured data like passport documents. Some of them do all this through a wire coil antenna, drawing their power from the phone that is interacting with them. They go through rigorous security evaluations and Common Criteria certifications to assure their issuers that secrets are safe from known attacks. Contactless smart card chips pack some processing punch and powerful protection of your private keys, and these are exactly what you’ll find buried in your own passport.
Mobiles trust issues and identity crisis
At ARM and Trustonic I was building ecosystems to make use of ARM TrustZone - a Secure Enclave that could run a small “Trusted Execution Environment” (TEE) that would handle biometrics, touchscreen inputs, and high performance cryptography away from potentially compromised host operating systems. At the root of all the use cases was an identity crisis - knowing who and what device is attempting to access what service. We were trying to figure out how FIDO authentication would fit in the Trustonic mobile TEE. It was all about identity and attestation - the ability to prove you have possession of a private key and prove that it’s protected so that only one device could have it.
Identify all the Things
At all layers of technology, from the intellectual property building blocks of silicon chips, the factories that make them, the software that runs on them and the people that provide and maintain the things, knowing who did what when is the foundation of trust. It was this idea while working for Ping Identity that led to the founding of RKVST - a private blockchain powered software as a service solution. We may have been very early on IoT, certainly early on Software Bills of Materials, yet the principles of supply chain attestations apply to many trust issues. From connected things to nuclear waste, and many things in-between, blockchains are what some people think of for Verifiable Credentials. The future of this isn’t yet clear, but I have the sense that somehow blockchain will connect again.
Crash and Recovery
After leaving RKVST, I enjoyed a summer break in the Alps downhill mountain biking. It was going well until a crash had me laid up on painkillers for a few weeks. As a British Cycling MTB coach, I say every crash is a learning opportunity and this one uncovered some unexpected insight.
A reminder to take painkillers - crashing hurts.
I broke my phone. It limped on for a few weeks but ultimately died. The shiny new phone arrived and thanks to my Apple ID and iCloud backup, most apps were faithfully restored. Except my bank’s app.
To get the bank app activated on the new phone I had to deactivate it on the old one. Spot the problem here. So now I had to call the bank to go through the activation process. When was the last time you spoke to someone at your bank? I remember the last time – 2009, when I bought a car and wanted to make sure the bank branch had enough cash. It was a similarly painful experience.
They asked for two letters from my phone banking password - the one I had set ten years earlier, never used, and completely forgotten. After 30 minutes of what must have cost the bank a lot of money and both of us a lot of time, we did the phone authentication dance and the app reinstall process was completed.
There has to be a better way to prove who I am to my bank’s app, I thought.
And then my brother introduced me to Inverid. There is a better way: My passport chip could prove it’s me so I can recover access.
Even better - I know exactly where my passport is, and I’ll always have it with me when out of the country. It’s a very useful second factor.
Verify then Trust
Whoever said “trust but verify” never owned a computer. Always verify first! After all the interviews it was delightful to see Inverid use ReadID as part of their Know Your Employee onboarding process.
Having now worked two weeks at Inverid I have barely scratched the surface of what it takes to build an NFC-Chipped Document Verification service. It’s certainly not easy making it so simple. It takes a deep understanding of government issued identity documents, mobile devices, app development, user experience, accessibility considerations, SaaS operations, orchestration, compliance, analytics, cryptography, security and privacy.
There’s a lot I know I don’t know, and probably a whole lot more that I don’t know that I don’t know.
That’s the story of what got me here.
Verifying identity document data is what will get us there…
To a future free from the pain of proving who we are online.
To allow the bearer to pass freely without let or hindrance, and to afford the bearer such assistance and protection as may be necessary - as we journey online.