
04 Mar 2024 | 7 min read | in ID verification & biometrics

RFID Technology for Identity Verification: A Comprehensive Guide

Ihar Kliashchou

Chief Technology Officer, Regula

In 2006, the International Civil Aviation Organization (ICAO) standardized electronic machine-readable travel documents (eMRTDs) with RFID chips, making it easier to confirm the identity of the document holder and verify the document itself. 

The employment of biometric verification based on the data stored on a contactless chip was also a big contribution to the security and fraud resistance of eMRTDs. However, this technology is not without its drawbacks, which scammers may take advantage of.

In this article, we'll guide you through the ins and outs of RFID chips in electronic IDs:

  • What information RFID chips contain

  • How to ensure that a chip is genuine 

  • Which fraudulent tricks can be used during online identity verification

What is RFID technology?

The use of radio frequency waves for transferring data and identifying objects is known as Radio Frequency Identification (RFID). This wireless technology enables receiving information about an item (say, a bottle of water with an RFID tag attached) from a distance using an RFID reader or scanner. 

The data is stored on a small electronic device—a tag or microchip embedded in or attached to the item—and is transferred through antennas, which both the item and reader have. While the tag is a passive asset that transmits information “upon request,” the chip is composed of components with different functions and roles organized in a logical structure. That enables the chip to interact with the reader in a “dialog” manner.

The data exchange between the item and reader can occur at different frequencies. Here are the three most-used ones:

  • Low frequency (125 kHz): Applied for access control systems involving key fobs, pass cards, etc., and for animal tracking.

  • High frequency (13.56 MHz): Used in electronic identity documents, like passports, ID cards, and driver’s licenses, as well as in payment systems.

  • Ultra-high frequency (840-960 MHz): Used in logistics, manufacturing, retail, electronic toll collection systems, etc.

The frequency also determines the read range, the data transmission speed, and the data exchange protocols available for application. For example, the read range of the high-frequency RFID chips embedded in electronic IDs is 1-10 centimeters, while ultra-high frequency RFID tags can achieve a range of up to 100 meters.

The versatility and adaptability of RFID technology have made it an indispensable tool across various industries since the 1970s. Initially, it found its footing in logistics, transportation, agriculture, and other sectors that required precise handling of large data volumes. Businesses relied on it to manage product inventory, track vehicles, tag livestock, and perform other operations that demanded accuracy and efficiency.

Later, RFID technology was also introduced in identity verification.

RFID chips in identity documents: The function and content

The first attempt to use RFID technology in identity documents was a Malaysian electronic passport issued in 1998. However, that was a test sample rather than a historic breakthrough. 

Later, ICAO updated Doc 9303, the standard for countries that wish to start issuing MRTDs, including electronic passports. The document uses the term "contactless integrated circuit" (CIC) to refer to an RFID chip. This semiconductor device stores the data and communicates with a reader through radio frequency energy according to the ISO/IEC 14443 standard. 

There are also separate standards defining the use of CICs in other types of electronic identity documents. For instance, the ISO 18013 series is dedicated to driver’s licenses. 

Interestingly, some electronic identity documents, such as driver’s licenses and ID cards, can support two communication channels—contact (through contact terminals) and contactless (based on RFID technology).

A French biometric ID card with an RFID chip and contact terminals

A French electronic ID has a dual interface that enables data to be read two ways: contact and contactless.

According to current guidelines, the "chip inside" emblem must be visibly present on the front cover and/or the personal data page of all electronic identity documents.

A biometric passport with an RFID chip

All electronic ID documents have the “chip inside” emblem.

The technical part of RFID technology is the same for all e-documents. Simply put, the chip is a data medium. It includes an operating system to access this data and applications like ePassport, eID, eDL, eSign, and others. 

Under the ICAO standard, biometric passports, ID cards, residence permits, etc., may contain RFID chips with the ePassport application.

What’s inside

The content of RFID chips varies depending on the type of identity document. However, different data is always stored separately, and each file has its own unique identifier used to provide access to it. This segregation contributes to RFID chip security.

Typically, there are informational and service data packages. For instance, a biometric passport’s chip includes the following data groups (DG):

  • DG1—The data, also encoded in the document’s machine-readable zone (MRZ): name, date of birth, nationality, sex, etc.

  • DG2—The holder’s photo

  • DG3—The fingerprints

  • DG4—The iris scans

  • DG5—An additional photo of the owner in better quality

  • DG7—The image of the holder’s signature

  • DG11—Extra details on the holder beyond data from MRZ, date of issue, their name, place of birth, etc.

  • DG12—The information on the issuing body: by whom, where, and when the document was issued

  • DG13—Additional details reserved for use by the national services of the issuing state

  • DG14—Information about cryptographic algorithms and a public key used for Chip Authentication

  • DG15—Information about cryptographic algorithms and a public key used for Active Authentication

  • DG16—Information about persons to notify in case of emergency

The DG6 data set, as well as DG8-DG10, are reserved for further standard development.

This logical structure makes it possible to set certain access levels to the data recorded on the RFID chip. For instance, the DG2 file with the document holder’s photo is checked during an ordinary verification session, say, the customer onboarding procedure in a bank. However, only authorized entities like border control or police officers are permitted to check biometric data such as fingerprints locked in DG3. In some countries like Germany, reading all biometrics encoded in the chip is restricted to authorized entities. 

The service data groups contain files for secure data access procedures, digital signatures, and chip authentication algorithms. One of the core files from this cohort is the Document Security Object (SOD).   

Generally, the SOD holds the issuing authority certificate (Document Signer Certificate), a digital signature generated during the document personalization stage by its issuing body, and hashes of all DGs, that is, the values of a hash function that maps data of any size stored on the chip to fixed-size values.

Hashing helps turn data from informational DGs into impersonal unique values that don’t expose any sensitive details. For example, DG1’s hash may look like “8743b52063cd84097a65d1633f5c74f5.” Since hash strings have a specified length, a data group can be even shorter than its hash. 

The SOD is also digitally signed to prevent fraudulent alterations.

Security mechanisms used

Let's take a closer look at the security measures that safeguard the confidentiality of data within the chip.

The backbone of these procedures is cryptographic algorithms, transforming plain text into a ciphertext that looks like a jumbled mess to anyone who might intercept it. This can be done using symmetric or asymmetric cryptography. Both mechanisms are involved in protecting RFID chips.  

Symmetric cryptography is based on the use of the same key (a shared secret) for “packing” and “unpacking” incoming and outgoing messages. The secret key is available for both the sender and recipient, which makes this method less secure.

A symmetric cryptography diagram

Asymmetric cryptography implies the use of two pairs of mathematically related keys: a private one for encryption and a public one for decryption. While the public key is available to both sides, only a recipient of the message has access to the private key. For this reason, asymmetric algorithms are considered more reliable.

An asymmetric cryptography scheme

Generating digital signatures in RFID chips is also not possible without asymmetric cryptography. In this case, the private key is used to create a unique signature attached to the message. The corresponding public key, which is available to the recipient, enables verifying the signature authenticity, namely whether the owner of the private key generated it.

A digital signature scheme

The identity document issuing bodies—the country's authorities—cryptographically sign all chip content in newly issued items with a digital signature created using the private key. Certificates containing the public key required for verifying data are distributed to the relevant parties.

Trusted certificates

Each country issuing electronic identity documents also generates corresponding security certificates: the Country Signing Certification Authority (CSCA) Certificate, and the Document Signer Certificate (DSC). The CSCA private key digitally signs the DSC. Subsequently, the DSC private key digitally signs the SOD in the chip. Together, these signatures establish a chain of trust.

Many countries exchange their certificates with each other directly or through the ICAO Public Key Directory (PKD), the centralized certificate catalog. It allows for verifying foreign biometric documents at any border control point. Another option is the German certificate catalog run by the BSI, the Federal Office for Information Security, which has alternative country coverage.

However, some countries (usually less prosperous ones) don’t participate in certificate exchange. Since many of these regions also contribute to illegal migration, RFID verification in documents issued by their governments is a challenge that is yet to be solved.

RFID chip verification: Key components

The RFID verification flow looks fast and simple from the user’s perspective. You scan the RFID chip with a specialized reader or NFC-enabled smartphone. The device sends a radio signal to the chip to activate it. Then, the chip “replies” with the requested information. Finally, you can see the results via the application you use. 

However, the technical side of the process is much more complicated.

Ways to access an RFID chip

In order to safeguard the privacy of the electronic identity document holder, information stored on the chip is secured with an access control mechanism. The access control mechanism prevents reading data from the chip unless the inspection system, such as a passport reader at an airport, can demonstrate its authorization to get the chip information. 

This helps prevent eavesdropping on a “dialog” between a chip and a reader and skimming the data. Otherwise, wrongdoers might snatch personal data from an RFID chip by connecting to it with a third-party scanner.

The ICAO identifies four forms of access control currently used in electronic IDs:

  • Basic Access Control (BAC)—As one of the first attempts to develop an access control mechanism for eIDs, this method of securing the communication between chip and reader is still in use today. The reader obtains the secret key for encryption/decryption of transmitted data from the MRZ code of the document. It is derived by combining some lines. This mechanism allows the terminal to access the chip only if it confirms the physical presence of the document. Specifically, it verifies if the MRZ data in the visual inspection zone matches the data stored on the chip. Since BAC relies on symmetric cryptography, it can be vulnerable to attacks if the key is compromised. Moreover, the MRZ is not so unique that it cannot be guessed. For this reason, some countries like Germany stopped issuing biometric documents compatible with the BAC/BAP protocol, giving preference to PACE.  

  • Password Authenticated Connection Establishment (PACE)—Unlike BAC, this mechanism uses asymmetric encryption, providing stronger protection. The process otherwise follows the same logic as BAC. However, to generate a public key, either MRZ code fragments or Card Access Numbers (CANs) can be used.

  • Supplemental Access Control (SAC)—This term indicates the presence of both BAC/BAP and PACE protocols on the chip. The reader may choose any of these paths to securely connect to it, which makes SAC-enabled IDs more compatible with different inspection systems, including older ones. This enhancement was mandatory for electronic passports until January 1, 2018.

  • Extended Access Control (EAC)—This mechanism provides extra security for sensitive biometric data like fingerprints and iris scans stored on the chip, and permits authorized terminals with confirmed rights to use the chip data. Introduced as an additional security layer to BAC, it’s optional for inspection systems if reading of biometric data is not in place during identity verification procedures. Typically, EAC is addressed through the combination of two specialized authentications known as Chip Authentication and Terminal Authentication (we’ll describe them below).

The types of RFID chip authentication

The RFID chip verification procedure includes particular tasks to be performed. All involve cryptographic algorithms. 

The RFID authentication flow is determined by the issuing country, the specific use case, and the IDV software in use. All of these mechanisms may be utilized in business operations, except for Terminal Authentication, which is available only to authorized entities such as law enforcement agencies. Regula Document Reader SDK can be used to execute any of the four procedures.

Let’s see them in detail.

 

Passive Authentication

The purpose of this check is to confirm the integrity and authenticity of the data. The mechanism engages the service data package (SOD), where the hashes of the other data groups are located. The SOD is cryptographically signed with a digital signature generated at the ID document issuance stage. The document issuing authority does it with the use of the DSC and the corresponding CSCA certificate; both are also digitally signed. 

In this scenario, the DSC holds a public key used to validate the SOD, while the CSCA holds a public key used to validate the DSC. Since the CSCA is self-signed, its signature can be verified using the public key contained in the certificate itself. The certificates are available in the ICAO PKD, as well as other trusted sources.

Ultimately, the authenticity of the information data groups is verified by comparing the computed hash values with their respective counterparts stored in the SOD. If all components, including the cryptography algorithms and SOD structure, are consistent, the data in the RFID chip is considered genuine.

 

Active Authentication

This procedure, belonging to the first generation of the technology, is aimed at verifying whether the chip is genuine and not a clone. It requires a challenge-response exchange between the reader and the chip, and employs asymmetric cryptography. 

During Active Authentication, the reader generates and sends the chip a random “challenge” (control piece of data). The chip digitally signs the “challenge” using the private key and sends it as a “response”. Stored in the protected memory of the RFID chip, the private key cannot be read from outside. The reader verifies the validity of this digital signature using the public key from DG15 (for electronic passports) or DG13 (for driver’s licenses), and identifies the chip as authentic only if the returned signature is correct.   

Active Authentication is now used less often and is gradually being replaced by a more reliable mechanism: Chip Authentication.

 

Chip Authentication

Chip Authentication serves two purposes: establishing secure messaging between the passport and the reader, as well as detecting clones.

The procedure is improved over Active Authentication through the use of more advanced cryptographic algorithms. By using two pairs of public and private keys, it employs a shared secret key accessible to both parties involved in the process, facilitating encryption and decryption of all communications. 

The chip and the reader exchange their public keys to mathematically derive the secret key using their private keys as a required part of the calculation. 

The private key is recorded on the chip during the production of the biometric ID, and is available for reading from “inside” only. If the RFID chip data is copied to another chip, its private key will change as well. As a result, the secret key calculated on the chip’s side won't match the one derived by the reader, which may point out chip alterations.
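The key agreement described above, as an added Python sketch that is not part of the original article or of any vendor SDK. It assumes a toy Diffie-Hellman group (not secure parameters), hypothetical class and function names, and an HMAC over a reader nonce standing in for the secure-messaging check that exposes a key mismatch.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group chosen for readability only: P is the Mersenne
# prime 2**127 - 1. Real chips use standardized DH or ECDH domain parameters.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public) for the toy group."""
    private = secrets.randbelow(P - 3) + 2  # value in 2 .. P-2
    return private, pow(G, private, P)


def session_key(own_private, peer_public):
    """Derive the shared secret and hash it into a fixed-size key."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class Chip:
    """Holds a static private key that cannot be read from outside."""

    def __init__(self, private, dg14_public):
        self._private = private
        self.dg14_public = dg14_public  # readable file, like DG14

    def respond(self, reader_public, nonce):
        # The chip derives the secret with its own private key and proves
        # knowledge of it by authenticating the reader's nonce (assumption).
        key = session_key(self._private, reader_public)
        return hmac.new(key, nonce, hashlib.sha256).digest()


def reader_accepts(chip):
    """Reader side: fresh key pair, then check the chip's proof."""
    eph_private, eph_public = keypair()
    nonce = secrets.token_bytes(16)
    proof = chip.respond(eph_public, nonce)
    key = session_key(eph_private, chip.dg14_public)
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(proof, expected)


def demo():
    chip_private, chip_public = keypair()
    genuine = Chip(chip_private, chip_public)
    # A clone carries a copy of every readable file, the public key included,
    # but has to use a private key of its own.
    clone_private, _ = keypair()
    clone = Chip(clone_private, chip_public)
    return reader_accepts(genuine), reader_accepts(clone)


if __name__ == "__main__":
    print(demo())
```

The genuine chip and the reader arrive at the same key, while the clone's proof is computed under a different key and is rejected.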

 

Terminal Authentication

Terminal Authentication occurs after Chip Authentication under the EAC protocol. The goal of this authentication procedure is to prevent unauthorized terminals (readers) from accessing sensitive data stored on the RFID chip, primarily biometrics. Furthermore, successful Terminal Authentication enables authorized institutions to update the information stored on the chip.

During Terminal Authentication, the RFID chip and the terminal engage in a mutual verification process. The chip sends a challenge to the terminal, which must respond with a calculated response based on the cryptographic keys stored within it to prove its legitimacy. The response is encrypted using cryptographic algorithms and shared keys to ensure secure communication.

The blind spot during RFID chip verification

During border control procedures or in-person business interactions, the chips in biometric documents are usually verified with specialized devices supporting RFID reading and verification, for instance, passport readers. In remote document verification scenarios involving identity verification apps, mobile devices supporting the near-field communication (NFC) protocol are used as chip readers. 

As a part of a company’s trusted perimeter, passport readers are reliable sources. However, third-party devices are out of this area. This calls for additional security measures to detect fraudulent tricks with biometric ID cards and passports submitted online.

Considering the growth of digital onboarding in Banking, Healthcare, Aviation, and other industries, many verification sessions involving RFID checks are conducted remotely. This is convenient for customers with electronic identities, as many have NFC-based smartphones. What’s more, using biometric IDs for online onboarding or authentication remains a reliable practice in identity verification that many businesses adopt. For instance, UBS, the largest private bank in the world, has excluded non-electronic passports from their interactions with new clients.   

However, there’s a loophole for fraudsters. All RFID chip authentication mechanisms were developed with the idea that the readers used were trusted devices. In the early 2010s, that was true. However, with an increasing number of mobile users, smartphones became an optional part of the inspection process, along with authorized passport readers and ID scanners.    

The problem is, fraudsters can generate positive NFC verification results during a mobile session. 

Scammers can also present a genuine passport equipped with an RFID chip containing information cloned from someone else's document.  

This means that counterfeit documents submitted online might be mistakenly verified as valid.

The solution? Never trust verification results obtained from a remote source

To address the challenge, server-side RFID verification is based on the “zero-trust to mobile” approach. This additional re-check ensures that the chip is authentic, not a clone, and contains original data. Here is how it works in the scenario involving Regula Document Reader SDK:

Once all chip checks are completed on the user’s device, the mobile RFID verification results containing the chip data are transmitted to the server, where they are rechecked within a trusted perimeter. If any mismatches or fraudulent traces are detected—such as the use of different cryptographic schemes, or digital signatures based on expired or faked DSCs or CSCAs—there is a possibility that the result data or the chip itself was tampered with during the initial verification. 

A diagram of server-side RFID verification

During server-side verification, the user’s mobile is not a trusted source but just a data transmitter. In order to verify that the RFID chip authentication process was carried out accurately, the outcomes of the mobile verification are examined within a secure perimeter.
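The data-group hash comparison from Passive Authentication, repeated on the server as the re-check described above. This is an added Python sketch, not Regula's SDK code: the upload format, field names, sample data and accepted-algorithm policy are assumptions, and validation of the SOD signature against the DSC/CSCA chain is assumed to be done separately with a CMS/X.509 library.

```python
import hashlib
import hmac

# Hash algorithms the server accepts for SOD entries (assumed policy).
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}


def recheck_data_groups(submission):
    """Recompute DG hashes server-side and compare them with the SOD.

    `submission` is a hypothetical upload format:
      sod_hash_alg  - hash algorithm named in the SOD
      sod_hashes    - {dg_number: hex digest} as listed in the SOD
      data_groups   - {dg_number: raw bytes} as read from the chip
      client_result - verdict computed on the phone (never trusted)
    """
    findings = []
    alg = submission["sod_hash_alg"].lower()
    if alg not in ALLOWED_HASHES:
        findings.append(f"hash algorithm {alg!r} not accepted")
        return {"passed": False, "findings": findings}

    sod_hashes = submission["sod_hashes"]
    for dg, data in sorted(submission["data_groups"].items()):
        expected = sod_hashes.get(dg)
        if expected is None:
            findings.append(f"DG{dg} is not covered by the SOD")
            continue
        actual = hashlib.new(alg, data).hexdigest()
        if not hmac.compare_digest(actual, expected.lower()):
            findings.append(f"DG{dg} hash does not match the SOD")

    passed = not findings
    # The phone's own verdict is only compared, never relied upon.
    if submission.get("client_result") == "passed" and not passed:
        findings.append("client reported success but the re-check failed")
    return {"passed": passed, "findings": findings}


def sample_submission(dg2_bytes):
    """Constructed sample upload, not taken from a real document."""
    dg1 = b"P<UTOEXAMPLE<<SAMPLE<<<<<<<<<<<<<<<<<<<<<<<<"
    dg2 = b"constructed-face-image-bytes"
    return {
        "sod_hash_alg": "sha256",
        "sod_hashes": {1: hashlib.sha256(dg1).hexdigest(),
                       2: hashlib.sha256(dg2).hexdigest()},
        "data_groups": {1: dg1, 2: dg2_bytes},
        "client_result": "passed",
    }


GENUINE = recheck_data_groups(sample_submission(b"constructed-face-image-bytes"))
SWAPPED = recheck_data_groups(sample_submission(b"someone-else-face-image-bytes"))

if __name__ == "__main__":
    print(GENUINE)
    print(SWAPPED)
```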

You can make server-side RFID verification a mandatory part of your online identity verification flow. However, it also can be a way to conduct additional checks upon request. The outcome of each mobile authentication session is securely saved on your server, giving you the option to revisit them later if needed. 

Importantly, all of this occurs solely within your premises, and Regula doesn’t have any access to your data.

Taking security to the next level with RFID verification

Identity verification involving electronic IDs with RFID chips is one of the most advanced ways to authenticate customers remotely. However, in an online verification flow, chances are you’ll encounter sophisticated types of identity fraud. 

That’s why a reliable identity verification solution should examine each part of the document, providing a complete set of authenticity checks, such as liveness detection and face matching. For instance, you can compare personal information extracted from an RFID chip to the same data in a Visual Inspection Zone, MRZ code, and barcode to ensure it’s consistent. 

Additional checks don't create friction for your customers when automation is involved. As a result, you avoid sacrificing customer experience while keeping your perimeter secured.

💡Feel free to explore our guide on how to choose the most reliable identity verification solution, where we cover this in detail.


FAQ

What is RFID technology?

Radio Frequency Identification, or RFID, is a technology that uses radio waves to identify and track objects. The elements of an RFID system are an RFID tag or a chip containing data, e.g., the personal information of an e-passport holder; a passport reader or NFC-based smartphone; and an application to retrieve and store the data from the chip. During scanning, the device sends a radio signal to the RFID tag or chip to activate it. The tag or chip “replies” in kind by transferring the data it contains. Finally, you can see the data via the application you use.

What is an RFID chip?

In document verification, an RFID chip is a storage medium embedded in electronic identity documents, such as passports, ID cards, and driver’s licenses. It may contain personal information and biometrics.

What is the difference between NFC and RFID?

Radio Frequency Identification enables you to read data encoded in RFID chips using specialized equipment—RFID readers. Unlike RFID, near-field communication, or NFC, is a two-way channel for transferring data between devices like phones and smartwatches. NFC smartphones, however, can be used as RFID chip readers. That’s why the term “NFC verification” is sometimes used as a synonym for RFID verification.
