Add Another Layer to Authenticity Checks
Today, almost every country issues electronic identity documents such as e-Passports, e-Driver’s licenses, and e-ID cards. These types of documents are widely used and considered to be the most secure.
They help to securely identify the owner and provide protection against identity theft. Their key feature is an RFID (radio frequency identification) chip: a reliable security element that makes counterfeiting such documents a much harder task.
The biographic and biometric data—vital personal and biometric information, such as name, gender, photo, signature or fingerprints—is cryptographically secured and signed with a certificate of the country of origin.
Usually, reading RFID chips entails using NFC technology built into mobile phones or passport readers. Regula is on the cutting edge of RFID reading and verification, and leverages complete server-side verification to additionally confirm the genuineness of a chip.
Types of RFID Chip Authentication
All RFID chips are standardized in accordance with ICAO and BSI recommendations. Regula’s RFID reading technology is fully compliant with ICAO, is certified by BSI, and supports ISO/IEC 14443-2, ISO/IEC 14443-3, and ISO/IEC 14443-4 RFID chip standards.
Regula RFID reading technology is backed by the world’s largest document template database, with over 12 000 templates of IDs issued in 248 countries and territories. This lets Regula know what data an electronic document should contain, where it is located, what data groups the RFID chip includes, and what language the data is in, including whether it is in the local language (e.g., the name, at the discretion of the issuing country), so that it can be transliterated if needed. It also knows whether a document should have an RFID chip at all, and can detect when a chip is absent.
To securely access an electronic chip and its various data groups with encrypted information, the technology uses BAC/BAP (Basic Access Control/Protection), PACE (Password Authenticated Connection Establishment), or EAC/EAP (Extended Access Control/Protection) with a password from the MRZ or CAN.
There are 4 types of authentication used in NFC-based verification—Chip, Active, Passive, and Terminal—to authenticate an electronic chip and its encrypted data.
- Passive Authentication (PA)
Uses a digital signature to confirm the authenticity of the data, and detects whether the signed RFID data has been illegally changed, but does not protect against fully copying it.
- Active Authentication (AA)
Makes the device send randomly selected data fragments (known as a “challenge”) to the RFID chip. The chip generates a digital signature of the data using the private key and returns its value (“response”) to the terminal. The terminal verifies the validity of the digital signature using the public key, thereby confirming the authenticity of the private key used by the chip, and hence of the chip itself.
- Chip Authentication (CA)
Sets up a secure communication session based on a static pair of cryptographic keys, which are stored in the chip memory. Successful CA ensures that the public and private keys stored in the RFID chip memory match each other and thus confirms that the chip has not been cloned.
- Terminal Authentication (TA)
Requires certificates that make it possible to access data groups and read sensitive biometric data (fingerprints and other biometrics) from electronic identity documents, but only via an EAC/EAP connection.
*Regula does not provide any Country Signing Certification Authority (CSCA) certificates for authentication, as they are originally provided by the issuing country.
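The difference between Passive and Active Authentication described above, as an added example (not Regula's code): a copy of all readable chip data still passes PA but fails AA, because the private key cannot be copied with it. ECDSA P-256 and SHA-256 are stand-ins, the `Chip` type, its fields and the sample DG1 value are constructed, and the signed hash structure is simplified to one issuer signature over DG1 and DG15.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Chip is a constructed stand-in for a document chip; all names are hypothetical.
type Chip struct {
	DG1, DG15, SODSig []byte            // MRZ data, AA public key, issuer signature
	key               *ecdsa.PrivateKey // stays inside the chip, cannot be read out
}

func hash(parts ...[]byte) []byte {
	h := sha256.Sum256(bytes.Join(parts, nil))
	return h[:]
}

// PassiveAuth checks that the readable data is what the issuer signed.
func PassiveAuth(issuer *ecdsa.PublicKey, c Chip) bool {
	return ecdsa.VerifyASN1(issuer, hash(c.DG1, c.DG15), c.SODSig)
}

// ActiveAuth checks that the chip holds the private key matching the signed DG15.
func ActiveAuth(c Chip) bool {
	pub, _ := x509.ParsePKIXPublicKey(c.DG15)
	ecPub, ok := pub.(*ecdsa.PublicKey)
	challenge := make([]byte, 8) // verifier side: fresh random challenge per session
	rand.Read(challenge)
	resp, _ := ecdsa.SignASN1(rand.Reader, c.key, hash(challenge)) // chip side
	return ok && ecdsa.VerifyASN1(ecPub, hash(challenge), resp)
}

// Demo compares a genuine chip with a copy of all of its readable data.
func Demo() (paGenuine, aaGenuine, paCopy, aaCopy bool) {
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	chipKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dg15, _ := x509.MarshalPKIXPublicKey(&chipKey.PublicKey)
	genuine := Chip{DG1: []byte("P<UTOSPECIMEN<<ANNA"), DG15: dg15, key: chipKey}
	genuine.SODSig, _ = ecdsa.SignASN1(rand.Reader, issuer, hash(genuine.DG1, dg15))
	copied := Chip{genuine.DG1, dg15, genuine.SODSig, otherKey} // original key is not copyable
	return PassiveAuth(&issuer.PublicKey, genuine), ActiveAuth(genuine), PassiveAuth(&issuer.PublicKey, copied), ActiveAuth(copied)
}
func main() { fmt.Println(Demo()) }
```

Because the AA public key (DG15) is covered by the issuer signature, swapping in a different public key to match the copy's own private key would make PA fail instead.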
Complete Server-Side Verification
Although all RFID authenticity checks can be successfully completed on smartphones/edge devices, that alone is not enough, as there is a risk of verification results being intercepted and modified by fraudsters directly on the same device.
In the “zero trust to mobile” approach, Regula adds another layer of protection against such fraud with complete server-side RFID chip authentication. Now, a server in a customer’s secure perimeter takes part in chip verification and reverifies the chip and its authentication session to ensure that the information in the physical ID is trustworthy, that the chip has not been cloned, and that its data has not been manipulated. Also, the results of the verification session are stored on a server so it is possible to check them afterwards if required. All this is done strictly on the client's premises, and Regula gets no access to any data.
Regula Technology Highlights
Supported RFID chip standards
- ISO/IEC 14443-2 (type A and B)
- ISO/IEC 14443-3 (MIFARE® Classic Protocol)
- ISO/IEC 14443-4
Data access modes
- ePassport (DG1–DG16)
- eID (DG1–DG21)
- eDL (DG1–DG14)
- reading RFID chips in compliance with ICAO 9303, LDS 1.7, and PKI 1.1 data formats
- certified by BSI TR-03105 Part 5.1 and BSI TR-03105 Part 5.2
- supports ISO/IEC 18013
More Regula Technologies
Interconnected Regula in-house technologies, such as RFID chip reading, OCR, and barcode and MRZ scanning, come together to ensure a high level of speed and accuracy when it comes to identity document verification. They thoroughly examine every detail in every ID, cross-checking all the data to spot any illegal alterations. Learn more about what’s under the hood of the comprehensive identity verification that Regula solutions provide.