Digital travel credentials are on the rise – but how to secure identity data?

By Michael Schwaiger, secunet Security Networks AG

Since its introduction, the electronic passport (eMRTD) has become an indispensable proof of identity for border control. With the inclusion of an RFID chip containing the holder’s biometric features, new applications have emerged – for example with Automated Border Control (ABC) Gates, which have significantly reduced long queues at airports.

However, the pressure continues to increase. New regulations are leading to increasingly complex border control processes. The introduction of the European Entry/Exit System (EES) also plays a role, as it means that third-country nationals and their biometric data must be recorded in full. The typical control tasks of a border control officer are therefore becoming more complex, while the time pressure – especially at airports – remains the same despite the additional tasks. Digital travel credentials are now set to pave the way for a future in which the traditional use of passports changes.

The idea of Digital Travel Credentials
Digital Travel Credentials (DTC) were developed by the International Civil Aviation Organisation (ICAO) and accelerate the verification of travelers’ identities. The concept is based on the ICAO eMRTD electronic passport, which contains the holder’s facial image, personal data and selected security features.

DTCs are created in digital form on the traveler’s smartphone before the journey, the passport data is then checked by the relevant authorities in the country of entry. At the airport, the DTCs are only retrieved using biometric facial recognition – without having to fully read the physical passport at border control. If all identity data has been collected beforehand, only a brief check is required on site, without compromising the security of the check.

Multiple benefits for industry, travelers and authorities
DTCs give travelers the opportunity to carry out pre-checks before arriving at the border crossing. In addition, they bundle the necessary travel documents beyond the digital boarding pass on the smartphone without compromising security. They can avoid potential errors and additional costs during travel application processes, such as visa applications, flight bookings or the creation of an Electronic Travel Authorisation (ETA), thanks to automated data transfer. The smartphone serves as the sole data storage device – only the traveler controls where the data is used.

Airports will become more economically attractive for passengers to stay and consume, also thanks to short connecting flights through the digitalization of processes. In view of their already limited resources, the police and authorities can also carry out self-service processes more quickly, focus on higher-risk travelers and reduce false alarms. Less crowded halls enable fewer extensive screening facilities, while the integration of smartphones makes passenger guidance easier, saves money and staff.

Secure Travel Identities: The secunet security triad
The security architecture for the DTC process is a triad: a mobile component, a central component and a border control component. User-friendliness, security and effective process acceleration through the overall system are decisive for the acceptance of the utilization of such components regardless of the user. secunet, Germany’s leading cybersecurity company, fulfils these requirements with its Secure Travel Identities (STI).

Secure Travel Identities need to compensate for the loss of optical document features and guarantee the validity and protection of the biometric data and facial images used while also being user-friendly for all participating parties. To ensure this, travelers need to be enabled to use their smartphones, deciding for themselves which identity data to hand over. A central administration system capable of risk evaluation, which enables reliable, fast and secure access to police background systems and public key infrastructures (PKI), ensures their secure storage and transmission. An ABC Gate then reads the traveler’s facial image and compares the biometric data with their live image.

secunet is meeting these challenges by implementing a consistent DTC workflow across its entire border control portfolio. Proven SDKs enable the creation of DTCs in customer applications, and secure server components like secunet easyserver accept, store, manage and validate DTCs with state-of-the-art technology such as morphing attack detection and face recognition. Border control systems like secunet easygate, easykiosk and bocoa ensure the smooth and secure use of DTCs in travel processes.

What the future could look like
When the traveler has entered all relevant data in a mobile app, i.e. from an airline, before starting their journey, the app can already read the electronic passport, compare it via a selfie and, if necessary, fill out an entry questionnaire. Data is transmitted via a secure cloud platform made in Germany, which allows border control authorities at the destination to check the traveler’s identity in advance and, for example, carry out a risk assessment of the traveler. Once at the airport, ABC Gates take a live facial image for biometric identification of the traveler. After this has been done, the traveler only needs to hold their closed passport up to the RFID reader for a moment.

Modern, digital passenger processes are necessary to ensure the competitiveness of airports and airlines in the future. DTCs offer a solution, as they enable smooth and fast border crossings without compromising security and thus save travelers, airports and border control authorities valuable time. What’s more, they act as a basis for the use of a digital identity – at border control and beyond.