Is There a Secure Way to Scan Passports Remotely?

Mike Engle

What is passport scanning? Is there a convenient way to securely scan passports remotely? Our CSO, Mike Engle, joins our CMO, Michael Cichon, to answer these questions and more in their recent vlog.

 

 

Michael Cichon:

This is Michael Cichon, the Chief Marketing Officer at 1Kosmos. We’re here today with Mike Engle, our Chief Strategy Officer to discuss passport scanning. Welcome to the vlog, Michael.

 

Mike Engle:

Thank you. Lovely to be here. I think this is my third time.

 

Michael Cichon:

So passport scanning. I have a little personal experience here, but let’s just start off at the basics. Why are we talking about passport scanning? What is it?

 

Mike Engle:

Well, there’s only a couple ways for you to prove who you are in the real world, in the physical world. The most common are your state or country issued license. And then of course, there’s your federally or country level issued document, like a passport. And so when it’s time for us to prove who we are, those are the most common that are used out there. So we’ll talk a little bit today about the mechanics of that.

 

Michael Cichon:

All right. So I get that. We all are familiar with passports, but why do we have to scan them?

 

Mike Engle:

Well, similar to when you walk up to a police officer or a TSA agent at an airport, you have to give them a credential. They inspect it and they match your face. Well, this now is happening in a digital channel, but the challenge is you’re doing it over potentially thousands of miles. So the only way to get the data from this and to a trusted referee or a system is by extracting the data from the document that you’re trying to interact with. And we call that document verification, or DocV is sometimes an acronym that’s used.

 

Michael Cichon:

Okay. All right. Great. So what are the issues here? I kind of have a little bit of experience with this, Mike. I recently was traveling internationally with my kids. The airline, major airline, gave me an opportunity to check in advance. So 24 hours before flight, I was just giving the opportunity to check in, and they asked me to scan my passport. It did not go well.

I tried my passport, it wouldn’t scan. I got different messages, different points in time that it did scan. It didn’t scan, tried both of my kids’ passports, which were brand new. Those didn’t work. So this idea of scanning passports isn’t new, but a little bit problematic, at least from my experience.

 

Mike Engle:

Yeah, no. It’s very difficult when not done right, and even when you do it right, there’s still challenges with all the environmental factors that can go on. But I know exactly what you’re talking about. I had tried it with one of the big three USA airlines. I had seven people ready to check in for a flight the next day, and we’re all sitting at dinner and we’re like, “Let’s do online check in.” App pops up and says, “Scan your passport.” And we tried 15 minutes while waiting for dessert to scan, and it did not happen. We didn’t get one successful scan.

 

Michael Cichon:

And so you like me, you got stuck in the long lines at the airport the next day checking in. So how do you solve this?

 

Mike Engle:

Yeah, so there’s a couple of ways. First is a better user experience. So what was happening when you were doing it and it was failing is the lighting wasn’t right. You were holding it too close, too far away, or maybe your camera wasn’t enough quality, probably not because you’re a iPhone rockstar kind of guy, but they should have given you some feedback. So when it goes 10, 20 seconds, something should pop up and say, “Listen, it’s a little, there’s too much glare.” So that simple two way user feedback is not happening in a lot of the applications.

Second is many organizations only rely on the camera when they’re scanning, and there’s a better way you can actually read the little chip inside of the passport. So most passports today support the same type of chip that’s in your credit card, which that goes really well when you tap your credit card to the little terminal, it’s pretty reliable. Your Apple Pay, same concept.

So it’s really just adoption of the latest technologies and being able to use all of the tools at your disposal that make it go very well.

 

Michael Cichon:

Okay. So what are some of the issues? One issue, maybe for me, is my passport is a few years old. When I took the photo, I had kind of a partial beard. I looked a little bit different, maybe a little bit younger. Is that an issue or what are some of the issues? You mentioned lighting. Yes, I was trying a variety of angles. I was holding it up, I was putting it down on the table. But if you can just summarize the issues here with the passport, why is it so difficult?

 

Mike Engle:

So part of the challenge is if I’m looking at my passport here, I’ve got a photo this big, right? It’s hard to get that photo. And plus it has lines going through it and security water marks to get that and match it to my face, which now you have this big with lots of features. And so that match from little to this larger is hard to do and do right with a high level of confidence. So that’s one of the challenges.

The technology you were using with the airline did not even give you the opportunity to scan the chip. So the way passport chip scanning works is you need to grab a couple of fields from the passport. So this is numbers, there’s birthdays, there’s passport numbers. Those numbers are what’s used to unlock the passport chip. So it’s really a two step process.

What most vendors should be doing when they scan a passport is just grab the little amount that they need. Don’t even look at the photo, that’s where it goes wrong, but grab the two numbers that they need and then ask the user to simply hold the phone up to the passport, unlock it, and now they have all the data that they need to present to you. And that data is cryptographically signed. It gives you a high res photo.

So even though it’s a couple years old, it’s very high quality and now you can match it with the user’s face in a much more reliable way.

 

Michael Cichon:

So when you just said hold it up to the phone and unlock it, what’s unlocking it? Is it the near frequency? What’s unlocking it?

 

Mike Engle:

Yeah. The chip inside of all the ICAO, that’s the issuing authority, I-C-A-O, the chip here is protected with a simple password. So if you walk up to somebody’s passport and try reading it, you can’t. Unless you open it up to the first page and grab the two fields that you would need and then put that into the reading process.

So it’s a little bit of a screen door to allow you to read it. So then once you do that, it’s just like tapping your phone or credit card to a reader.

 

Michael Cichon:

Got it.

 

Mike Engle:

It takes a few seconds, It takes five, six seconds to get all the data off and then you’re done. And it’s a much more enjoyable experience.

 

Michael Cichon:

So this process utilizing the chip and the few fields of data sounded like it overcomes some of the scanning issues I was having. Is that what we’re doing at one 1Kosmos here?

 

Mike Engle:

It is, Yeah. So the idea is, and we’ll roll a video of it here in just a minute and show you how it works, is you do take a picture of the front, you ask the user to present that with their camera. And of course, if you do that part right with proper privacy disclosures and you don’t store any of the user’s data, you stay out of a lot of trouble, which we do.

So you grab the fields temporarily and then you simply ask the user to hold the passport up to the phone, to the back of the phone where the reader is, and you have to guide them through it. You show them a little cartoon of how to do it. And again, five, six seconds later you’ll see, “Okay, I’m reading, I’m reading, it’s done.”

And then you’re matching it to the user’s live selfie, final step in the process. And you’ve just onboarded an incredibly high, highly accurate, and what we call high level of assurance, factor for proving who you are remotely.

 

Michael Cichon:

And again, these passports last for 10 years. Some of us age in the process, our appearance change, we lose weight, gain weight. Does the facial matching work?

 

Mike Engle:

It works great. Yeah. So that, because it’s a one to one match, if I take your face and any one of your photos from the past 30 years, frankly, today’s technology does a really good job of matching that. Because it’s going by the structures and mathematics of your face. It doesn’t care if you have some hair that you’ve grown or you’re bald now or you’re not, you put on weight, loss weight, So it’s really good.

And try this yourself. Go to Google Photos, upload your 100,000 photos and it’s going to pull your baby pictures out of a lineup. It’s pretty amazing.

 

Michael Cichon:

That’s pretty cool.

 

Mike Engle:

See, when you’re going one to one, it’s highly accurate. If you go one to millions, that’s where you get into all kinds of problems in the industry. That is probably for a topic of another vlog someday.

 

Michael Cichon:

Got you. Okay. Are you going to show us something?

 

Mike Engle:

Yeah, so I’m going to pull this up here. And all right, so what you’re seeing is the 1Kosmos application, of course, we brand this for our customers in their own branding, or they take these pieces and put them into their existing app. Lots of ways to do it.

You’ll see four green check marks. I’ve already enrolled a bunch of other factors. My driver’s license is already in there, my live selfie’s in there. We’re not going to show you that today for the sake of time. This little plus sign on the second line is for my passport to be scanned. So you’ll see me pressing the passport button, given some instructions, the front of the passport is scanned, and now it asks me to hold it up to the passport and read the chip.

And you can see that takes about six or seven seconds, validates the data, make sure the face matches, and if I’ve enrolled the driver’s license, it’ll even check to make sure that all the data matches between the documents and all the faces match and it’s done. So that whole process, of course, that was me doing it. My data was blurred out and I’m really good at it. So I can do it in about 15 or 20 seconds. It would take you about a minute, which isn’t bad, right? Far better than standing in a long line or trying to do it some other old fashioned way.

 

Michael Cichon:

Yeah. Well, if you can spare me from that long line again, I appreciate it. So you, you’re doing the matching, but we’re also doing, is that triangulation what you just described with the validation?

 

Mike Engle:

The triangulation happens between multiple, what we call, sources of truth. So if you present a driver’s license and a passport, there’s photos in both of those documents and your live face is a third photo. So they all have to match. That’s one form of triangulation. And then the first name, last name have to match on both documents. The dates of birth would have to match. Passport doesn’t have an address, so you don’t match that.

So yeah, we do triangulation across a dozen different sources depending on what you’re trying to accomplish. And it really makes it so that one plus one equals three in those scenarios.

 

Michael Cichon:

That’s awesome. Well, it sounds like a much more modern approach, you’ve modern modernized the user experience. So I’m glad to hear that. Anything to add before we wrap?

 

Mike Engle:

No, just today we have to manually scan our passports. The passport community is working really hard to have these go fully digital. So there’s something called DTC, Digital Travel Credential. We’re on level one where there’s a chip inside of it. It’s going to get to the point where your digital version comes first, and then you get it backed up with the paper. The industry’s heading in the right direction, and we’re going to see getting easier and easier for us to prove who we are remotely and keep the bad guys out.

 

Michael Cichon:

That’s amazing. We talked about the airline use model. Just real quickly, briefly, what are the other use cases here? When else would you want to do this scanning?

 

Mike Engle:

It’s really unlimited when you need that level of assurance. So getting a new job, you have to present multiple forms of identity in the US, the I-9 purpose, for example. So why not scan and do it remotely? Privacy preserving, prevent emailing photos of a passport, which is a security nightmare. So that’s one. And then of course, the financial industry needs high levels of assurance for regulatory reasons, anti-terrorism and that type of thing. So that’s a very common use case as well.

 

Michael Cichon:

That’s awesome. All right. Well very good, Michael. Appreciate your time today. Thank you very much. Keep doing the good work.

 

Mike Engle:

Happy to be here. Talk to you soon. Have a good weekend.

 

Michael Cichon:

Thank you.

 

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More
Meet the Author

Mike Engle

Co-Founder and CSO

Mike is a proven information technology executive, company builder, and entrepreneur. He is an expert in information security, business development, authentication, biometric authentication, and product design/development. His career includes the head of information security at Lehman Brothers and co-founder of Bastille Networks.