In recent years, identity document issuance solutions have undergone significant advances, incorporating a wave of new technologies that enable photo identity documents to be more secure and more durable. Although on the surface most solutions appear to offer similar capabilities, closer inspection reveals that they vary in terms of the performance they deliver, particularly with regards to security and durability. In this article, Nick Nugent describes how the science of security can help an identity document achieve a lifetime performance. In a future issue the science of durability will be discussed.

So what are the key criteria that define the overall performance of the identity document and the system that issues it? An excellent place to begin is to consider the QSDC properties: the Quality, Security, Durability and Cost of the document. These properties are critically important whatever the intended use of the identity document, whether it is a national ID card or a passport, or a second tier document such as an employee badge or health card, and it is worth defining them here.

QSDC properties
Quality
A high‑quality document will be consistent in appearance and closely match all other identity documents issued in the same programme. It will look and feel authentic and
make the bearer and the issuer proud.
Security
The security of a document is a measure of how well the document resists deliberate attack, typically counterfeiting or alteration, and additionally how clearly any attack is seen to have taken place.
Durability
The durability of a document defines its resistance to change during its life.
Cost
The cost of a document is the cost for production, including hardware, materials, labour, administration, storage and shipping.

These key performance characteristics are inter-connected, and limited budgets put pressure on decisions regarding priorities, trade‑offs and compromises.

Lifetime performance: The Six Steps
The security and durability elements of an identity document need to be designed and built to last. Unlike Quality and Cost – whose performance is largely known on the day the issuance system goes live – Security and Durability need to perform in an uncontrolled and potentially hostile environment, day after day, for many years. So how can science help the document achieve a lifetime performance?
Science can be defined as “the systematic knowledge of the physical or material world gained through observation and experimentation”. Essentially, as applied to identity documents, the knowledge and expertise gained through multiple implementations, hundreds of test programmes and thousands of component combinations can be reapplied in the form of best practices. These can be summarised as the Six Steps to Success (see Figure 1).

• Step 1: Seek expert knowledge
Countless forms of identity documents have been designed and issued over the last 150 years and many lessons have been learned along the way.
In the last decade, the technology revolution has harnessed holographic ultrathin films, modified substrates (for example laser markable poly-carbonate), high‑resolution personalisation engines, high‑speed issuance systems, contactless integrated circuits (CICs), biometrics and Public Key Infra-structure (PKI). These technologies have added significant benefit, but also huge complexity, to the overall solution. As well as seeking the assistance of external industry experts, it is extremely valuable to hold dialogue with internal stakeholders who are best placed to understand any risks and vulnerabilities – security and durability – of the existing documents.

• Step 2: Identify the threats
Fraudulent attack of identity can be by means of document attack (simulation or alteration) or process attack (when someone applies for an identity document under a false identity or when a ‘lookalike’ uses a stolen identity document). A useful summary of threats is shown in the Threat Tree in Figure 2, with document attack shown in red and process attack in blue. Awareness of the particular security threats faced by existing documents is important in the design of cost‑effective security into the next generation.
Threats to the durability of a document are many and varied. In addition to the wear and tear of harsh environments that an identity document might encounter in ‘normal use’, misuse and accidental damage may also befall identity documents.

• Step 3: Design the defences
When designing protective elements into the document it is necessary to consider security and durability together, and not each in isolation, as the selection of technology to deliver one characteristic will likely impact the other. For example, a document that needs to last ten years will lead the designer towards long‑life components which may restrict available personalisation technologies and thus compatible security features. Similarly, a desire to include certain security features may also require particular materials or engineering which could impact durability.
The key to a secure identity document is to utilise layered defences against the identified threats. These security features – be they electronic or physical – need to work in unison. They should allow easy, quick and confident verification of a genuine document, and it should be straightforward to train authorities who will need to verify the document. To get all features working together can be challenging, as the technologies used may come from several different vendors, whose components need coordinating into a fully optimised system.
Durability design involves the selection of substrates, personalisation and laminates to meet the ID card’s required longevity in the environments in which it will be stored, carried and used. Understanding and utilising the latest developments in chemistry and construction will help a document to perform throughout its required validity period, without compromise to quality, security or cost. ISO/IEC standard 24789 promotes dialogue between issuer and vendors to agree on an appropriate durability specification for the document.

• Step 4: Set the requirements
Once security and durability threats are known and technology options are understood, informed dialogue can then be used to set performance specifications. It is difficult to rank the performance of security features and there can be many opinions on the matter. It is useful to specify the number and type of security features needed to defend against the identified threats. 
Durability is a little easier to specify than security, but is still a complex task with many stakeholders and numerous variables. There are over 20 commonly used standardised durability tests for identity documents and many more obscure ones. ISO/IEC 24789 provides many useful test specifications and helps the document designer understand and set durability requirements.

• Step 5: Test the solution
As stated earlier, identity documents are becoming increasingly complex, as are the systems that produce them. With so many separate components from multiple vendors, and in an ever‑evolving, innovative industry, it is likely that untried and untested combinations of components will come together in the finished design. However familiar these constituents, it is still critical that the combination is tested prior to the system going live. This involves producing examples of documents – using components as close as possible to the actual ones – then personalising and testing against the durability and security requirements set previously. Such testing should also confirm that throughput and quality requirements are being met.

• Step 6: Issue and monitor
The time and effort spent on the previous steps will have increased the likelihood of the new generation of identity documents fulfilling all requirements highlighted in the QSDC methodology, not just Security and Durability. It is recommended that, as the programme is rolled out and volumes increase, performance is closely monitored and stakeholders are approached to give feedback regarding all aspects of the new system and the new document.

figure 1
The Six Steps to Success.

The Six Steps are applied to defend the identity document against fraudulent attack, starting with an assessment of security threats and defences.

Security threats
Criminals are imaginative and resourceful. They rarely use the genuine process or actual job materials when counterfeiting an identity document and instead simulate the outcome. Experience has shown that different types of attack can trend and may show regional variation. Once criminals discover a vulnerability, they will exploit it relentlessly until it is defended, when their focus will then shift to a different weakness, or even a different document. The internet is a valuable tool for criminals to share information on design flaws, as well as on the techniques and sources of materials and equipment used in fraud. The illicit use of this instantaneous and global communications network reinforces the need to identify threats and fix weaknesses before they happen. 

The threats are summarised in the Threat Tree in Figure 2. The diagram illustrates how a holistic design of layered defences is required for effective protection. It should be noted that not all features are strong against all threats, and need to be selected to work together to block all forms of criminal attack. Equally as important as protecting against simulation and alteration the security feature needs to be easy to verify. 

figure 2
The Threat Tree.

Security defences
So, what technologies are available to a secure identity document designer, and which should be used? First, let us consider the five different ‘layers’ in which the security features can be placed:
1. Substrate: various polymers are used, depending upon durability and personalisation needs.
2. Security preprint : utilises similar printing methods and inks as used on banknotes.
3. Personalisation: the technology used to apply the portrait(s) and variable biodata.
4. Laminate: provides durability protection and, if tamper evident and/or holographic, significant additional security.
5. Chip: provides opportunity for yet more layers of electronic security, including PKI and biometric matching against the bearer and/or a database.

Each of these layers is vulnerable and needs defending. Modern substrates are frequently specified with embedded DOVIDs (Diffractive Optically Variable Image Devices), lenticular lens structures and, more recently, windows. Traditional anti‑counterfeit features for identity documents have been incorporated most heavily into the security print and laminate layers. Specialised security printing presses apply inks with unusual characteristics in tight registration onto the substrate or laminate, to provide a multitude of banknote‑like security print features. In addition, thin film holographic laminates and overlays contain a multitude of optical features that defeat commercial equipment and enable confident verification.

figure 3 ID document layers.

Many of these features provide excellent anti‑counterfeit protection to the identity document by challenging criminal simulation or reproduction of the document from scratch. However, we must be mindful of the additional threat posed by alteration of the data within the identity document. This is partly addressed by anti‑tamper laminates that tear or stretch when attempts are made to lift them, and further defended against by additional anti‑tamper features.

STOP features
The strongest anti‑tamper features are applied using variable data during personalisation which are unique to the cardholder, and are from the category Security at Time Of Personalization™, or ‘STOP’ features. Security added during the personalisation process is particularly powerful as it: 

1. Inhibits tampering
The variable data are difficult to alter when they are locked inside security features. For example, the portrait can be personalised in multiple forms – such as UV fluorescent or visible ‘ghost’ photos and digitally stored on the chip – thereby challenging fraudulent photo substitution.

2. Resists mass attack
Personalisation data are variable and are different on every document, so the criminal needs digital processes to reproduce fake documents in high volume.

3. Reduces the value of stolen components
In addition to these components, specialist engineering and know‑how are required to produce the personalisation features of the genuine document.

 
4. Strengthens verification
Strong personalisation security features encourage inspection by field officers and can improve the confidence of the verification process.

 

Traditional examples of STOP features include the  secondary ‘ghost’ portrait, variable UV‑fluorescence, lens effects such as Changeable Laser Image (CLI) and Multiple Laser Image (MLI), data hidden within the portrait and revealed by a decoding lens or magnifier, tactile and micropersonalised text, and various perforation features. Newer STOP features include extreme tactile markings laser ablation of foil and print, novel pigments applied from ribbon systems and various window features. These innovative new variable data features further utilise personalisation technology and better address the need for real‑world verification.

Tactile features
It is well known that police and other examiners of identity documents rarely have ideal conditions for verification. Viewing a driving licence in the dark, in the rain, at the side of the road, is difficult. For this reason tactile features are very popular as they can begin to be verified by touch, quickly and in poor lighting. Tactile features added during personalisation give additional protection, as theft of substrate or laminate does not enable the criminal to make a complete counterfeit. Laser personalisation provides a means of adding such tactile security features and, like all STOP features, laser tactile marking provides defence against counterfeiting and alteration, as well as being readily verifiable. New developments in the laser marking of specialised substrates have recently enabled more extreme tactile features, which are more difficult to compromise and easier to verify. Another technique for adding a readily verified tactile feature is by the use of an impression tool during personalisation. The tool creates an impression on the card substrate, using specialised engineering and a unique die. The die design is faithfully reproduced in the surface of the card, producing a unique tactile effect (see Figure 4).

figure 4.
tactile impression

This differs from the embossing, indenting or laser tactile technology available today. Furthermore, when used with a patch laminate, the impression feature improves the identity document’s tamper resistance by the deliberate introduction of small areas of weakness in the area of impression, and further challenges the criminal to accurately replace any pieces of laminate, even if they could remove it. 

An alternative tactile feature, with similar strengths to the impresser, is secure indent. This feature is available on high‑throughput Central Issuance systems and utilises alphanumeric characters which strike the card surface during personalisation. This modifies the substrate and improves tamper evidence. Again this overt and tactile feature is verified by sight and touch, and is variable as 78 different standard characters exist, with custom design characters also available.

Secure laminate
We have seen how identity document designers are utilising new features delivered at personalisation. The pace of secure laminate development has not slowed either. Designers of holographic security have come to realise that complexity is not the answer to simulation. Instead, simple design, confident verification, and the use of multiple origination technologies are critical characteristics of new strong holographic defences. It is not just holographic technology which has evolved over recent years; the chemistry and material science used in the production and adhesion of these sophisticated multilayer structures have also advanced to improve quality, security, durability and cost.
 Not all identity documents are equally valuable or equally threatened. A level of threat requires an appropriate level of defence, and the laminate or overlay should neither be vulnerable nor over‑engineered and costly. It is important for an issuer to be able to select a solution from a broad portfolio of tiered offerings. A secure laminate vendor will typically offer holographic designs that are either generic or customised, and registered or non-registered, with the option to include sophisticated premium security elements.

For example a high‑security solution will be a customised design, probably registered, contain a mix of features designed to defeat re‑originated counterfeits and be verifiable at several levels (by eye, by magnification and by specialist device). It may also have additional security added in the form of print, for example colour‑shift or UV‑fluorescent inks. 
Serialisation, where every laminate or overlay has a unique number associated with it, is now an option. Component theft can be a problem, and can aid the criminal to construct a counterfeit or improve the appearance of an altered document. Just as numbering the individual substrate pieces helps keep track of them, so the use of serialised laminates significantly reduces the threat of loss within the identity document manufacturing process, and provides an additional security feature at verification.

Control of components
A detailed analysis of the importance of securing the manufacturing, issuance and shipping environments is beyond the scope of this paper, however reference to the Threat Tree in Figure 2 indicates that stolen components are one way by which a criminal may create counterfeits or supplement alterations. The effective control of all components is therefore an integral part of the defence of the document.

Summary
When designing a secure identity document there is much to consider. By breaking down the design process into steps it is possible to follow well‑proven best practices and minimise the risk that the document will be compromised. Some of the more important best practices are as follows:

• Consult stakeholders and assess threats.
• Understand security requirements.
• Consider defence of all five ‘layers’ and think holistically.
• Personalised security features are especially effective.
• Tactile features offer quick and easy verification.
• Keep the design simple and combine origination technologies if required.
• Restrict access to components and equipment.
• Remember that criminals tend to simulate the outcome, not the process.

In a future issue, this article will conclude with a look at the science of durability.