Digital disruption continues to reinvent our expectations on how we transact and interact with the world around us. In our increasingly digital world we reasonably expect that the travel systems we encounter or engage in will ‘auto-magically’ adapt or immediately sync to the device we are already holding in our hands – mainly our smart phones. We know the drivers for transformation, such as changing behaviours and expectations of travellers, and growing global passenger volumes, but the absence of consistency in the international deployment of digital representations of travel documents in response to these drivers has limited the opportunities to harmonise and build a global approach to traveller facilitation.
Through a framework provided by the International Civil Aviation Organization (ICAO), civil aviation actors could work with common tools towards an internationally recognised digital travel credential or DTC that could be used in emerging traveller facilitation and data exchange schemes in order to increase throughput capacity at controlled checkpoints.
In June 2016 the ICAO New Technologies Working Group (NTWG) established a specialised Sub-Group and tasked the International Organization for Standardization (ISO) with standardising travel credentials that would be issued or applied in a purely digital format, such as on smart devices or servers. Such a DTC could temporarily or permanently substitute a conventional passport by a digital representation of the traveller’s identity. A DTC therefore has to provide functionality and security features that are at the very least comparable to those of a current e‑Passport.
The e-Passport as a gold standard
It is estimated that to date approximately 139 countries have issued more than 1 billion e‑Passports. The growing number of e‑Passports presents many opportunities for key actors in the travel system, including enhanced facilitation for travellers and improved security for border management.
The time is right for a shift in thinking about digital authentication and how we share information to validate identity. One particular advantage of the e‑Passport that has the potential to revolutionise the way travellers are processed is the digitisation of the traveller’s biographic and biometric data stored in an integrated circuit or a chip embedded in the document. The chip data have already generated many benefits, including the verification of the passport bearer’s identity through facial recognition and providing authorities with the tools to authenticate the travel document.
In creating a DTC, the e‑Passport must be used as the benchmark; it offers a secure, portable, verifiable and unclonable token. Any DTC created must match this offering, while maintaining a balance between security, interoperability and facilitation.
In achieving this balance, there are a number of key attributes that must be maintained. The DTC should:
- be able to be authenticated by verifying entities;
- include means to protect against cloning;
- be capable of accepting and storing pertinent holder and/or travel data;
- protect the privacy of the user; and
- have verification processes as least as secure as those that apply to e‑Passports.
Using existing data
There are a lot of opportunities in this concept to make use of the data that are already contained in the e‑Passport. There is great potential to significantly improve passenger flows by allowing travellers to provide their data in advance of travel and engage in more self-service. Additionally, a DTC could allow airports and airlines to link additional data such as boarding passes, and aviation stakeholders could obtain the passenger’s data in advance to support biometric matching through controlled checkpoints, to contribute to biometric boarding and to assist in improving pre-arrival security and/or risk assessment. To support these functions, wide acceptability of the credential, globally-interoperable features, and an issuer’s ability to control the credential would be paramount.
Passport or data file?
We think of a passport as a booklet; a universally recognisable document first standardised almost 100 years ago by the League of Nations. The challenge here is to consider the passport not as a book to hold and examine, but as a data file to authenticate. For example, a DTC stored on a smart device, such as a mobile phone, would not need to be a visible representation of the passport data in order to meet the requirements and serve the functions expected, but could rather be just a file consisting of the biographic and biometric details of the holder, as well as features to electronically authenticate that file. Indeed, recreating the passport on a device just for visual inspection would do little to achieve the envisaged benefits of streamlining passenger flows.
There are four basic but essential criteria needed for a DTC to generate efficiencies for aviation industry and border management authorities. DTCs must be:
- produced from a Travel Document Issuing Authority;
- capable of being provided unaltered to verifying entities in advance of the traveller’s journey or arrival;
- globally interoperable to ensure that they can be used in different environments, i.e., from domestic airports to international airports;
- adopted by the traveller. This requires creating trust in that the DTC is as or more secure than an e‑Passport, and biographic and biometric data will be handled in such a manner that the protection of the traveller’s personal data and privacy is ensured.
A DTC as a data file could function as a reliable and globally interoperable e‑identity, integrated into a platform and supplemented with additional data. The benefits here extend beyond that of the interests of the airline industry and authorities, with broad potential across commercial entities involved in a traveller’s journey, from duty-free purchases to hotel check-in all pushed from the traveller themselves.
Hybrid form factor
A number of form factors for hosting a DTC have been considered, and the preferred one is a hybrid model that would consist of a virtual component (credential) that is linked to one or more physical components (authenticators). The ICAO NTWG has tasked ISO with the development of technical specifications, proof of concept, and testing methodologies for the preferred form factor.
A hybrid travel credential is a combination of a virtual and a physical travel credential in a way that the advantages of both approaches are merged while the disadvantages are minimised. This is achieved by linking a virtual travel credential to one or more physical devices that perform additional ‘active’ authentication of the credential when required for increased security. A hybrid travel credential may be used as virtual travel credential alone where copy prevention is arranged differently and database lookup performance is no issue. In use cases where a stronger binding is required, it may additionally be verified that a linked physical token (the e‑Passport) is in possession of the traveller.
In this definition, an e‑Passport can be considered as an example of a hybrid travel credential using the logical data structure as virtual travel credential and active authentication or chip authentication implemented on the e‑Passport chip as the physical token. The virtual credential may also consist of the data stored in a remote system, for example a database or a web service, with the physical authenticator being a smart device that can be used to retrieve the data from the remote system by authenticating the holder of the physical credential to the remote system.
This is preferred as the credential is already linked to the issuer by passive authentication. The physical token allows the verifier to select the correct virtual credential, with the added benefit of this being potentially provided in advance. It also provides the verifying entity with the flexibility to decide whether the virtual credential is sufficient or the physical authenticator is additionally required.
A potential use case – Emergency Travel Documents
A digital representation of an Emergency Travel Document could be a straightforward use case for the DTC used across the traveller’s journey without the physical e‑Passport being in their possession. The New Zealand Passport Office is interested in exploring this concept as a potential means of facilitating travel for citizens who are in need of urgent travel when in a location where delivery of a standard e‑Passport is either impossible or unfeasible.
With the ability for New Zealand citizens to renew their passport online, a stranded traveller could apply for an urgent renewal via the online service enabling the Passport Office to issue a hybrid DTC: essentially a virtual credential with a linked verified physical authenticator provided remotely to a smart device in the holder’s possession. The citizen could then travel back home or to a location where the physical token, the standard e‑Passport, could be collected.
This would of course require that the DTC is acceptable for traveling (exit and entry for all crossed borders) without the physical passport in the traveller’s possession. Limitations with this potential use case extend beyond interoperability and would include the need for bilateral agreements between New Zealand and countries frequently transited en-route to New Zealand.
Other use cases – seamless travel flow
There are other use cases/traveller facilitation models and programmes being examined that would also work with the hybrid form factor. While the DTC would take a similar form (i.e. digital identity) and could be applied similarly in each model, its creation could result in different obligations for different actors in the system.
The key here is that the DTC is always derived from an existing travel document. The issuing authority creates a DTC and has the option to store the virtual component in a remote system (e.g. database, web service) or store it elsewhere (e.g. smart device). The DTC must be signed by the issuing authorities’ PKI system. The physical authenticator of the DTC may be supplied by the issuing authority or by the holder. The issuing authority should provide security and interoperability requirements for the physical authenticators.
So what does this actually mean? A traveller, on checking in either at home or at an airport kiosk, could use their e‑Passport as a physical authenticator to create a DTC. Or, in another model, a DTC could be sent to the verifying entity in advance, for example in an ESTA-like process or as API/PNR. If not sent in advance, the virtual component must be able to be read in a standardised method and in either model the verifying entity will need to use passive authentication on the virtual component. However verifying the virtual component with the e‑Passport becomes optional for the verifying entity, greatly improving the traveller flow through the airport and border journey.
Where to from here?
There is still much work to do. While ISO are working towards the development of technical specifications, proof of concept, and testing methodologies, the NTWG DTC Sub-Group continues to resolve challenges in the management of a DTC from issuance to its end-of-life. The Sub-Group also currently explores how to best use LDS2 to add additional biometrics, visa, and travel history to a DTC, and how to manage revocation of a physical authenticator other than an e‑Passport. The working group continues to work with emerging traveller facilitation schemes and use cases where the e‑Passport is used to create a digital token in order to inform and shape the technical specification and policy development.