In 2013 and 2014 we published two articles in this Journal on current aspects in machine authentication of security documents. Since then, the results presented have been digested and utilised for two international standardisation activities: the ‘Best Practice Guidelines on Optical Machine Authentication’, accepted recently as Technical Report by ICAO, and the Technical Guideline ‘TR-03135 – Machine Authentication of MRTDs for Public Sector Applications’. In this article we first dwell on the evolution of the Technical Report, and illustrate its content by prominent examples. Secondly we discuss the practical international impact of the Technical Guideline TR-03135 providing a standardised XML scheme for logging detailed optical machine authentication results in line with the aforementioned Best Practice Guidelines.
The use of automated systems inspecting machine readable travel documents (MRTDs) according to ICAO Doc9303, such as automated border control gates, has been increasing over the past decade. However, the strong demand to improve the overall performance, especially utilising optical/physical security features, remains. In two previous articles we reported on the results of our research projects into the topic of machine authentication of security documents.  We also pinpointed the most significant holistic deficit responsible for this imperfect situation: the lack of communication between document designers and authentication system manufacturers. As a consequence, on the one hand optical security features are often designed without having the authentication systems’ capabilities in mind, and on the other hand authentication systems are trained without the involvement of document design experts. To improve this situation we therefore followed our own recommendations proposed in the first of those articles:
- A methodology was developed to investigate the performance of inspection systems.
- This methodology was successfully deployed in FRONTEX IDCheck activities.
- The gained insight was utilised to push international standardisation in order to assist future developments:
The ‘Best Practice Guidelines on Optical Machine Authentication’ were initiated by the ICAO New Technologies Working Group (NTWG), and meanwhile accepted as Technical Report by the ICAO Technical Advisory Group on the Traveller Identification Programme (TAG/TRIP) in April 2018.
The Technical Guideline ‘TR-03135 – Machine Authentication of MRTDs for Public Sector Applications’ (hereafter BSI TR-03135) was published by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) and co-authored by the German Federal Police and Bundeskriminalamt.
What happened since 2014?
In 2014 we showed – based on real fraud cases – that machine authentication systems at that time did not reliably detect counterfeit documents. As this deficit revealed that the development of a suitable test methodology was required in order to systematically assess the performance of document inspection systems, the research project IDEAL was initiated addressing the following issues:
- the performance of commercial document inspection systems;
- the definition of our own inspection processes to analyse and optimise the performance of commercial systems;
- the generalisation of successful strategies for machine authentication and their potential for standardisation;
- independence of hardware and software of commercial document inspection systems.
For reasons of reproducibility the approach consisted of feeding inspection systems with real specimen documents and corresponding self-made reproductions in order to test their performance. In the course of the project several key components for successful machine authentication were identified: the MRTD itself, the reader hardware, the software, the authentication database, and combinations thereof.
The findings were very heterogeneous and showed a broad spectrum of performance. They also showed that our laboratory testing process was somewhat artificial and thus suboptimal. This led to the follow-up project ‘Applied Research on Optical Machine Authentication’ – in short: AROMA. The first goal is to assess the performance of inspection systems under real-life conditions by transferring the test field to Frankfurt Airport. The second aim is to compile a guideline for the evaluation of inspection systems describing several evaluation methods – IDEAL and the first AROMA goal being two of them.
Besides the research work, the above described laboratory methodology has already been successfully utilised to assist decision-making in the field of procurement processes in official tenders (such as for e-Gates for the German border authorities) and private sector applications (secure identification inside a nationwide network of retail outlets).
In Figure 1 the relationship between the research and standardisation activities is illustrated. In the former project IDEAL the main outcome with respect to standardisation was to define Generic Check Routines and Unique Model Identifiers to allow for the development of a detailed vendor-independent logging of inspection process results. This led directly to upgrading BSI TR-03135 from version 1.2 to version 2.0 in November 2014. At the same time as the subsequent project AROMA was initiated, the findings of the first research activities were compiled to a first draft of the ‘Best Practice Guidelines on Optical Machine Authentication’ (BPG), part 1. These BPG were introduced as a discussion paper to ICAO NTWG in 2015.
After several years of intense discussion, numerous amendments and comments, the BPG were finally accepted as Technical Report by ICAO at the meeting of TAG/TRIP on 25 April 2018 (see Box 1).
Best practice guidelines on optical machine authentication
While previous work on the subject in the ICAO Technical Report ‘Machine Assisted Document Security Verification’ discussed general inspection possibilities of security features of MRTDs, the BPG focus especially on full-page readers with their limited imagery scope in order to provide specific recommendations for all key components involved in the inspection process.
Whereas BSI TR-03135 describes the electronic aspects of (e-)MRTDs, the BPG focus on the optical part of the authentication of MRTDs only. Furthermore, the BPG do not distinguish between first, second and third-level inspection as full-page readers can be used in each of those scenarios. Altogether, mobile phone devices are (so far) not taken into consideration due to their limited optical capabilities with respect to different light sources (neither UV nor IR are available), as a result of which they are unable to meet the proposed requirements.
The BPG are meant to support practitioners in the design and development of authentication systems. However, it is important to bear in mind that the authentication system should be used to facilitate adjudication for its operator, and should not be regarded as a decision maker by itself. This is significant as for example wear and tear may lead to a false rejection of an otherwise genuine document. Additionally, some security features are exclusively designed for verification by a human operator and cannot be checked by machines.
The BPG address the key components involved in the process of automated machine authentication: recommendations are given for efficient and effective design for the document itself, for the full-page reader, for the authentication software (including its database) as well as for the reference database. These recommendations are mapped to exemplary usage scenarios in order to support the planning and operation of such systems.
The BPG firstly introduce a consistent terminology. This begins with the definition of a generic document model identifier: (ICAO 3-letter-code, type, integer counter, year of first issuance), for example: (GBR, P, 1, 2015) for the current British passport series. Properties and features are then categorised into a catalogue of generic spectrally selective check routines, such as pattern checks. An early version of this catalogue was already discussed in our 2014 publication. Following the input received from ICAO and ISO working groups we added new features such as the Card Access Number (CA), Barcode (BC), Secondary photo (SP), other additional features (AF) and additional properties including ‘FR’ for frequency-dependent appearance including so far missing entries in the existing fields (see Table 1).
Table 1: Catalogue of generic check routine identifiers. The properties are denoted as follows: AB (absorbing), TR (transparent), TL (translucent), LU (luminescent), BR (brightness) and FR (frequency-dependent). The colours refer to the categories denoted in Council Regulation (EC) No 2252/2004: Material properties (dark purple), Security printing techniques (light purple) and Personalisation techniques (grey).
In addition to human inspection, security features in travel documents should be applicable for machine authentication. Therefore, the BPG define suitable features, for example, for unambiguous identification of the document model (such as a 2D barcode, which was already recommended by Interpol as far back as in 1992) and for the verification of security features under all three light sources. Ideally, the categories Material, Security printing technique and Personalisation techniques are all covered by the verification process. Composite check routines are logical combinations of unique check routines, as previously discussed in our 2013 publication, giving the example of the passport of the Czech Republic (see Figure 3).
We do also consider the presence of potentially interfering features, such as overlapping features, or features near the upper edge and/or without any spatial confinement, as well as features for which the optical appearance depends on individual handling or on illumination geometry of inspection devices (see Figure 2).
The BPG also contain recommendations for full-page readers, as the quality of images not only depends on functional requirements but also on practical issues. Functional requirements are, for example, a stable illumination with proper wavelength spectra, a minimum resolution, and standard image formats resulting in homogenous and glare-free images for all areas of a document. Handling issues are also addressed, for example to allow for single-handed operation and to provide interactive user guidance through a live video stream.
With regard to the software of the inspection systems we propose to perform a mandatory minimum number of spectrally selective checks: (IR, AB, MR) and (UV, BR, FU). If the document model can be identified, the ‘complementary’ checks (IR, TR, ZZ) and (UV, LU, ZZ) should also be mandatory, with ZZ being any one of the features of the matrix.
Document features that are behaving differently under exposure to different light sources, do help to considerably reduce the success probability of counterfeiters. For machine authentication, the BPG require the software to employ these features during the inspection. The example in Figure 3, a so-called ‘IR-split’, is therefore checkable by the composite routines (IR, TR, IS) ° (VI, AB, IS), as well as by (IR, TR, IS) ° (IR, AB, IS).
Another recommendation addresses variable (personalised) patterns, such as the primary and secondary facial image: (VI, AB, PH) ° (UV, LU, SP), as can be seen in the example of the Estonian passport in Figure 4. Furthermore, redundant check routines on multiple positions or multiple colours (for example for UV overprint) are suggested.
ID cards pose a novel challenge for machine authentication as they become increasingly popular: here, the BPG propose to check personal data across both sides during inspection.
Although reference or expert databases are not directly part of authentication systems, they can nevertheless be used as complementary information sources if the authenticity of a certain document cannot be clearly determined by machine inspection. For such cases, reference databases support the operator with detailed information on the document model, such as high-quality images of features, textual explanations, and information on common counterfeits (usually aimed for second-line/back-office inspection). An example of an official reference database provided by the European Union is the so-called FADO system (False and Authentic Documents Online) with its publicly available counterpart PRADO (Public Register of Authentic Documents Online). The BPG also address practical implications for such databases, such as unambiguous links between the inspection system and corresponding database entries, as well as the possibility to manually select a particular dataset.
If the result of the inspection system is unexpected, it is crucial to analyse the reason for the potentially wrong decision. To facilitate this process, the BPG require logging of the information gained during the inspection in conformance with the Technical Guideline BSI-TR-03135. Furthermore, this logging enables the establishment of a permanent feedback loop allowing for several benefits:
- operational monitoring and statistics (supervising current operation);
- feedback to authorities and inspection system manufacturers (improving inspection process);
- investigative approach for inspection stability of certain security features (improving document design).
The BPG also provide recommendations to meet privacy requirements in this context.
Logging results of machine authentication using BSI TR-03135 – a success story
BSI TR-03135 was initiated in the draft version in early 2012 and formally reached version 1.0 in September of the same year, in German. The document was a collaborative effort of three German federal agencies: it was edited by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and co-authored by the German Federal Police (Bundespolizei) and the German Federal Criminal Police Office (Bundeskriminalamt, BKA). The content of this guideline is a normative description of the requirements and procedures that are required for a holistic check on modern electronic identity documents. Its focus is to determine if a given travel document is:
- authentic (i.e. genuine, originating from the governmental issuer);
- valid (for example, not expired, nor reported as lost or stolen);
- of integrity (complete and unmanipulated).
Already during the initial draft phase there was a huge resonance from manufacturers of inspection systems, which was incorporated into the guideline to a high degree. This document was set up to define and therefore harmonise the structure of inspection processes, and to subsequently log their results. This unique interoperable management and parameterisation of information allows for a systematic analysis and examination of the generated log files. For this purpose a corresponding XML scheme is provided with the guideline.
Interest by industry and governmental entities
Since the publication of the document there has been broad interest by industry and governmental entities. The second generation of German automated border control installations was procured demanding a compliance with BSI TR-03135. The FRONTEX IDCheck projects demanded logging of the generated results and recommended the format of BSI TR-03135, which was implemented by two of the provided inspection systems. A number of international tenders also referenced BSI TR-03135 as a mandatory requirement. Hence, this guideline can be considered proven in practice.
In early 2014, the work on the follow-up version began. Version 2 – written in English – also contained results and insights from BKA R&D projects as well as the experience gained from German border control logs created in conformance to the first version.
Conducting inspection processes according to BSI TR-03135 requires a number of individual steps, accounting for an array of testing sequences that are processed depending on the application. This complexity in the inspection process poses a significant challenge for software applications of inspection systems. The number of checking processes performed depends on the operational scenario. At the end of the inspection process, all individual checks are accumulated to intermediate results and additionally to an overall result for each category as a basis for the final decision.
BSI TR-03135 can be used, in particular, to optimise the process of machine-assisted document inspection, to adapt to new situations and to ensure reliability and transparency. It is the ideal basis for an effective feedback loop as mentioned above.
Summary and outlook
The discussed standardisation activities can be summarised with the words of the G7 Migration Experts Sub-Group in a publication that was recently circulated among the member countries. It summarises the answers of five countries to questionnaires sent to all G7 states and, among others, deduces the following final recommendations:
- Develop/compile best practices for MRTD inspection (usage) at the border. This includes both manual and automated border control.
- Promote and train border authorities to conduct thorough checks of e-Passport security features at ports of entry (POEs). Findings indicate that the security features of e-Passports are not fully utilised at POEs.
- Develop and routinely update a set of minimum functionalities and operational performance tests for automated document inspection systems and passport readers.
- Compile a list and routinely update interoperability/technical issues with specific country passports, other non-standard travel documents and passport inspection systems and share with passport and border officials. […] Lack of reference knowledge, as well as non-standard or unsuitable design and production of travel documents in circulation (passports and also ID cards) significantly affect the effectiveness of inspection processes and weakens confidence in the integrity of inspection systems.
- Develop an international system of document inspection standards […] the continuous development and sophistication of the physical, optical and electronic security features of travel documents currently in circulation brings significant challenges […]
The guidelines discussed so far are fully in line with these international recommendations and even provide first solutions to the raised issues. Some of these aspects, however, have not been addressed in this paper, such as the full utilisation of security features, the definition of a set of minimum functionalities and operational performance tests, as well as inspection standards and the sophistication of security features.
Even though the laboratory style method for a systematic evaluation of document inspection systems developed in IDEAL provided a first answer to one of the open issues, it deemed not applicable to all aspects of machine authentication. Hence, the need for alternative methods initiated further research activities (AROMA) on this topic. The results of this activity shall find their way into a second part of the BPG, which is currently in preparation and aims to define a set of methods and tools for the evaluation of inspection systems and document-related security features adapted to various scenarios.
First insights into AROMA and the second part of the BPG as well as the commercial impact of the recent international standardisation activities with more and more producers of security features recognising the potential and peculiarities of features designed for optical machine authentication will be discussed in a second part to this publication, ‘Future Perspectives’.
This publication is based on results of collaborative research between the German Bundeskriminalamt and the company secunet Security Networks AG. The authors would like to thank the members of the project teams of BKA in Wiesbaden and secunet in Essen as well as colleagues of the German Federal Police and the Federal Office for Information Security for their substantial support. The research work on machine authentication is ongoing and funded by the Federal Ministry of the Interior, Building and Community of the Federal Republic of Germany.
1 International Civil Aviation Organization (ICAO). Doc 9303: Machine Readable Travel Documents. Current version: seventh edition 2015.
2 Schneider, U. and Seidel, U. (2013). Current aspects in machine authentication of security documents, Part 1:
Do we need optical document security? Keesing Journal of Documents & Identity, Vol. 41, pp. 3-10.
3 Schneider, U. and Seidel, U. (2014). Current aspects in machine authentication of security documents, Part 2: Untapped potential and the need for improvement? Keesing Journal of Documents & Identity, Vol. 43, pp. 3-12.
4 Gariup, M. and Soederlind, G. (2013). Document Fraud Detection at the Border: Preliminary Observations on Human and Machine Performance. Proceedings of the 2013 European Intelligence and Security Informatics Conference (EISIC).
5 ICAO Technical Report (2018). Best Practice Guidelines for Optical Machine Authentication Part 1: Recommendations. Accepted 25 April 2018, current status is being endorsed by the internal ICAO process. For a pdf-version please contact the authors of this article for the time being.
6 Federal Office for Information Security (2017). BSI TR-03135 Machine Authentication of MRTDs for Public Sector Applications.(see also our submission).
7 International Civil Aviation Organization (ICAO) (2011). Technical Report: Machine Assisted Document Security Verification. [Accessed 30 July 2018].
8 Council of the European Union (2004). Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States. [Accessed 30 July 2018].
9 Interpol (1992). Resolution AGN/61/RES/7 Travel Documents.
10 PRADO (Public Register of Authentic Documents Online). [Accessed 30 July 2018].
11 G7 Migration Experts Sub-Group (MESG) (2017, Draft). Passport and Systematic Checks at Ports of Entry and Strategies to Combat Document Fraud among G7 Countries.