For anyone involved in the production of a high-security identification document the risk of the programme is a constant concern. Will the document look good and hold up after years of use? How can it be made affordable? Can it be made easy to verify yet resistant to deliberate criminal attack? In this article, Nick Nugent delivers a new framework for considering and evaluating key trade-offs in selecting and designing a secure identification programme. This framework articulates a step-by-step process for determining the right mix of Quality, Security, Durability and Cost (QSDCTM) to manage that risk.
Quality, Security, Durability and Cost (QSDCTM) are the cornerstones of any successful ID programme. These criteria have trade-offs and compromises, and the relative value of each must be considered when designing the most appropriate ID, whether a driving licence, national ID, passport or other. This article defines critical elements of ID programmes, identifies real-world challenges and provides the reader with the knowledge necessary to overcome these challenges and use proven best practices to minimise the risk to any ID programme.
A high-quality document will be consistent in appearance and closely match all other documents issued in the same ID programme. The security features – in particular, the primary portrait – will be crisp and clearly defined to allow easy authentication. Machine readable features such as chips, optically readable characters (OCR) and barcodes, will read consistently and accurately. Laminates will have the necessary optical clarity. Overall, a high-quality identity document will look and feel like one.
The security of an ID is a measure of how well it resists deliberate attack. Document attack is either by simulation to produce a counterfeit, or by tamper in an attempt to alter the information within the ID. The security of the document depends upon the measure of difficulty to simulate or tamper with it, and also upon the ease with which the genuine document may be verified as being genuine.
The durability of an ID defines its resistance to change. A document is exposed to a variety of environmental hazards during its life, such as light, flex and extremes of temperature and humidity. It may also be subjected to deliberate misuse, such as using a card for something other than intended – for example scraping ice off a windshield – or accidental attack, such as the laundry. An ID with high durability will survive the required validity period without significant visual change, and without compromise to its performance.
The cost of the document refers to the production costs. These will include the fixed and variable costs associated with enrolment, manufacture, personalisation, issuance, shipping, and the many administrative functions necessary to manage and secure these functions.
The elements of QSDC are under constant threat. For an ID to function and survive in the real world, it must be threat-resistant – achieved by careful design with QSDC in mind. Materials, components, features, hardware, software, processes, procedures and training must all play a part in delivering an ID document that successfully meets the performance challenges
It is important to appreciate that QSDC are not simply just linked together, they are inextricably entwined around each other. Any change in the performance of one criterion will have a ripple effect on others. Each of these cornerstones will be examined in turn, with considerations regarding how to effectively produce and manage the right mix.
Quality: Meeting the challenges
A high-security ID is usually a national, or even international, document. Its quality reflects the quality of the issuing authority and the holder ought to be proud of it. However, the quality of an ID is also linked to its performance; its security and durability.
- Poor quality leads to variations between documents, thus reducing security
The essence of security printing is the mass production of identical documents. Quality, or more specifically in this case, consistency, must persist throughout the entire process of ID document production. In particular, manufacturing and personalisation processes must ensure consistent ‘close match output’, so that all genuine documents look sufficiently similar to make a counterfeiter’s task more difficult.
- Unreadable machine readable features, such as a chip or OCR, make documents vulnerable
Although biometrics is a good example of a secure ID technology, chip-based security can be expensive and there are always cost pressures. Chip security can also be a false economy, potentially jeopardising the security of the document if there are insufficient physical security features backing it up, should it fail. If the chip is the only security feature associated with the ID, and it doesn’t function, then the examiner has to make a ‘judgment call’ rather than a more informed decision of authenticity.
- Low quality components erode security
The majority of security features on an ID document are not machine readable. These ‘human readable’ defences function best when they are clear and unambiguous, and this can be jeopardised by low-quality components. Verification doubts can arise if overlays are hazy, polycarbonate does not engrave cleanly or if optically variable devices such as holograms are blurred and ill-defined.
- Low quality components or equipment could reduce durability performance
A decision to select components of low quality is unlikely to be made consciously; however, lower quality may very well be a consequence of cost cutting. Not all vendors offer the same quality of substrates, inks, overlays, holograms, etc., and equipment performance can also vary. The result may be an ID that begins its life looking fresh and new, but all too quickly succumbs to the durability challenges of the real-life ID.
Achieving the necessary quality
To achieve the necessary quality requires consideration of design, QC processes, calibration and maintenance. In particular, material components and system hardware should not be selected independently of each other. The quality of the issued ID is likely to be highest if the materials and system have been supplied as a package: matched, designed and tested together to ensure optimised output (figure 2).
Security: Layered defences
Layered security and the use of multiple security features (overt, covert and forensic) is a fundamental principle when designing an ID programme.
• Security features
Criminals attack IDs in many ways, broadly described as either simulation or alteration. Because attacks are many and various, no single security feature is capable of defending against them all. Instead, a layered network of security features should be incorporated into the ID. Typically the features are categorised as shown in figure 3.
The strongest security features:
– encourage inspection by giving the examiner something interesting to look at and look for;
– allow quick and confident decisions on authenticity;
– are unambiguous and intuitive;
– do not need a tool or device;
– utilise the variable biodata;
– cannot be effectively simulated using commercial materials/equipment;
– are tamper-evident.
It is an advantage if the genuine security feature has been created using materials and equipment that are not commonly available. However, this does not guarantee strong security, as the criminal is ingenious and might use relatively low-tech methods and materials to copy features or effects that have been created using complex, high-tech and expensive processes.For example, the counterfeiting of a security hologram might be done using a different hologram removed from a different document, so long as the colours and effects are similar. Or, the simulation of basic laser engraving might be achieved with black digital print, rather than a laser. Complex optically variable effects have even been simulated using furniture polish or cosmetic make-up easily purchased in beauty supply stores.
• Security at time of personalisation
An ID is formed of many components and assembled in many stages. For comprehensive security, the features should be designed to occur throughout the document (figure 4).
Watermarked paper or holographic laminate may be very difficult to counterfeit, but can also be stolen. By arranging security features throughout the document, theft of any particular component is of less value to the criminal. This is particularly true for features created during personalisation.
By bringing together, during personalisation, the elements necessary to create the feature, it becomes more challenging for the criminal to recreate or acquire it, and thus security is improved (figure 5). Personalisation data, restricted materials, unique engineering and process secrets can all combine in very strong synergy to make the task of counterfeiting significantly more difficult. Modular hardware enables such features to be incorporated.
Security at Time of Personalisation features have the added advantage of also defending against data alteration. Certain personalisation technologies further enhance tamper-resistance by penetrating the substrate: inkjet permeating into passport paper and laser engraving of suitable polymers are examples of personalised data being held beneath the surface of the card or passport page (figure 6).
• Beware the ‘silver bullet’
The industry has many vendors that describe their technology or feature as being the only defence necessary to provide total security to an ID. Experience has found that this is never the case. The dangers of reliance on any single feature are clearly illustrated when considering the strengths and weakness of the smart chip.
Much excellent work has been done in the last 10 years by ICAO, the Smart Card Alliance Association and others to ensure that the development of electronic ID security remains at least one step ahead of the criminal. Although there are many reported cases of hacking of chips within electronic IDs, most of these stories do not stand up to scrutiny and many turn out to be a media hype. However, even the chip does not represent a ‘silver bullet’. Readers cannot always be relied upon and are not always available. Chips and readers malfunction, and may be deliberately disabled. Even electricity can be intermittent.
Unfortunately, there are several examples of governments reducing the budget for physical security features in order to afford the smart chip and the system infrastructure to read it. When a citizen arrives at a border with a passport and the chip does not function, the immigration officer must scrutinise the physical security features. But what if these features have been downgraded in order to pay for the chip and those that remain are less reliable?
• Design and training
Holistic design of the ID document is a critical part of successful, cost-effective security. Consider a successful sports team, where the coach gets the most out of the players by getting them to play as a team and not as a group of individuals. A feature designed in isolation may have its effect suppressed by other features or components in the document, or may be duplicating other defences and thus contribute a low return on investment. For example, security laminates may contain optical effects that are weakened by the underlying print design, or an anti-scanner feature such as optically variable ink (OVI®) may duplicate the anti-scanner properties of an integrated holographic device. The challenge is to coordinate many different designers, often working in several different vendors’ studios, to ensure a team approach is achieved.
Training is also essential. The best security features in the world are of no value if the examining individual lacks the skills necessary for accurate verification
Durability in the real world
The concept of ‘normal use’ for an ID document is open to interpretation. It is normal that a passport may be used to travel across borders, and also to open a bank account. However, what if the passport is sat on for 150 days a year by a busy business traveller, accidentally passes through a washing machine, or falls in a puddle of oil? And what is normal use for an ID card – to be carried around in a pocket with keys and coins and inserted daily into a reader, to be worn as a badge in bright sunshine for 200 days per year or to be kept in a drawer at home and rarely, if ever, taken into the outside world?
The point is that an ID needs to be designed to resist all the environments that it might reasonably encounter. Laboratory testing of specific performance criteria – such as flex, bend, delamination, abrasion, solvent attack, lightfastness and humidity – can ensure that certain durability standards have been met (figure 8).
These standards have evolved over many years, and continue to do so. There are many that are used to provide guidance in the setting of durability performance, among which Identification cards-Card Service Life, Part 1: Application Profiles, ISO 24789-1 and ISO 24789-2. For other standards.
The release of the new ISO 24789-Card Service Life standards will enable governments to more closely specify an application profile that fits their unique situation. Previous test standards have not allowed for specific use case analysis in developing a set of recommended test protocols. Developing unique profiles will ensure that tests are more relevant to measure customer durability requirements.
It is important to remember that results of laboratory tests may provide important insight into the likely performance of an ID. However, it is up to each issuer to set pass/fail criteria for these tests. Also the real world is a more complicated place than a laboratory, and the durability challenges faced by documents are not able to be precisely reproduced in a lab setting, where accelerated testing and extrapolation must be used to predict performance over many years. In short, there is no substitute for experience in the use of particular materials, construction methods and personalisation technologies in order to minimise the risk of an ID failing in normal use.
In an ideal world, quality, security and durability would be maximised and implemented without consideration for cost. In reality of course, budgets are limited and there are constraints. A government department must fight for the funds to deliver the best possible system to its population, and the citizen must be offered the document at an affordable price. This is especially true for mandatory ID card systems, where citizens must, by law, have been issued a card for which they will be expected to pay. With over one quarter of the world’s population living in poverty on less than $2 per day, there will often be a gap between the cost of the document and the ability to pay.
Although the challenges of finite budgets are all too apparent, the risks of making a difficult situation worse by cutting costs in the wrong areas are less obvious. Saving money on design or security features is usually a false economy; poorly designed or weakly protected documents may suffer mass fraud, thus requiring expensive re-design and even a new issuance programme. The use of poor quality components such as substrates, inks and chips shortens document life and again may end up costing even more money than doing it right in the first place. The risk of the ‘silver bullet’ single feature has already been highlighted.
The most important factor in implementing a programme within budget is to learn from other people’s mistakes. The use of tried and tested best practices helps minimise the chance of unexpected overspend. Considering best practices in the early stages of a secure identification project and overlaying these recommendations with the unique needs of the individual project enables compliance with local, regional, and international standards. In addition, best practices realise higher security, obtain greater efficiency and reduce risk.
Sources of best practices include other governments, experienced organisations and vendors, and, importantly, documentation from industry groups such as ICAO, the American Association of Motor Vehicle Administrators (AAMVA), the Asia-Pacific Economic Cooperation (APEC), GlobalPlatform and the Smart Card Alliance Association. Understanding the lessons learned in other projects allows for early consideration and identification of key topics ranging from issuing organisation structure and project management consideration, to end-user concerns, to supply chain optimisation and security, and even specific technology recommendations.
QSDC are critical aspects of a successful ID programme. When selecting the provider(s) of an ID solution, it is essential to understand the trade-offs presented in the QSDC framework to help reduce the risks associated with issuing secure identity documents.
There are many solution providers that have the necessary experience to deliver secure ID programmes to government organisations. The most successful providers utilise best practices and offer a broad portfolio of integrated solutions (hardware, software, supplies and service) that work together to enable government organisations to find the right balance and the right mix of QSDC for their secure ID programme (figure 9).