National identity documents have been around for more than a century. From a simple piece of paper with a glued photograph to a polycarbonate card embedding electronics, identity cards have concentrated the best technologies so citizens, businesses, and governments can put their trust in them every day.
While mobile identity solutions are becoming increasingly popular all over the world, they are but a companion to the physical identity cards that are still being issued. Physical credentials remain indeed necessary in those instances where identity proofing has to be performed in an offline environment (areas with little to no coverage). Above all, they are the most inclusive form of identification, as not everybody owns a smartphone.
Crucially, national identity cards have become the bridge between the physical world and the digital world, by including an electronic component that contains the citizen’s digital identity to give them secure access to online government services as well as private services.
As such, modern identity cards are expected to be reliable, durable, secure and well-designed while maintaining a cost-effective approach:
- Reliable, so they can be used anywhere, at any time, by anyone
- Durable, to allow repeated use and storage in the most stringent conditions
- Secure, so they can be trusted
- Well-designed, to represent best the country that issues them
- Cost-effective, to reduce the budget pressures of governments
First, we make general recommendations to select and combine security features. Secondly, we give some insights on the selection of the right communication interface. Then, we present some of the key features of a modern identity card, recommended in order to match accurately the most common needs and demands of issuing authorities mentioned above. Namely, we emphasis on the role the polycarbonate structure plays, along with the card design and the personalisation.
General recommendations to select security features
To start with, any government should demand an identity card with all the basic security features recommended by ICAO. In its Doc 9303 on Machine Readable Travel Document, the organization lists all the security features that need to be on a travel document, categorizing them as “basic” or “additional” features. The Doc 9303 also covers ID-1 documents (ie. cards) thanks to its Part 5.
General recommendations to select security features can apply to all types of secure document, from national identity cards to ePassports and visas. In order to make an optimal selection and combination of security features, it is recommended to focus on the real benefit they provide; they shall be cost-effective, with a good benefit/cost ratio, in order to increase the value for money of the project. As a result, a given government should have only some additional security features (ICAO Doc 9303) with a focus on level 1 features (controllable with human senses) instead of levels 2 or 3 features (covert/forensic, controlled with tools).
Generally speaking, the number of level 2 and level 3 security features should be limited to less than 10% approximately of the overall number of security features. Indeed, they are used mainly during second line controls, in case of a doubt. Most of the security features should be controllable with human senses (level 1) and should have a high resistance to attacks. They should also be easy to understand and quick to control, so can be effectively controlled on the field.
The security features that can be quickly controlled with human sense and/or thanks to automated checks with standard equipment (readers with visible / UV / IR lights) should be used as a priority. Conversely, any feature requiring special equipment to verify should be avoided. For example, a very specific tagged ink could be controlled by very few people in the field only (such a feature is better adapted for protection of branded commercial goods like tobacco or pharmaceuticals).
Finally, selecting the right security features also comes through selecting the right manufacturer. Choosing a trusted, long-established partner with an extensive experience in identity and solid industrial capacities, is essential to the success of the project. Certifications such as ISO 14298 (aka Intergraf), ISO 9001, ISO 14001, ISO 45001 and ISO 27001 are tokens of a manufacturer’s commitment to applying strict processes in terms of quality, security, management of information systems, and environmental systems. Governments looking for a manufacturer to help them in the issuance of a new identity card would be well advised to require those certifications, as they speak to the overall reliability of a potential new partner.
- Prioritize easy-to-control security features
- Avoid security features requiring specific equipment
- Choose a manufacturer with the right certifications, experience, and capacity
On selecting the right communication interface
Identity cards have long been used for identification, but this is not their sole purpose anymore. In recent years, governments have sought to add new use cases to physical credentials in order to give citizens an easier access to services (both in person and online). This was made possible by technological advances and the inclusion of an electronic chip inside the document.
Several national electronic identity cards are using a contactless interface. Contactless cards are used in several ID applications, one example is for travel authorization. The chip contains biographic data that follow ICAO Doc 9303 recommendations for international operability (first name, last name, gender, date of birth, nationality, card number, expiry date, …). Citizens with such an identity card, called Travel ID, can use it to travel inside a community of countries, as they would a passport. It is often legislation that imposes the issuance of a Travel ID. For instance, it is the case in the Economic Community of West African States (ECOWAS), or in the European Union.
As government identity documents are increasingly sophisticated and they support an always wider variety of use cases, there is an increasing need to include support of contact interface in addition to the contactless interface. This is named dual interface. All transactions are transiting through a single chip that is connected to those two interfaces, so the citizen can address his everyday needs with the interface that fits the most his habits.
Dual interface cards provide by far the best flexibility and interoperability on existing applications. Not only can dual interface cards communicate in contact and contactless mode, but data can also be shared between applications, according to the security rules set up at the design stage. Dual interface cards combine the best of both worlds as they can make use of both contact and contactless infrastructures while ensuring consistency as they contain only one set of data.
An identity card with a dual interface can also be used to derive a Mobile ID into the citizen’s smartphone. Thanks to the certificates included in the chip, the creation of the Mobile ID is both easy and secure, and can be performed in several ways. One example is Monaco, where the citizen uses their smartphone as an NFC reader and enters the card’s PIN code to digitally store the data inside the device. After this step is done, the user can access the digital companion (digital copy of the identity card) for offline proof of identity. The Mobile ID can then be used as a means of authentication to access government services and private services online.
Dual interface cards allow governments and citizens alike to benefit from the security brought by smart cards associated with the flexibility of contact or contactless communications.
As such a crucial part of the identity card, the electronic component should be selected with great care and its durability should be optimum. Avoiding the physical connection between the antenna and the module containing the chip, thanks to a technology such as inductive coupling, brings the guarantee that the card will retain its full abilities during its whole lifetime (usually 10 years). Around a billion electronic platforms with inductive coupling technology are in circulation around the world, both the identity sector and the banking sector, where testing conditions are particularly stringent.
- Dual interface for a wide range of use cases
- Use a dual interface card to easily create a Mobile ID
- Inductive coupling for enhanced durability
On the chip choice
The recent sanitary crisis illustrated the need to connect through the network to complete administrative procedures. Also, border crossing is widely accelerated with the use of eGates that support electronic documents. The citizens need to prove who they are and what they are entitled to do based on electronic documents. How can you trust someone on the Internet if they are using login / passwords that are available on the dark net for a few pennies? In addition to what they know, the user must bring a trusted object in order to multiply the authentication means and prove they are the person they pretend to be.
Smart cards chips are an all-in-one piece that carries highly secure silicon and software joint together to prevent from any leakage, even the trickiest ones. They are the most secured elements that are designed and deployed today for automated or online authentication. In addition to carrying them in their pocket, the chip holds internal logics that help to add authentication means like biometry or Personal Identification Number (a.k.a. PIN code).
- A Doc 9303 compliant application is designed to cross borders rapidly and securely so the citizen can enjoy a drink or a meal before theirflight.
- A PKI-based application stores certificates that are issued by the State for online authentication and signature purposes, for tax declaration for instance.
- A Match On Card (MOC) application stores face or finger templates in the chip and matches any external template in the chip making the operation very quick, convenient and confidential.
Common Criteria (CC) certification is the world-class leading security scheme that proves that the chip will be resistant for at least ten years to the more invasive attacks. IN Groupe recommends to integrate in the card a recently CC certified product and also to lead every two years a security assessment of the chip to guarantee it is still free of vulnerabilities.
- Use a recent chip for your card
- Select a chip with Common Criteria certification to prevent from security vulnerabilities
- Assess chip security every two years
Polycarbonate: the best choice for identity cards
Identity documents shall answer to two main constraints: first resisting over time and use, second resisting to security attacks (eg. forgery attempts). Polycarbonate is the perfect answer to both these needs. It has a strong mechanical and thermal resistance and allows the personalisation of data in the core of the card and the integration of modern security features that resist to both counterfeiting and alteration attacks.
A polycarbonate card is in fact made of several polycarbonate layers of different thicknesses fused together during a step called lamination. During this step, heat and pressure are applied to merge the sheets together, without needing any glue or adhesive (unlike other substrates such as PVC, PET or Teslin).
After this, it is practically impossible to tear them apart, or doing so will irreversibly damage the layers and make them unusable. Having a perfectly symmetrical card structure is recommended, as it increases durability. Polycarbonate cards are also highly resistant to external damage caused by the environment. It can be stored in the most stringent conditions (both in cold or hot climates, and dry or humid environments) and in the most unlikely places (even in a shoe, when the bearer does not have pockets).
It is important to note that the polycarbonate used in the production of an identity card is specially treated; it should have no bleaching agents in order to remain completely UV dull. That means the polycarbonate will not react when lit by a UV lamp, so that the UV fluorescent inks can be perfectly visible. The same technique is used for banknotes.
An effective way to prevent attacks by delamination is to have a transparent area on the card. By letting the light pass through, they link both faces of the card. Any attempt to tear the card apart will leave evidence on the transparent area (it will turn opaque, offset printing will not be aligned, etc.). Having a transparent area on the borders of the card will make it that much harder for fraudsters to attack. It can also be laser personalised with the bearer’s data (for example, the date of birth in micro-text) to increase security. The secure background should be continuous between the opaque part of the card and the transparent area. A strong visual element astride the two parts helps in checking the card has not been split up.
Furthermore, polycarbonate gives access to a whole range of security features embedded at the lamination stage. These lamination features make authentication easier and help better detect forgery attempts (typically, the addition of a transparent overlay with a fake portrait image). Any polycarbonate card should have some tactile embossing (guilloches and micro-texts, over the portrait if possible), a mat/shiny effect, and a strong tactile feature on the side of the card, to enable a quick check with the finger. Transparent borders will enhance these features.
Thank to polycarbonate, we can also embed a transparent DOVID (Diffractive Optically Variable Identification Device) in the structure itself. This feature, positioned over the portrait area, is an effective protection against photo substitution and alteration. In order to make controls easier and quicker, it is strongly recommended to embed a strong level 1 security feature in the DOVID, as it often is the first checked security feature on an identity card. This could be a sharp and obvious colour permutation combined with a 3D (relief) optical effect or a movement difficult to reproduce. The latest generation DOVIDs are now composed of several holographic elements of different shapes scattered on the portrait area, instead of just a round patch. This allows the protection of biographic data as well as the portrait area, and gives opens the way to new possibilities in terms of design.
- Use UV dull polycarbonate with a symmetrical structure
- Add complexity with a complex transparent area
- Opt for an embedded DOVID with strong level 1 feature
The art of secure document conception
Only designers with a real expertise in secure document conception can bring an identity card to life. All the visual features have to work together to create a cohesive and secure document. Because a national identity card is often an object of pride, the artwork should be carefully selected to truly reflect a country’s identity. Co-conception workshops are an ideal way to work together with the manufacturer towards the conception of creative and aesthetic designs integrating the agreed-upon security features and state symbols. It is also important to renew the design every few years (between 5 and 10) in order to stay ahead of fraud.
As one of the most sensitive data on the credential, the portrait should be protected by the security printing. The construction of the card should allow the personalised layer to be beneath the offset printed layer, so that the security printing appears on top of the personalisation. Forgery attempts by scraping the card would then destroy the security printing. Guilloches printed in offset, both in visible and UV inks are a subtle way to bring this protection without compromising the legibility of the portrait.
Good designs integrate seamlessly a wide variety of security features, helping them work together without being counterproductive. Great designs do so while staying easy to check. A few ways exist to help control authority decide on the authenticity on the document. For example, having a continuous line helps check the rainbow printing (both under normal light and under UV light). Another easy trick is to align perfectly the visible and the invisible designs, so that the authentication feels more intuitive. This is called a registered design. In the example on the right, the ridge of the mountain is visible under normal light and in UV. It is also part of the rainbow printing, to give controllers a continuous line to follow and see where the two colours blend together.
- Make a design that represents your country
- Use guilloches (visible & invisible) on top of the portrait to protect it
- Make a design that is easy to check
Last but not least: identity card personalisation
The goal of an identity card is to store personal information that can help identify a person with certainty. The certainty one has in identifying someone else derives from the security of the credential itself. This means the personal information has to be stored securely in the card. Polycarbonate helps issuers reach this goal. As we have seen, the construction of the card itself, in many polycarbonate layers, makes it possible to personalise directly inside the card using laser engraving technology. Several features such as the security printing, the lamination features, and the DOVID will thus protect the data.
To identify a person with certainty, one must be able to match the portrait on the card with its holder. To this extent, it is important the portrait remains visible; the security features protecting it should not compromise its legibility. The portrait should also be big enough to allow a detailed personalisation, it should have a high resolution and an appropriate level of contrast. The quality of the portrait image as an input, and the personalisation technology (software and hardware) are crucial to reach the best output in terms of security and controllability. Even if personalisation is not in the project scope, choosing a card manufacturer that has experience in operating personalisation centers can be a good idea to ensure the personalisation constraints are carefully taken into consideration as soon as the design stage.
For additional security, it can be useful to repeat the key data. For example, the date of expiry or the document number are easily repeatable in a Multiple Lens Image (MLI), some textual data can be laser engraved in micro-text on the card, and an additional portrait image can be laser engraved in a lighter shade (called ghost image). The card structure should also be compatible with laser engraved tactile personalisation, a very cost effective security feature. All of this combined makes forgery attempts harder, as fraudsters have to alter several data at different locations, using different technologies.
- Choose a manufacturer with experience in setting up personalisation centres
- Repeat the key data and use a large portrait in high resolution
- Have tactile laser engraving