For a while, 34% of legitimate passports were issued with invalid signatures due to various mistakes during manufacturing. This made signature verification practically useless at the border as many legitimate passports would fail validation completely. I wonder if it has gotten any better since 2017.
I took a document inspection training course and cryptographic verification was never once mentioned as a tool that could be used.
The most "advanced" readers will capture the MRZ (machine readable zone) and OCR the VIZ (human readable area) and compare them.
Airlines and airports are pushing to go heavily self-serve over the next few years, so new readers can also do facial matching to your identity document to check bags or print boarding passes.
Actually cryptographic verification seems like a really niche feature because most of the time if you trust the issuer you could perform an equivalent online check. If this had been invented in 1976 or something then fine, but it was invented after a point where it's reasonable for border check points, police stations etc. to have Internet.
An online check is superior because it can be reactive. If Jim's identical twin, Sam, steals Jim's passport, Jim can phone it in and have the online system updated so that when Sam tries to fly to another country on Jim's passport that won't work - but with just cryptography we can't solve that.
Cryptography could still prevent the usage of copies of valid passports. I.e. where you have all valid names and numbers on the front, but cannot copy the passport's secret key and digital signature.
Without active authentication, you can copy the electronic data from one valid passport to a cloned document. As far as I know, AA is not widely implemented and passports have ~10 year lifespans.
Yes. Modern passports use the data in the MRZ to support a protocol called PACE, which is essentially a password based key exchange. You can look up the spec in ICAO 9303. It’s really quite well designed.
EU passports support a further level of mutual authentication in order to get the fingerprints, where the terminal is verified by the passport as well.
PACE authenticates that the reader knows the MRZ data and derives a key for communication, but (AFAIK) does not prove the passport is real or original. A cloned passport would also know the MRZ data to complete BAC/PACE.
There is a further step called Active Authentication where the reader sends the passport random data and it signs this data with a public key that can be verified as authentic.
https://www.icao.int/Meetings/TRIP-HongKong-2017/Documents/T...