Verifying identities online is becoming more complex as tampering methods advance, which is why NFC technologies are crucial in the next chapter of KYC security. This post explores some concepts around NFC and how Trust Swiftly has adapted our solution to meet multiple business requirements. Trust Swiftly has integrated the latest and most secure authentication method for passports and eIDs. ePassports have been around for a while, but thanks to newer devices such as iPhones and Android phones, many consumers can now scan their ID documents with NFC. An official estimate from 2012 by the US State Government (ePassports and Biometrics) put the number of ePassports at around half a billion. Since then, the numbers have grown significantly, with over 140 countries issuing ePassports, raising the circulation to over 1.25 billion in 2025. This increase has tipped the scale into mass adoption, making NFC another tool for KYC. However, it is still a fraction of the total world population, and passports and compatible devices are skewed towards specific demographics. Before using NFC, it is critical to have backup methods, as we have seen plenty of downsides to the solution, so it is no silver bullet.
Using our integration with the Passportreader.app, users can now be verified with enhanced security. The integration allows for quick NFC scanning using the reliable Iris ID application, which can even skip the step of downloading an app by using App Clips. The NFC chip in passports and some IDs is cryptographically resistant to many attacks and allows businesses to obtain data from a document that was signed by a government and has not been tampered with. For example, a US passport chip contains the same selfie image and name as the printed document, and both can be decoded from the data sent via NFC. Using NFC is critical if you want extra assurance about identity, as the skills required to tamper with it are significantly higher than those needed for a simple Photoshop job or a fake driver's license. The process has two steps: first, the scan of the MRZ (machine readable zone), which then allows access to scanning via NFC due to the security of the chip.
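Why the MRZ scan has to come first is easiest to see in code. The following is an added example, not code from Trust Swiftly or Passportreader.app: it assumes the chip uses ICAO Doc 9303 Basic Access Control (a mechanism this post does not name), validates the MRZ check digits, and derives the chip access keys from the document number, date of birth and expiry date. The sample line is the fictional "UTO" specimen from the ICAO worked example.

```python
import hashlib

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated across the field

def _value(ch):
    """Numeric value of one MRZ character: 0-9, A-Z -> 10-35, filler '<' -> 0."""
    if ch.isdigit():
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"illegal MRZ character: {ch!r}")

def check_digit(field):
    return sum(_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def mrz_information(td3_line2):
    """Return doc number, birth date and expiry date with their check digits.

    Raises ValueError on an OCR misread, which is the usual reason the chip
    later refuses access and the user has to rescan.
    """
    if len(td3_line2) != 44:
        raise ValueError("TD3 (passport) MRZ line 2 must be 44 characters")
    parts = []
    for start, end in ((0, 9), (13, 19), (21, 27)):
        field, digit = td3_line2[start:end], td3_line2[end]
        if not digit.isdigit() or check_digit(field) != int(digit):
            raise ValueError(f"check digit mismatch in field {field!r}")
        parts.append(field + digit)
    return "".join(parts)

def _odd_parity(key):
    """Set the low bit of each byte so every byte has odd parity (DES keys)."""
    return bytes((b & 0xFE) | ((bin(b >> 1).count("1") + 1) % 2) for b in key)

def derive_bac_keys(td3_line2):
    """Return (K_seed, K_enc, K_mac) as defined for Basic Access Control."""
    info = mrz_information(td3_line2).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    def kdf(counter):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(digest[:16])
    return k_seed, kdf(1), kdf(2)

# ICAO 9303 specimen MRZ line 2 (fictional issuing state "UTO"), not a real document
SPECIMEN = "L898902C<3UTO6908061F9406236ZE184226B<<<<<14"

if __name__ == "__main__":
    for name, key in zip(("K_seed", "K_enc", "K_mac"), derive_bac_keys(SPECIMEN)):
        print(name, key.hex().upper())
```

The keys depend only on data printed on the page, so a successful chip read shows the data page was seen, not that the chip contents are genuine; that is the job of passive authentication.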
Diving into some security measures and workarounds is necessary to understand potential gaps. Regarding the trustworthiness of this verification method, it is not foolproof. That said, multiple security measures exist through active and passive passport authentication (High Level Guidance on DTC). Organizations like ICAO are already researching quantum-proof signatures and digital passports, so there are plans to prevent complex fraud in the future. A recent Global Entry trip in the US even allowed travelers to use their faces to enter the country without taking out any passports. Digital passports are likely still a long way off, and because of the 10-year life of a passport, supporting physical ones is the future we will face. For now, however, there are a few bypasses to look out for with ePassports, which you should be aware of when accepting one as an identity document. First, you should ensure passive authentication is done on the NFC chip to confirm that an official government signed the data. ICAO has a master list, and Trust Swiftly helps facilitate the process of verifying authenticity. Governments use their certificate to sign and secure passport information; while not all share their public key, you can find multiple sources to validate the data.
When a government or contractor produces the physical passport, they embed the NFC data within the document. A public key certificate is shared worldwide with different organizations so companies can quickly check the data. However, some countries are not secure with their private keys, and we do not know which ones have been compromised. The security of this private key is all that protects the passive authentication measures, and even active authentication, which prevents duplicate passport cloning, is limited. Countries like the US do not even support active cloning detection. Therefore, threat actors have multiple ways to eventually access a restricted private key and then start issuing their own data. Many countries outsource the production process, too, so there are even more points of compromise. Fortunately, this is such a high-security case that those with access to these methods do not share them widely or publicize them, as the value would diminish. Little can be done once a private key has been compromised, since passport authentication is offline for KYC businesses. Reissuing passports is possible, as the private keys used to sign them are siloed to batches of passports, so the issue can be contained. Real-time passport number verification is only allowed for governmental agencies in the US. Governments will eventually have to release an API to make it easier for businesses to validate data in real time. Another missing data point is home addresses, as ePassports typically only show the country of citizenship. Another workaround for NFC checks is simply stealing the document or requesting a new one from the government by using fake information and having it mailed to a drop address. Passports are extremely expensive, and on the dark market, they are listed for thousands of dollars. Some vendors will sell passports on Telegram and forums, but their quality varies significantly in bypass ability. Cheaper, expired ones that still work are also sometimes found on eBay.
A stolen or cloned passport won't get through US border control, as it will be instantly flagged in a centrally connected system that stays current on the latest valid documents. However, that document has little trouble getting through many non-government systems that lack extensive facial comparison checks. In these cases, it is critical to run facial recognition between the photo from the passport data and a live selfie taken on a non-compromised device. There are also NFC cloners, but most of them work for NFC payments and not for ePassports.
While there are a few security flaws, the real issues revolve around usability. We extensively reviewed customer complaints online and found many on Reddit, LinkedIn, YouTube, and the Apple and Google app stores related to incomplete NFC scanning processes. Based on the stats and reviews, up to 20% of users are unable to succeed on their first attempt. Many users then must retry and try various techniques, hoping the chip can be scanned. Unfortunately, scanning an NFC chip is challenging for some to complete. Looking at many major vendors, you will find frustrated consumers trying to resolve it by removing a case or placing their phones in different areas on the ID. It is a multi-step process that non-tech-savvy people have difficulty completing. LinkedIn had so many complaints in the US that they quietly replaced the process from Persona to CLEAR last year. This makes education and guides very important, as there are multiple drop-off points during the process and workarounds to get a correct scan. Even a person following all the instructions may still not succeed, as the NFC chip is sensitive to how it is accessed and requires a steady read of the data.
Next, many users complain about its privacy component. They are not used to sharing their passport data with other companies, since they typically only share it when traveling. A driver's license is different, as it is shared constantly, but a passport is not an identity document that people carry every day. However, these issues should not deter adoption, as NFC authentication is one of the most potent levels of authentication. There is a reason NIST puts it in the superior tier of documents, and it should continue to be one of the most secure ways to verify a person. As discussed, understanding the issues that may arise and having workarounds is essential to adding NFC checks into any identity verification workflow. If you want to learn more about NFC and integrate a comprehensive approach to verifying IDs, please get in touch with us to implement the most robust KYC solution.