May 3, 2018

Most ePassports and similar documents implement a cloning detection security mechanism that allows you to see if a scanned ePassport has the original or a copied chip. There are actually two security mechanisms for cloning detection: Active Authentication and Chip Authentication. More details on the working and differences can be found in a previous blog post on an overview of how cloning detection works.

We often get questions about which identity document implements what cloning detection mechanisms. In this blog post we share what we’ve learned over the years.

First it is important to understand countries have different types of chipped identity documents. A country will typically have different typed of chipped documents (e.g., ePassports and ID cards), and different generations of each type in circulation at one point in time. If and if so what cloning detection mechanisms is implemented can differ per generation. For example, until recently the UK passports did not have cloning detection, but the new UK passport (since Dec 2015) fortunately does have it. We thus cannot state if passports from a certain country support cloning detection or not, as this also depends on the generation of document.

The below map shows for different countries what percentage of document we saw in our logging with cloning detection (Active Authentication and/or Chip Authentication).

Countries that are gray, we have no or too little information on, e.g., because they do not have ePassports or we did not have access to their country certificates when we did our logging.

As the map shows, cloning detection is pretty common. Three notable exceptions are

  • United States – who appear not to have cloning detection at all
  • France – with very few documents with cloning detection (5% in our logging dataset), but this could also be caused by French passports not adhering to the Chip Authentication standard (we think)
  • United Kingdom – with only 22% cloning detection in our dataset, but this likely will increase quickly as we already mentioned above the newer passports do have cloning detection

The below maps show how popular Active Authentication and Chip Authentication are in our dataset. They show that Chip Authentication is used more often than Active Authentication, and that quite some countries have both.

How did we plot the above maps?
We of course do not have all generations ID documents from all countries in the world in our lab to test, we therefore use our logging information from the past year to assess if ID documents in a specific country support cloning detection. To filter out some of the noise, we only plotted countries for which we had at least 25 log entries that passed passive authentication successfully. For example, countries we do not had country certificates for are not displayed in the above map. To avoid confusion, the above does not indicate penetration of chipped ID documents in a country, that would be a very different blog post. The map above is provided as best effort, i.e., we did our best but cannot guarantee that is complete correct. Especially since we collect this type of statistics anonymously, we cannot remove duplicates or there can be errors or manipulations in our logging we cannot detect. If you spot a mistake, we appreciate it if you let us know via readid@innovalor.nl.