The Face of Travel Today: Smart Airports, Biometrics, ePassports and Defining a Secure Identity Token
October 9, 2018
This past year, there has been a surge of activity across the travel continuum aimed at enhancing traveler facilitation and engagement while implementing stronger identity assurance and security measures. In fact, over the next three years, 77% of airports and 71% of airlines are planning major programs or R&D in biometric ID management to smooth curb-to-gate passenger flow. While Dubai has plans for a biometric tunnel, government, industry, and aviation partners have been pushing for technologies that will allow travelers to move throughout the travel continuum (booking – airport check-in – baggage drop – security screening – airport vendor services – boarding – arrival – customs – hotel check-in – return trip) without needing to present an identity document. Many of the solutions being considered in proof-of-concept demonstrations involve the use of biometrics in combination with a derivation of the traveler data from an e-passport; some of these populate and protect the resulting token within a secure container on a mobile device. The traveler simply presents the token at the start of their journey to prime the continuum with their identity and travel authorization data. After that first encounter, all subsequent identity validation processes will be satisfied through facial recognition matching of the traveler at various points. The end goal has been to establish a biometrically enabled, securely vetted, traveler-controlled identity assertion token that can facilitate traveler interactions throughout the travel continuum.
The Current Situation
All the partners see the value of such a frictionless approach. They also agree that the identity proofing and secure token generation/enrollment processes on the front end are critical to mitigating the risks that these new techniques introduce to the well-established security controls currently in place. To that end, international standards for the security controls and an interoperable data format are being developed to allow the e-passport data to be presented as a “Digital Travel Credential (DTC)”, or identity assertion token, that is derived from the authoritative data. These controls ensure that the DTC can be authenticated with the same level of assurance as the source e-passport document.
Several token enrollment/delivery models have also been reviewed, and some have been implemented in both vendor-specific technologies and other self-sovereign identity solutions. In one model, the government provides and maintains the DTC, and the traveler contacts the government whenever they are going to travel to have the DTC published to the travel continuum directly by the government. In another model, the government securely provides the traveler with the DTC when they receive their e-passport document, and the traveler then controls when the token is used and who can access the data. A third option derives the data directly from the e-passport during enrollment of the token into the travel continuum. As this may be a traveler self-service enrollment, or possibly an enrollment at an airline counter, the enrollment must incorporate the ICAO-required Passive Authentication (PA) process to ensure the authenticity of the source document, as well as its cryptographic binding to the traveler.
While the enrollment and backend processing capabilities vary, both government and industry capabilities are being deployed today to support this biometric facilitation concept. The US Department of Homeland Security (DHS) has been investing in biometric capture and assessment capabilities with its Homeland Advanced Recognition Technology (HART) suite, which includes a multi-modal biometrics database and supporting services. Identity proofing vendors across the industry have also established biometric-only facilitation capabilities that are currently being deployed both domestically and internationally. CLEAR provides a biometric alternative for security screening at airports and event facilities, while Vision-Box has implemented biometric border control and traveler facilitation (entry/exit) kiosks in several countries.
The Challenge & The Future
The challenge at hand is harmonizing these capabilities across an interoperable fabric that can leverage the standards-based DTC data format, as well as any proprietary formats being used within leading-edge deployments, and that can be incorporated into existing commercial, government, and/or public/private partnership initiatives. This fabric will ensure the interoperable delivery of the identity token across the travel continuum in support of relying party systems and programs, such as:
- CBP Entry/Exit Tracking
- European Entry–Exit System (EES)
- European Travel Information and Authorization System (ETIAS)
- SITA iBorders Border Automation
- IATA One Identity
- Trusted Traveler Programs, including NEXUS, SENTRI, Global Entry
All of these efforts would benefit from an investment in the connecting fabric that allows the individual capabilities of each to be extended and leveraged in support of biometrics-only facilitation of the traveler.
The required security controls related to the underlying identity proofing, token generation, and token transit processes have been defined. Interoperability across the travel continuum can be supported by standards-based interfaces between the entities.
The day that a traveler can show up at an airport and board a plane without providing anything other than a biometric is coming soon.