Identity industry

May 20, 2022

The Security of IDs Volume 2:
What Travel Document RFID Chips Contain

In the second entry of our series about ID document elements and
their relation to security, we examine the role of RFID chips and the
information they can contain.

No matter where you are from, chances are that when you travel, the document you carry contains a tiny device called an RFID chip. But have you ever wondered what these RFID tags are?

The presence of that internationally-recognized symbol on the front of our travel IDs may make us feel safer, but RFID tags are still a mystery for many. When we travel, all we see is that the security personnel takes the document, inspects it visually and/or using a special device, then hands it back. But how did they know the ID was genuine? How do they see RFID data? And, more importantly, what exactly is on an RFID chip?

In this article, we take a deep dive into RFID chips to see how they work, what they contain, and how they are related to making our travels safe.

What RFID Is

To better understand the importance of RFID chips and how they can handle so much information, we need to go into some technical details first. Although the concept of RFID technology has been around since the end of World War II, radio-frequency identification (RFID) came to be in 1973 when Mario W. Cardullo patented the technology in the U.S. Since then, RFIDs have been gradually upgraded, being capable of emitting ultra-high frequency (UHF) signals.

However, the core technology remained the same. To this day, RFID tags consist of the following elements:

  • A microchip that contains information RFID readers can interpret
  • A tag antenna to send and receive signals (radio waves)
  • A substrate to hold all components together.

Regarding the types of RFID tags, there is a clear distinction between active and passive RFID tags. Whereas active RFID tags have an onboard battery and periodically transmit their ID signal, their passive counterparts use the radio energy transmitted by the RFID reader to be read. Since passive tags are smaller and cheaper to manufacture, travel documents like passports exclusively use them to store the traveler’s data.

RFID Chip anc Circuit Inside az American Passport
A passive RFID tag with additional circuits hidden inside a passport.

Speaking of data, we can also distinguish RFID tags based on how data is stored on them. In that regard, there are read-only or read/write tags. With the latter, certain or all information stored on the RFID chip can be modified, while read-only tags have the data burnt into them permanently. In the case of travel IDs, embedded RFID tags are exclusively read-only due to the sensitivity of the data they have to store.

Data Groups: The Core of RFID Chips

As with the size of travel documents and what they need to contain from a visual point of view, RFID chips and their content is also strictly regulated by Document 9303 of the International Civil Aviation Organization, or ICAO. In that regard, the ICAO determines so-called data groups (DG) that describe what they are about and whether or not they are mandatory.

There are 16 data groups in total, categorized as follows:

  • DG1: Detail(s) recorded in the MRZ
  • DG2–7: Encoded and displayed identification feature(s)
  • DG8–10: Encoded security feature(s)
  • DG11–16: Miscellaneous
Chart Showing Obligatory and Optional Data Groups Found on a Travel Document RFID Chip
A comprehensive chart showing obligatory and optional data groups featured on RFID chips for passports and standardized travel IDs.

Let’s take a closer look at these data groups to see what they consist of and how they are related to travel ID security.

DG1: MRZ Data

We already talked in detail about what MRZ is and its content in the previous article of our series. For newcomers, however, let us provide a quick recap: MRZ, or machine-readable zone, is a specific zone in passports and other travel IDs that contain the visually available information of the document in a machine-readable format.

The same is reflected in DG1 of travel document RFID chips, containing the following vital information:

  • The document’s type
  • The issuing state/organization
  • The holder’s name, nationality, date of birth, and sex
  • The document’s number, check digit, expiry/validity date
  • A composite check digit
  • A check digit for the date of birth and/or expiry/validity
  • Optional data with respective check digits.

It’s worth adding that although it’s the issuing state or manufacturer that decides what a travel document must include, the content of DG1 inside an RFID chip, even down to the data format, is strictly regulated and must feature everything listed above. The reason for that is the data featured in the MRZ and DG1 of the RFID tag must coincide with each other. This guarantees that information on the MRZ and the chip can be verified when the travel document comes in the read range of an ID scanner.

Serbian Passport With RFID Tag and MRZ Data Emphasized
MRZ data has to be the same on the document and the RFID chip.

DG2 – DG7: Encoded and Displayed Identifiers

In terms of the ID document security industry, an encoded identifier is present on the RFID chip to further strengthen the overall security of the ID. It’s one thing that encoded identifiers are in such a format that they can only be decoded by special devices like RFID tag readers or ID scanners. The biggest strength of encoded identifiers is that they are applied to the most unique features to be found on people: the face, the fingerprints, and the eyes.

For this reason, DG2, a must to be featured on all travel document RFID tags, is populated by data related to the document holder’s facial likeness, such as the presence of glasses and mustache, the color of their hair, and many more. DG3 and DG4 are for storing unique identifier data about fingerprints and irises, respectively.

However, unlike facial encoding, having DG3 and DG4 is entirely optional for travel document issuers. This is why, for instance, in the EU and EFTA states, a fingerprint is required to be featured on the chip, while the United States only requires storing the traveler’s encoded and displayed portrait on the RFID tags.

The rules for displayed identifiers are a bit simpler: DG5 on the chip is reserved for the displayed portrait, and DG7 is for the signature or usual mark. Both of these have to be exactly the same as their visual inspection zone (VIZ) counterparts. DG6 is usually left empty and is reserved for future use to be decided by the issuer.

Fingerprint and Facial Scan for RFID Tags
While fingerprint data (left) is a must only in certain countries/regions, the facial image (right)
is an obligatory element in all travel ID RFID tags.

DG8 – DG10: Encoded Security Features

These data groups, which are almost never used due to them being fully optional, are reserved for the authentication of security features that make a travel document unique and resistant to fraud. What can be confirmed with these data groups are as follows:

  • DG8: data feature(s), how the data is handled regarding, i.e, appearance, on the document
  • DG9: structural feature(s), as in how data is structured within the document
  • DG10: substance feature(s), which is used for confirming the materials and (security) elements used for creating a specific travel ID.

DG11 – DG16: Miscellaneous RFID Data

As we mentioned before, the only data groups that have to be featured in a travel document are DG1 and DG2-MRZ and facial encoding. This means that featuring anything beyond DG4, but especially DG11, is entirely up to the issuer. However, since miscellaneous information may be included in RFID tags, it’s best to give them a nod here as well.

  • DG11: additional personal details, including the document holder’s name in full length written in national Unicode characters, their other name(s), personal number, address, phone number(s), or even more personal data such as profession, title, and a summary
  • DG12: additional document details, such as the issuing authority, the date of issue, other person(s) included in the MRZ, tax/exit requirements, and the front and rear image of the MRZ
  • DG13: issuer country-specific data
  • DG14: security options
  • DG15: active authentication public key info
  • DG16: person(s) to notify with their name and contact details.

The Importance of Data Groups in ID Security

With each passing year, passport security gets better. The introduction of standardization regarding VIZ and MRZ data was already a significant step towards creating fraud-resistant travel documents, but the addition of RFID tags to these IDs further decreased the chances of them being copied or modified by criminals.

These chips are mostly read-only. Readers specified in extracting information from RFID chips and visualizing it can reveal whether the document has been tampered with. With the necessary licenses from each country—telling ID validators what data groups are filled in—ID scanners like Osmond can perform the verification in no time.

It’s worth noting, though, that the presence of an RFID chip and at least DG1 and DG2 doesn’t guarantee perfect safety for travel documents. Visual elements can be modified, and even RFID tags can fall victim to sophisticated forms of tampering, such as chip cloning. However, RFID chip manufacturers and travel ID issuers are prepared for this, which is why there are additional security elements added to RFID tags. This is the topic of our next article in the series.