LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does Extended Access Control (EAC) protect fingerprints, and what must a reader prove?

EAC requires mutual authentication: Chip Authentication (passport checks reader) then Terminal Authentication (reader proves it holds a valid IS private key + certificate), followed by secure messaging — so only authorised, certified terminals can read fingerprints.

EAC was developed to give extra protection to highly sensitive biometric data, especially fingerprints and iris scans. The reader must authenticate with a private RSA key, the public counterpart being stored on the passport, via a challenge-response — and only authorised terminals with a valid certificate get access.

The multi-layer flow:

  1. Chip Authentication: the passport verifies the reader.
  2. Terminal Authentication: certificate check — the terminal must possess the IS (Inspection System) private key.
  3. Secure Messaging: encrypted communication.
  4. Access granted: fingerprints become readable.

Certificate infrastructure: reading fingerprints needs a special reading certificate, issued only to trusted authorities.

Tip: BAC asks "do you know the MRZ?" (a weak shared secret), whereas EAC asks "can you prove you're a government-certified terminal?" (a real PKI credential) — that's why fingerprints need EAC, not just BAC.

Go deeper:

From Quiz: PRIVACY / Device Tracking: Biometrics, RFID/NFC & E-Passports | Updated: Jul 05, 2026