How does Extended Access Control (EAC) protect fingerprints, and what must a reader prove?
EAC requires mutual authentication: Chip Authentication (passport checks reader) then Terminal Authentication (reader proves it holds a valid IS private key + certificate), followed by secure messaging — so only authorised, certified terminals can read fingerprints.
EAC was developed to give extra protection to highly sensitive biometric data, especially fingerprints and iris scans. The reader must authenticate with a private RSA key, the public counterpart being stored on the passport, via a challenge-response — and only authorised terminals with a valid certificate get access.
The multi-layer flow:
- Chip Authentication: the passport verifies the reader.
- Terminal Authentication: certificate check — the terminal must possess the IS (Inspection System) private key.
- Secure Messaging: encrypted communication.
- Access granted: fingerprints become readable.
Certificate infrastructure: reading fingerprints needs a special reading certificate, issued only to trusted authorities.
Tip: BAC asks "do you know the MRZ?" (a weak shared secret), whereas EAC asks "can you prove you're a government-certified terminal?" (a real PKI credential) — that's why fingerprints need EAC, not just BAC.
Go deeper:
Extended Access Control (Wikipedia) — chip + terminal authentication and the certified-reader requirement.