Quiz Entry - updated: 2026.07.05
How does Passive Authentication (PA) work in detail, and what does it explicitly NOT protect against?
All data groups (DG1–DG16) are hashed into a Document Security Object (SOD), signed by the issuer's Document Signer cert, verifiable up to the Country Signing CA — but PA does NOT prevent cloning, since it only proves the data are genuine, not that they sit in the original chip.
* PA's signature chain proves the data are genuine but does not stop cloning. *
How it works: to prevent changes to stored passport data:
- All data groups (DG1–DG16) are hashed.
- The hashes are stored in the SOD (Document Security Object).
- The SOD is signed by the issuing country's Document Signer (DS) certificate.
- Authenticity is verifiable with the Country Signing Certificate (CSCA).
Weaknesses in practice:
- Patchy implementation: validation of DS certificates is often skipped at airports/borders, massively weakening security.
- No protection against cloning: PA explicitly does not prevent copying a passport — it only proves the data are authentic, not that they reside in the original chip.
- Trust chain: security depends on the integrity of the entire CA infrastructure; compromised CSCA keys endanger all passports built on them.
Tip: This is the PA/AA division of labour: PA proves the data are genuine; only Active Authentication proves the chip is the original. A perfect bit-for-bit clone passes PA but fails AA.
Go deeper:
Biometric passport (Wikipedia) — the SOD signature chain and PA's no-anti-cloning limitation.