LOGBOOK

HELP

Quiz Entry - updated: 2026.06.25

What does Passive Authentication (PA) verify on a biometric passport, and what's its limitation?

PA verifies that the data on the chip is genuine and unmodified — it's a digital-signature check over the chip's data. It does not, however, prove the chip itself is genuine (a perfect clone passes PA).

How PA works:

  1. The issuing country generates an asymmetric Document Signer key and a Country Signing Certificate Authority (CSCA) key.
  2. When a passport is issued, the chip's data (name, photo, biometrics, …) is hashed and signed by the Document Signer.
  3. At the border, the reader:
    • Reads the chip's data and the signature.
    • Looks up the country's CSCA certificate (distributed via ICAO's Public Key Directory).
    • Verifies the chain: CSCA → Document Signer → data signature.

What PA proves: the data on the chip is exactly what the issuing country put there.

What PA does not prove: that this particular chip is the original. An attacker who copies the data and signature into a counterfeit chip passes PA — that's the gap Active Authentication closes.

Tip: Most border systems run PA first and treat its failure as "fake passport, refuse entry." It's the cheapest and fastest check — and works offline as long as the reader has the CSCA certificates cached.

From Quiz: ISF / Cryptographic Protocols & Requirements | Updated: Jun 25, 2026