What does Passive Authentication (PA) verify on a biometric passport, and what's its limitation?
PA verifies that the data on the chip is genuine and unmodified — it's a digital-signature check over the chip's data. It does not, however, prove the chip itself is genuine (a perfect clone passes PA).
How PA works:
- The issuing country generates an asymmetric Document Signer key and a Country Signing Certificate Authority (CSCA) key.
- When a passport is issued, the chip's data (name, photo, biometrics, …) is hashed and signed by the Document Signer.
- At the border, the reader:
- Reads the chip's data and the signature.
- Looks up the country's CSCA certificate (distributed via ICAO's Public Key Directory).
- Verifies the chain: CSCA → Document Signer → data signature.
What PA proves: the data on the chip is exactly what the issuing country put there.
What PA does not prove: that this particular chip is the original. An attacker who copies the data and signature into a counterfeit chip passes PA — that's the gap Active Authentication closes.
Tip: Most border systems run PA first and treat its failure as "fake passport, refuse entry." It's the cheapest and fastest check — and works offline as long as the reader has the CSCA certificates cached.