ID check via ICAO & NFC
Full verification of identity documents according to ICAO 9303, including MRZ scanning, NFC chip reading, PACE/BAC/CAN, SOD validation, passive authentication, active authentication, and chip authentication.
Why ICAO/NFC identity verification?
ProjectAssistant integrates a full ICAO 9303 implementation for verifying passports and ID cards. Using MRZ scanning and NFC chip communication, data such as name, date of birth, nationality, document number and photo are read directly from the secure chip. This confirms the authenticity of the identity document in accordance with legal identification and documentation requirements.
- No manual entry: all data is taken automatically from DG1 and DG2
- Checks according to ICAO 9303 security standards
- Counterfeit detection via SOD and hash chain
- Support for PACE, CAN, BAC
- Photo & document data quality control
Step 1: MRZ scanning
The check begins by scanning the Machine Readable Zone (MRZ) of an ID card or passport. The mobile app uses a live camera overlay with automatic detection and validation of:
- MRZ type (TD1, TD2, TD3)
- Check digits (checksum validation of each MRZ field)
- CAN derivation for PACE
- Document number, date of birth, expiration date
Based on the MRZ, the keys for BAC or PACE are calculated and the NFC reading starts.
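As an added worked example (not ProjectAssistant's own code), this shows the two MRZ steps above in Python: the ICAO 9303 check-digit computation used for checksum validation, and the BAC key derivation (K_ENC and K_MAC) from the document number, date of birth and expiry date. The input values are the published ICAO 9303 Part 11 worked-example values, not a real document.

```python
import hashlib

# ICAO 9303 check digits use the repeating weights 7, 3, 1 over the field.
WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """Map an MRZ character to its value: digits as-is, '<' = 0, A-Z = 10..35."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {c!r}")


def check_digit(field: str) -> int:
    """Compute the ICAO 9303 check digit for one MRZ field."""
    return sum(mrz_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def verify_field(field: str, printed_digit: str) -> bool:
    """Checksum validation: the printed check digit must match the recomputed one."""
    return check_digit(field) == int(printed_digit)


def adjust_parity(key: bytes) -> bytes:
    """Force DES odd parity: the low bit of each byte makes its 1-bit count odd."""
    out = bytearray()
    for b in key:
        ones_in_upper7 = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_upper7 % 2 else 1))
    return bytes(out)


def derive_key(k_seed: bytes, counter: int) -> bytes:
    """ICAO 9303 KDF: SHA-1(K_seed || counter), first 16 bytes, parity-adjusted 3DES key."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:8]) + adjust_parity(digest[8:16])


def bac_keys(doc_number: str, birth_date: str, expiry_date: str) -> tuple:
    """Build MRZ_information (each field + its check digit), then K_ENC (c=1) and K_MAC (c=2)."""
    mrz_information = "".join(f + str(check_digit(f)) for f in (doc_number, birth_date, expiry_date))
    k_seed = hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]
    return derive_key(k_seed, 1), derive_key(k_seed, 2)


if __name__ == "__main__":
    # Values from the ICAO 9303 Part 11 worked example (not a real document).
    k_enc, k_mac = bac_keys("L898902C<", "690806", "940623")
    print("K_ENC:", k_enc.hex().upper())  # AB94FDECF2674FDFB9B391F85D7F76F2
    print("K_MAC:", k_mac.hex().upper())  # 7962D9ECE03D1ACD4C76089DCE131543
```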
Step 2: NFC access (PACE / BAC / CAN)
The app always tries PACE first, as it is the modern, more secure and faster protocol. If the document does not support PACE, the system falls back to BAC or CAN.
Order of protocols
- PACE (preferred) – modern protocols, ECDH/ECDSA, more secure
- CAN – via Card Access Number (for EU ID cards)
- BAC – older passports and IDs
PACE flow (GA1 → GA4)
- GA1: Start key agreement (mapping OID → curve)
- GA2: ECDH exchange
- GA3: Nonce mapping + mutual authentication
- GA4: Secure messaging key derivation
Result: an ENC key and a MAC key with which all subsequent APDUs are secured (secure messaging).
Step 3: Reading Data Groups (DG1–DG15)
The app reads all required data groups from the chip. In your implementation, DG1, DG2, DG7, DG11, and DG12 are read, depending on country and availability.
- DG1 - Machine Readable Data (name, date of birth, document number)
- DG2 - Face scan / photo
- DG7 - Signatures (for some countries)
- DG11 - Additional personal data
- DG12 - Document info
- SOD - Document Security Object (hash & signature root)
Data mapping is done automatically to your EmployeeIdentityModel.
Step 4: SOD Verification & Passive Authentication
The SOD contains the hash values of each data group and a digital signature of the issuer state. ProjectAssistant validates:
- Hash chain: the hash of each read data group (e.g. DG1) matches the corresponding hash stored in the SOD
- Signature: the SOD signature is verified against the Document Signer (DS) certificate and its issuing CSCA certificate
- Certificate validity & revocation
If the SOD check is successful, the document is cryptographically authentic: the data was signed by the issuing state and has not been altered. Whether the chip itself is a copy is covered separately by Steps 5 and 6.
Step 5: Active Authentication
If supported by the document, the app performs Active Authentication. This verifies that the chip is genuine and not cloned.
- Challenge → Response
- ECDSA/RSA authentication
- Security check against copies
If the signature verifies, the chip holds the genuine private key and has not been copied.
Step 6: Chip Authentication
Chip Authentication replaces Active Authentication in modern eIDs. It confirms the authenticity of the chip via a new ECDH exchange.
- ECDH with chip private key
- New session keys
- Full proof of authenticity
Link to employee
After successful verification, all data is automatically linked to the employee:
- Name, date of birth, nationality
- Document number, expiration date
- Photo from DG2
- Control log including PACE/BAC/CAN details
The document will automatically appear in the employee document system.
