Preventing fraud in vaccine passports

© Thatpichai

Jenn Markey, Product Marketing Director for Identity, Entrust, discusses the core requirements of a ‘digital immunity passport’ both from an ethics and practicality perspective

Using digital signatures to fight fakes

Vaccine passports, or immunity certificates, offer a fast way to re-open our borders and restart international travel. Many governments are well underway in developing their systems and countries that rely on tourism have been quick to announce plans for this summer. However, the key to the success of the vaccine passport is trust. Trust that the credentials within it are 100% genuine, and trust that the passport itself is beyond suspicion of fraudulent activity. How can we stop fraudsters undermining systems with fakes? Can identity technology help secure our path out of lockdown?

Multiple vaccine passport schemes are in development

To kickstart the travel industry, some governments are investigating the practicality of vaccine passport schemes. This month Brussels will propose a law on setting up a “green pass” for vaccination certification. Estonia and Iceland already link e-vaccination certificates to travel and exclusion from quarantine. Similarly, Cyprus’ tourism minister has announced the country will allow British tourists who have been fully vaccinated against COVID-19 to enter without restrictions from 1 May 2021.

This follows swift action from the travel industry: the International Air Transport Association (IATA) travel pass initiative will be trialled by carriers including Malaysia Airlines, Rwandair and Air New Zealand.

Challenges of vaccine passports as “golden tickets”

In many ways, a vaccine passport is an extension of existing systems. Traditional passports help to identify and define how individuals are allowed to move around at borders. Likewise, returning citizens or travellers from countries with yellow fever risk are required to produce a valid vaccination certificate. However, vaccine passports pose additional challenges because of their exceptional value to a world that has been in lockdown for over a year.

The incentive for creating fraudulent vaccine documents is high and their use has become a growing concern. Arrests have already been made for counterfeit COVID-19 test documents in France, Brazil, the UK and elsewhere. Therefore, a digital ‘immunity passport’ needs to be fundamentally secure and tamper-proof.

Multi-layered digital security

To achieve this, a digital signature needs to be created; it is generally stored on a convenient mobile device such as a phone, or on a smart card. The digital signature is designed to interact with systems and relevant authorities – working to securely identify the individual as well as validate any official documentation they might be carrying.

A digital credential of this nature is inherently more secure and durable than a paper record, which can be reproduced easily, or a digital copy of a document stored in an open file or wallet, both of which are already easy to obtain on the dark web. A digital credential is bound to the holder by various means, providing both physical and digital security. One example is the digital link between the individual’s virtual credential and the physical form factor, such as their passport or mobile phone. This, in turn, is bound to that person by means of secure identification, often in the form of a biometric scan – either facial recognition or fingerprint.

The official credential – in this case, a vaccine certificate to identify the holder as someone vaccinated against COVID-19 – has multiple layers of trust built into it. The authenticity of the credential can be proven, with built-in security features required to match an authentic sample.

The digital signature – how it works

The credential bears a digital signature that links it to the authorising body and therefore ensures that it is both genuine and issued by the correct authority. Testing results and vaccination certificates can be securely uploaded from verified testing centres or vaccination authorities. The integrity of the documentation is also provable, with built-in digital sealing features that certify the data needed has not been tampered with, either physically or digitally.

In terms of security, the digital credential for each individual is unique and trusted: only the issuing authority is able to authenticate and sign the required records once the individual has received the required vaccine. Strong access controls and authorisation rules would protect privacy, ensuring that approved personnel have access only to the data they require, and that personal records remain encrypted both in storage and in transit.
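The issue-and-verify flow described above, as an added example that is not part of the original article or of any real vaccine passport scheme: an issuing authority signs a vaccination record, and a border verifier that holds only the authority's public key rejects an altered record, a record signed with a forger's key, and a record from an issuer it does not trust. Ed25519 from Node's built-in crypto module is an assumed algorithm choice, and all names and values are constructed.

```javascript
// Added illustration; issuer names, holder data and keys are constructed for the demo.
const nodeCrypto = require('node:crypto');

// Deterministic serialisation so issuer and verifier sign/check identical bytes.
// (Flat objects only; real schemes use a defined canonical encoding.)
function canonicalBytes(payload) {
  return Buffer.from(JSON.stringify(payload, Object.keys(payload).sort()), 'utf8');
}

// Issuer side: only the holder of the private key can produce the signature.
function issueCredential(issuerId, privateKey, claims) {
  const payload = { ...claims, issuer: issuerId };
  const signature = nodeCrypto.sign(null, canonicalBytes(payload), privateKey).toString('base64');
  return { payload, signature };
}

// Verifier side: needs only the public keys of the issuers it trusts.
function verifyCredential(credential, trustedIssuers) {
  const publicKey = trustedIssuers.get(credential.payload.issuer);
  if (!publicKey) return { valid: false, reason: 'unknown issuer' };
  const sig = Buffer.from(credential.signature, 'base64');
  const ok = nodeCrypto.verify(null, canonicalBytes(credential.payload), publicKey, sig);
  return ok ? { valid: true, reason: 'ok' } : { valid: false, reason: 'bad signature' };
}

// Constructed demo data: one trusted authority and one key pair held by a forger.
const authority = nodeCrypto.generateKeyPairSync('ed25519');
const forger = nodeCrypto.generateKeyPairSync('ed25519');
const trustedIssuers = new Map([['health-authority-example', authority.publicKey]]);

const genuine = issueCredential('health-authority-example', authority.privateKey, {
  holder: 'Alex Example', dateOfBirth: '1985-04-12', vaccine: 'EXAMPLE-VAX', doses: 2,
});
// Record edited after signing: the signature no longer matches the data.
const tampered = { payload: { ...genuine.payload, holder: 'Someone Else' }, signature: genuine.signature };
// Record claiming the trusted issuer's name but signed with a different key.
const forged = issueCredential('health-authority-example', forger.privateKey, genuine.payload);
// Validly signed record from an issuer the verifier has never approved.
const selfIssued = issueCredential('unlisted-clinic', forger.privateKey, genuine.payload);
```

The verifier never needs the private key or a connection to the issuer; the registry of trusted public keys is the part of the system that has to be protected and kept current.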

An accepted travel pass would issue an easily-identifiable tick of approval for passengers who have the authoritative digital credentials and the encrypted records of their vaccination to present during their clearance at border control points.

Ultimately, vaccine passports or immunity credentials may be a strong, viable solution for enabling trust between travellers, carriers and the governments controlling international borders, but they must have digital and physical protections to ensure that this trust is not misplaced. Strong identity security is critical for allowing borders to open up in a safe, convenient and controlled manner, for our ability to get COVID-19 in retreat and for getting people on the move once again.

