Cards

Cards are perhaps the most common credential used for foundational—as well as functional—ID systems, including for national IDs, voter ID cards, social security cards, health insurance cards, and more. However, although ID cards are common and well-understood credentials, the process of choosing the type of ID card is far from straightforward, with myriad standards, features, and vendors offering different benefits and very different use cases. Not all cards are created equal, and the cost, security, durability, and utility vary dramatically from card to card, including—for example—whether the card has an integrated chip.

When designing a card, practitioners should consider the following, based on context-specific needs:

  • Card materials and security features

  • Machine-readability, including data storage and processing

  • The visibility of data on the card

Table 32. Comparison of common card types

| | Magstripe | 2D Barcode (e.g., QR code) | Smartcard |
|---|---|---|---|
| Storage | Encodes up to 75 alphanumeric + 147 numeric characters | Encodes up to 500 bytes/inch², sufficient for fingerprint and cryptographic signatures | Depending on memory chip, can store 8kb-256kb |
| Internal computing | None | None | Microprocessor capable of cryptographic algorithms |
| Readability | Card reader | Camera (e.g., on a mobile phone) | Contact: card reader. Contactless: RFID/NFC receiver |
| Digital authentication of user | Online against a server via internet or mobile services, offline against local system via app | Online against a server via internet or mobile services, offline against local system or barcode via app | Online against a server via internet or mobile services, offline against the chip (match on card) |
| Resilience to tampering | Low-medium based on material and physical security features | Low-medium based on material and physical security features; higher if barcode is digitally signed | High if built-in encryption and digital signature capabilities and certified (e.g. CC EAL) components are used |
| Cost per card | Low of ~US$1.5/card, higher depending on material, security features | Low of ~US$1/card, higher depending on material, security features | Typical range of ~US$2-10/card (higher for contactless cards) |

Source: ID4D Technology Landscape, Digital ID Toolkit, Costing Model, expert consultation

Materials and security features

Modern ID cards are usually made from synthetic materials, including polyvinyl chloride (PVC, common plastic cards), composites of PVC and polyethylene terephthalate (PET), polycarbonate (a thermoplastic material made up of layers of plastic), and Teslin (a synthetic, flexible paper substrate), all of which can be composited. Each of these materials has advantages and disadvantages. PVC, for example, is the cheapest material but also the least durable. Polycarbonate cards come at a higher price but can be more durable and more tamper-resistant than other materials. Meanwhile, certain types of PET are more resistant to heat. Some security features can work better on certain types of materials (e.g. laser engraving does not necessarily work as well on PVC as polycarbonate).

Cards made of any material can include overt, covert, and forensic security features (i.e., levels 1, 2, and 3) to make them more resistant to tampering or counterfeiting. Such features can add significant additional costs, and include, but are not limited to, hidden images or texts using ultraviolet or fluorescent printing; laser engraving (polycarbonate cards only); adding a semi-transparent copy of a photo or image (a “ghost image”); micro text printing; embossing; holograms, etc. Furthermore, some security features are proprietary to particular vendors, which could introduce some form of lock-in, and may not necessarily reduce risks of fraud. The choice of material and security features will be highly dependent on country context, including budget, concerns regarding fraud, and how long the cards will be in circulation before renewal is required.

When determining the material and security features of a physical card (as well as whether a physical card is necessary), it is recommended that countries conduct a comprehensive cost-benefit analysis that takes into account intended use cases and public consultation to understand the advantages and disadvantages of different approaches. See the costing model for a more in-depth description of the pros and cons of different card types and average prices based on material and security features.

Data storage/processing capacity

In addition to their material and security features, cards vary in terms of their technology for storing and/or processing machine-readable data—i.e., information that can be read by and interact with hardware and software. There are three main technologies that are used for machine-readability and data storage on ID cards, which can be used in isolation or combined on the same card:

  • Magnetic stripes (magstripes): Historically used for bank and credit cards, magstripe cards encode information in a magnetic stripe that can be read when it is swiped or inserted into a card reader. Although not as cheap as barcodes, magstripe cards are a simple alternative to more advanced smartcards, but they can only hold a very limited amount of data.

  • Barcodes: One-dimensional (1D) or two-dimensional (2D) barcodes encode information that can be captured by a scanner or camera, respectively. While 1D barcodes (e.g. a barcode on the back of a product to be purchased in a store) are useful for storing short numbers (e.g., a 12-digit ID number), 2D barcodes—e.g., quick response or QR codes—have a higher data storage capacity. For example, they can store encrypted personal data, images, and a digital signature that vouches for the authenticity of the data. Some countries have attempted to encode a biometric template (e.g. fingerprint) into a 2D barcode to facilitate offline authentication, but this comes with significant privacy and data security risks—unless it is encrypted—because that data is easily readable. Barcodes are cheap to implement, as they are simply printed as part of the card personalization process. However, they are less secure than smartcards because they are externally visible and not dynamic.

  • Smartcards: Cards with an embedded chip (i.e., “smartcards” or e-ID cards) offer the highest level of functionality, including the ability to store multiple applications and complete cryptographic operations locally. As a result, data stored on a smartcard can be accessed offline for authentication, even where there is no internet connection or mobile network. “Contact” smartcards are read when inserted into a card reader, while (more expensive) “contactless” cards use radio frequency identification (RFID) or near field communication (NFC) to communicate with a receiver in close proximity. Access to the smartcard needs to be controlled for privacy reasons (and if fees are going to be charged for such access), which can be accomplished through software-based authorization or the integration of a Secure Access Module (SAM) chip loaded with relevant decryption keys into the smartcard readers.

Adopting one or more of these technologies is critical to using an ID card in a digital environment, including for:

  • Authentication of the person. In addition to verifying the authenticity of the credential and its data, magstripes, barcodes, and/or chips can each facilitate automated authentication that binds the person to the credential, ensuring that they are its rightful owner. Of the above options, smartcards offer the most secure authentication capabilities, both online and offline. Magstripes and barcodes can effectively serve as an index that points to a person’s record in a database for online authentication. For example, people often swipe a magstripe card and enter their PIN at an ATM, and this information is then sent to the bank’s server to verify that the PIN associated with the card number (read from the stripe) matches the PIN the person has entered.

  • Verification of data and the card’s validity. Machine-readable data stored in a magstripe, barcode, or chip can provide additional security against tampering and counterfeiting by attesting to the validity of the credential and its data. For example, the data stored in a magstripe, barcode, or chip can be checked against the information printed on the card or against a database (remote with an internet connection, or local without) to ensure that they match. Security is increased where this data is digitally signed by the issuing authority.

  • Storage of non-visible data and additional applications. Smartcards and QR codes in particular have the capacity to store data that may not be visible on the card, such as a unique ID number. Smartcards also have the capacity to store multiple applications, such as digital wallets that—combined with the chip’s microprocessor—can provide a variety of applications beyond identification and authentication. However, most countries that have attempted to introduce “multipurpose” smartcards—e.g., driving license and health information on the same card—have had limited success compared to promoting interoperability between information systems.
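
The digitally signed barcode data mentioned above can be checked offline with nothing but the issuing authority's public key. The following Node.js sketch is an added example, not part of the original guide or of any national scheme; the payload layout, the `kid` and `exp` fields, the key ID and the sample person are assumptions constructed for illustration.

```javascript
// Added illustration; field names, key ID and sample data are constructed.
const crypto = require('crypto');

// Issuer side: sign the exact payload bytes that are printed in the 2D barcode.
function issueBarcode(attrs, kid, privateKey) {
  const payload = Buffer.from(JSON.stringify({ kid, ...attrs }), 'utf8');
  const sig = crypto.sign(null, payload, privateKey); // Ed25519: 64-byte signature
  return `${payload.toString('base64url')}.${sig.toString('base64url')}`;
}

// Verifier side: works offline with only the issuer's public keys.
function verifyBarcode(text, trustStore, today) {
  const parts = String(text).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const payload = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  let claims;
  try {
    claims = JSON.parse(payload.toString('utf8'));
    if (claims === null || typeof claims !== 'object') throw new Error('not an object');
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  // kid is untrusted at this point; it is used only to select a trusted key.
  const key = trustStore.get(claims.kid);
  if (!key) return { ok: false, reason: 'unknown issuer key' };
  if (sig.length !== 64 || !crypto.verify(null, payload, key, sig))
    return { ok: false, reason: 'bad signature' };
  if (typeof claims.exp !== 'string' || claims.exp < today)
    return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Simulates an altered card: payload edited, original signature kept.
function alterName(text, newName) {
  const [p, s] = text.split('.');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  claims.name = newName;
  return `${Buffer.from(JSON.stringify(claims)).toString('base64url')}.${s}`;
}

function demo() {
  const issuer = crypto.generateKeyPairSync('ed25519'); // constructed demo key
  const store = new Map([['issuer-key-1', issuer.publicKey]]);
  const attrs = { name: 'A. Sample', dob: '1990-01-01', exp: '2030-12-31' };
  const code = issueBarcode(attrs, 'issuer-key-1', issuer.privateKey);
  return { code, store, valid: verifyBarcode(code, store, '2025-06-01'),
           altered: verifyBarcode(alterName(code, 'B. Other'), store, '2025-06-01') };
}
console.log(demo());
```

The signature proves that the data came from the issuer and was not altered; it does not hide the data, so anything placed in the payload remains readable by any scanner unless it is also encrypted.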

Visibility of attributes

In addition to the form and function of the ID card, practitioners must consider which data will be both (1) printed visibly on the card, and (2) accessible through a magstripe, barcode, or chip.

As with the collection of data, practitioners should seek to minimize the amount of personal information printed or stored on the card to that which is necessary for its intended use cases. Printed information is visible to anyone who has access to the card and therefore should not include sensitive data or data that might increase the risks of discrimination, profiling and social exclusion (e.g., nationality, ethnicity, tribe, religion, gender, etc.). Countries should also consider not printing “root” identifiers (e.g., a unique ID number in non-tokenized form) or information that could change often (e.g. address). Likewise, since the front of a card can often be photocopied or photographed, countries should consider separating information on the front and back faces. For countries where only a portion of transactions will involve digitally reading a card, some information (e.g., a photo, name, etc.) must be visible on the card. However, efforts should be made to minimize this information wherever possible.

In addition, practitioners can deploy technological solutions to limit who has access to which information stored digitally on the card. For most transactions, service providers only need access to a limited set of information. Restricting the visibility of unrequired attributes therefore limits the processing of personal data, increasing privacy and data protection. For example, an election official may need to verify a person’s name, age, and locality, but they may not need access to information such as the person’s full address, their fingerprint, or other information in the ID database or card. Smartcards in particular can allow for the selective disclosure of certain attributes, as card readers can be programmed to restrict access to specific categories of data—such as biometric data—to authorized users, or to the relevant attributes identified in a particular context. New solutions for different models of attribute-based credentials are continuing to develop and can provide additional options for the selective disclosure of only the attributes required for a transaction (see Box 35 for a current example from Germany).

Box 35. Selective attribute disclosure in the German eID system

The German eID system relies on mutual authentication of its eID card in order to protect privacy and ensure secure transactions. This means that both the card holder (e.g., a person attempting to prove who they are to a service provider) and the relying party or service provider authenticate themselves against the chip of the eID card.

The principle of mutual authentication allows both communication parties to: (1) have proof of the identity of the counterpart and (2) establish a trusted and secure end-to-end-protected channel between the relying party and the chip of the eID.

As part of the mutual authentication, the relying party has to prove their authorization to get access to the relevant data. Access to any data is only possible after successful authentication of the relying party and verification of the corresponding access rights. The authentication of the communication parties and the assignment of access rights are realized via dedicated public key infrastructures.

Because the personal data is securely stored on the eID card’s chip and transmitted via an authenticated channel, the authenticity and integrity of the data are ensured without the need to sign the data. This means that unlike signature-based eID schemes, the relying party receives no permanent proof of identity.

Source: https://www.bsi.bund.de/EN/Topics/ElectrIDDocuments/German-eID/german-eID_node.html
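
The access-control idea in Box 35 and in the election-official example above can be modelled in a few lines. This is an added, simplified illustration and not the German eID protocol or any BSI code: the `ChipModel` class, the certificate layout and the attribute names are hypothetical, and the card holder's own authentication and the protected channel are left out.

```javascript
// Added illustration: a simplified model, not the German eID protocol itself.
// Class, field and attribute names are hypothetical; keys and data are constructed.
const crypto = require('crypto');
// The authorization CA binds a relying party's public key to its access rights.
function issueAuthCert(caPrivateKey, rpPublicKey, subject, rights) {
  const key = rpPublicKey.export({ type: 'spki', format: 'pem' });
  const body = Buffer.from(JSON.stringify({ subject, rights, key }));
  return { body, sig: crypto.sign(null, body, caPrivateKey) };
}
class ChipModel {
  constructor(caPublicKey, attributes) {
    this.ca = caPublicKey;        // trust anchor stored on the chip
    this.attributes = attributes; // Map: attribute name -> value
    this.session = null;
  }
  // Step 1: accept only CA-signed certificates, then issue a fresh challenge.
  presentCert(cert) {
    this.session = null;
    if (!crypto.verify(null, cert.body, this.ca, cert.sig)) return null;
    const { rights, key } = JSON.parse(cert.body.toString('utf8'));
    this.session = { rights, key: crypto.createPublicKey(key), authed: false, nonce: crypto.randomBytes(16) };
    return this.session.nonce;
  }
  // Step 2: the relying party proves it holds the certified private key.
  answerChallenge(sig) {
    const s = this.session;
    if (s) s.authed = crypto.verify(null, s.nonce, s.key, sig);
    return Boolean(s && s.authed);
  }
  // Step 3: release only attributes both requested and covered by the rights.
  read(requested) {
    const s = this.session;
    if (!s || !s.authed) return {};
    const allowed = requested.filter((a) => s.rights.includes(a) && this.attributes.has(a));
    return Object.fromEntries(allowed.map((a) => [a, this.attributes.get(a)]));
  }
}
function demoDisclosure() {
  const ca = crypto.generateKeyPairSync('ed25519');
  const official = crypto.generateKeyPairSync('ed25519');
  const chip = new ChipModel(ca.publicKey, new Map([['name', 'A. Sample'], ['age', 35],
    ['locality', 'District 4'], ['address', '1 Example St'], ['fingerprint', '<template>']]));
  const cert = issueAuthCert(ca.privateKey, official.publicKey, 'election-official', ['name', 'age', 'locality']);
  const nonce = chip.presentCert(cert);
  const before = chip.read(['name']); // nothing is released before authentication
  chip.answerChallenge(crypto.sign(null, nonce, official.privateKey));
  const after = chip.read(['name', 'age', 'address', 'fingerprint']);
  const selfSigned = issueAuthCert(official.privateKey, official.publicKey, 'self-issued', ['fingerprint']);
  return { before, after, selfSignedAccepted: chip.presentCert(selfSigned) !== null };
}
console.log(demoDisclosure());
```

The reader receives only `name` and `age`: the address and fingerprint were requested but are outside the rights in its certificate, and a certificate not signed by the authorization CA is rejected outright.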