Dan Romero
@dwr.eth
How do the apps that scan the NFC chip in a passport to ZK proof prevent fraud?
5 replies
2 recasts
27 reactions

tldr (tim reilly)
@tldr
cc @web3pm
1 reply
0 recast
1 reaction

Dan | Icebreaker
@web3pm
@dwr.eth
https://withpersona.com/blog/nfc-e-passport-verification-guide
https://docs.rarimo.com/zk-passport/biometric-passports-101/
NFC chips have a token ID (in addition to an optionally incrementing nonce) that can be used as a unique identifier.
Within the context of a single app, you can create a zk scheme where you can detect duplicates of the same passport being used for multiple proofs, without revealing the ID. This is harder to pull off across multiple apps, however, while preserving zero-knowledge without coordinating ahead of time to use a consistent way of detecting duplicates.
Also note that with Persona, they force you to also take a picture because they are comparing the NFC scan itself against the physical passport.
I haven't dived into how you guarantee authenticity just from the NFC scan itself - not sure there is a way to validate an authentic NFC scan if you do not trust the user without querying a third party (e.g., issuer) for verification that a particular tap is valid.
1 reply
0 recast
2 reactions
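
Added example, not part of the thread and not code from Persona, Rarimo or Icebreaker: a sketch of the app-scoped duplicate check described in the post above, going one step further to show the shared-scope case. The ZK proof that would bind each tag to a validly signed passport is omitted, and `nullifier`, `NullifierRegistry`, the scope strings and the passport identifiers are assumptions constructed for illustration.

```python
import hashlib
import hmac


def nullifier(passport_id: bytes, scope: bytes) -> str:
    """Scope-bound tag, computed on the holder's device.

    HMAC-SHA256 keyed by the passport's private identifier (hypothetical
    construction). The verifier only ever sees the resulting tag.
    """
    return hmac.new(passport_id, b"nullifier-v1|" + scope, hashlib.sha256).hexdigest()


class NullifierRegistry:
    """What a verifier stores: the tags it has already accepted for one scope."""

    def __init__(self, scope: bytes):
        self.scope = scope
        self.seen = set()

    def register(self, tag: str) -> bool:
        """Accept a tag once; return False when the same passport comes back."""
        if tag in self.seen:
            return False
        self.seen.add(tag)
        return True


def demo() -> dict:
    alice = b"CONSTRUCTED-PASSPORT-ID-0001"  # constructed sample values
    bob = b"CONSTRUCTED-PASSPORT-ID-0002"
    app_a = NullifierRegistry(b"app-a.example")
    app_b = NullifierRegistry(b"app-b.example")
    # Two apps that agreed ahead of time on one scope share one registry.
    shared = NullifierRegistry(b"shared-scope.example")
    shared.register(nullifier(alice, shared.scope))  # proof submitted via app A
    return {
        "first_use": app_a.register(nullifier(alice, app_a.scope)),
        "duplicate": app_a.register(nullifier(alice, app_a.scope)),
        "other_passport": app_a.register(nullifier(bob, app_a.scope)),
        # Different scopes give unrelated tags: no cross-app duplicate detection.
        "linkable_across_apps": nullifier(alice, app_a.scope) == nullifier(alice, app_b.scope),
        # Same passport arriving via app B is caught only because the scope is shared.
        "shared_scope_duplicate": not shared.register(nullifier(alice, shared.scope)),
    }


if __name__ == "__main__":
    print(demo())
```

The tag hides the identifier only if the identifier is hard to guess: anyone who can enumerate candidate IDs can recompute tags for a known scope and match them.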

Dan Romero
@dwr.eth
> I haven't dived into how you guarantee authenticity just from the NFC scan itself - not sure there is a way to validate an authentic NFC scan if you do not trust the user without querying a third party (e.g., issuer) for verification that a particular tap is valid

Right, so this is the issue. If I'm sophisticated enough, I can create a fake NFC tag and physical document for the photo. There's no API to ping to see if John Doe with SSN XXX-XX-XXXX in USA is a real person.
2 replies
0 recast
2 reactions

Dean Pierce 👨‍💻🌎🌍
@deanpierce.eth
My understanding is that all the data in the passport is signed in a way that chains up to a private key that's not on the passport. Anyone who pulls the data off with an NFC tap (and the code inside the passport that the data is encrypted with) has all the private data and can prove that it was signed by some national authority. Of course, for privacy reasons you don't want to give all that private data to others, so you can do a ZK proof that you verified some subset, or properties of the data, and can share that proof while keeping all the private information on your phone.
0 reply
0 recast
0 reaction

Dan | Icebreaker
@web3pm
> There's no API to ping to see if John Doe with SSN XXX-XX-XXXX in USA is a real person.

There kind of is in the US - all of the credit bureaus directly or indirectly license out their data to data brokers and for a few pennies, you can query an individual's entire credit history, address, real estate, SSN, etc. just with a phone number.
However, your instinct is right in that it's still hard to validate that a particular passport tap is in fact the John Doe with SSN XXX that we know is a real person.
Going to tag the team at Rarimo to see if they have figured out how to solve this since we have prioritized *who you trust* over *who you are* at Icebreaker.
0 reply
0 recast
0 reaction