Content pfp
Content
@
0 reply
0 recast
0 reaction
Dan Romero pfp
Dan Romero
@dwr.eth
How do the apps that scan the NFC chip in a passport to ZK proof prevent fraud?
5 replies
2 recasts
27 reactions
tldr (tim reilly) pfp
tldr (tim reilly)
@tldr
cc @web3pm
1 reply
0 recast
1 reaction
Dan | Icebreaker pfp
Dan | Icebreaker
@web3pm
@dwr.eth https://withpersona.com/blog/nfc-e-passport-verification-guide https://docs.rarimo.com/zk-passport/biometric-passports-101/ NFC chips have a token ID (in addition to an optionally incrementing nonce) that can be used as a unique identifier Within the context of a single app, you can create a zk scheme where you can detect duplicates of the same passport being used for multiple proofs, without revealing the ID. This is harder to pull off across multiple apps however while preserving zero-knowledge without coordinating ahead of time to use a consistent way of detecting duplicates Also note that with persona, they force you to also take a picture because they are comparing the NFC scan itself against the physical passport. I haven't dived into how you guarantee authenticity just from the NFC scan itself- not sure there is a way to validate an authentic NFC scan if you do not trust the user without querying a third party (e.g., issuer) for verification that a particular tap is valid
1 reply
0 recast
2 reactions
Dan Romero pfp
Dan Romero
@dwr.eth
> I haven't dived into how you guarantee authenticity just from the NFC scan itself- not sure there is a way to validate an authentic NFC scan if you do not trust the user without querying a third party (e.g., issuer) for verification that a particular tap is valid Right, so this is the issue. If I'm sophisticated enough, I can create a fake NFC tag and physical document for the photo. There's no API to ping to see if John Doe with SSN XXX-XX-XXXX in USA is a real person.
2 replies
0 recast
2 reactions
Dan | Icebreaker pfp
Dan | Icebreaker
@web3pm
>There's no API to ping to see if John Doe with SSN XXX-XX-XXXX in USA is a real person. There kindof is in the US- all of the credit bureaus directly or indirectly license out their data to data brokers and for a few pennies, you can query an individual's entire credit history, address, real estate, SSN, etc. just with a phone number. However, your instinct is right in that it's still hard to validate that a particular passport tap is in fact the John Doe with SSN XXX that we know is a real person. Going to tag the team at Rarimo to see if they have figured out how to solve this since we have prioritized *who you trust* over *who you are* at Icebreaker
0 reply
0 recast
0 reaction