Introduction to Enabling NFC in your App
The Power of NFC: Reading Passports from your Phone
Near-field communication (NFC) allows two devices to communicate within a very short range, no more than 10 cm. While NFC has been available for over a decade, the technology recently became mainstream with the proliferation of electronic passports and contactless credit cards.
Jumio’s SDK already allowed you to compare a user’s selfie with their passport photo. But accessing the NFC chip in an electronic passport dramatically improved identity verification by introducing another data point, this time provided by a trusted (state) issuing authority. We can now validate that the passport is legitimate by checking the security certificate embedded on the NFC chip against the ICAO’s public key masterlist. In the future, we hope to add the ability to compare the user’s image with the photo data on the NFC chip.
Adding NFC support to the SDK wasn’t easy. If you’ve embarked on this journey, you know that the specifications are hundreds of pages long and that there are many pitfalls along the way. In this series of blog posts, we will share what we learned so you can have a better understanding of NFC and an easier time enabling it in your own applications.
NFC Support in iOS
Devices supporting the near-field communication protocol first arrived in consumer hands in trial form in 2007. By 2012, most Android devices included an NFC-capable chipset. Apple Pay, deployed in 2014, was the first iOS use of the NFC protocol, but Apple prevented all other use of the NFC hardware. With the iPhone X in 2018, Apple began introducing expanded NFC capabilities through use of an external library, albeit one that only worked on newer devices. Finally, in late 2019, iOS 13 extended full NFC capabilities to all devices newer than the iPhone 7.
Apple delayed implementing NFC until the applications that needed the technology were ready for adoption. They focused initial development efforts toward Bluetooth Low-Energy (BLE), feeling this better filled consumer needs for mobile devices. They only implemented NFC when it was needed for making Apple Pay work, where the extremely short range of NFC enabled a more natural and secure solution. Even then, Apple remained focused on more robust technologies like Bluetooth by keeping the general NFC capabilities restricted in use.
The UK Home Office in 2018, with support from the Dutch government and others, ran a pressure campaign to convince Apple to add this capability to iOS. Scanning the NFC chips in passports allows app providers, like the UK Home Office, to better validate an individual’s identity using multiple security factors; in the passport scenario, combining something you have (your official passport) with something you are (a selfie).
Why is NFC So Valuable?
The NFC protocol is an evolution of the more-familiar RFID protocol. Unlike RFID, NFC operates over a very short range (no more than 10 cm). Also unlike RFID, which tends to make use of proprietary protocols, NFC chips store and provide data in a standardized way that is reader-agnostic.
Modern electronic passports follow the ICAO9303 standard established by the International Civil Aviation Organization (ICAO), acting as ISO/IEC 14443 NFC-enabled smart cards. Whereas most NFC chips possess at most a few kilobytes of on-board memory, the biometric passport standard requires at least 32 kilobytes of EEPROM storage. The standard specifies three biometric identifiers — fingerprint, facial, and iris recognition — and provides for images of these identifiers stored on the NFC chip. The passport NFC chip also contains a rudimentary operating system that provides, among other things, support for cryptographic capabilities.
The problem, of course, is that prior to general iOS support for reading NFC chips, major segments of the smartphone-using public would be alienated by any app provider wanting (or needing) this enhanced security. As of March 2020, over 27% of smartphone users in Europe have iOS devices. The share in the UK is over 50%. In the United States, the iOS market share rises above 60%. With iOS 13, we can finally build multi-platform apps that use the NFC chips in passports and other identity documents to gain greater confidence in identity matches and improved security in making those matches.
NFC Access Modes
When using NFC, there are three general modes of access: Card Emulation, Reader/Writer, and Peer-to-Peer. Prior to iOS 13, only the reader mode was supported, and even then it was largely restricted to Apple Pay. In iOS 13, all NFC modes are now accessible to app developers. Here’s a brief rundown of what these capabilities entail.
Card Emulation — This mode allows the phone to act as an NFC smartcard. Using this mode, a hotel can use your smartphone as your key for your hotel room. This is the mode that enables Apple Pay to function.
Reader/Writer — In this mode, a device can access and/or manipulate the storage on an NFC tag. NFC tags can be found in product or inventory management labels, smart posters, and even in some toys, like the popular Amiibos used with Nintendo consoles. This mode enables access to data on passports and other secure electronic documents.
Peer-to-Peer — Using this capability, two NFC-enabled devices can pair with each other to share information. Most commonly this mode is used to bootstrap another communications protocol, like Bluetooth, to facilitate faster transfer of data. This allows devices to share video and image data, for example.
Regardless of the mode of access, security is a primary concern of providers. Card emulation, for example, must provide the same cryptographic support as the tags used by credit card issuers if those issuers are going to trust the platform for payments. Likewise, the ICAO9303 standard governing electronic passports describes how data is encrypted and accessed on these documents.
Reading NFC Data
As a wireless communications protocol, NFC requires a standards-compliant device to communicate with. An NFC device like a phone interacts with either a powered target (an NFC card reader, for example) or an unpowered target (like the tag in a passport). In either case, the coiled antennas on both the NFC device and the target form an air-core transformer through which data (and power for passive tags) are transferred.
A powered target is another device such as a point-of-sale terminal or other card reader. These devices generate their own electromagnetic field that can provide power to a passive smartcard or tag. A phone uses the Host Card Emulation standard to mimic one of these passive devices.
An unpowered target, generally referred to as an NFC tag, commonly takes the form of a small sticker. These stickers can be affixed to posters, books, inventory, or anything else you might think of. Bulk rolls with modest storage needs can be very economical. At the time of writing, Amazon lists a roll of 2,500 NFC stickers with 144 bytes of accessible storage each for $625, which comes out to $0.25 per sticker. While 144 bytes seems minuscule, it’s far more than enough to store several URLs, especially if they’re run through a URL shortener. There’s also plenty of room for a compressed JSON structure containing complex identifying information in the inventory management use case.
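As an added illustration (not code from the original post), the Python sketch below encodes URLs as NDEF URI records, wraps them in the TLV container used on sticker-style tags, and checks the result against the 144-byte figure above. The sample URLs, the helper names, and the assumption that all 144 bytes are available to the NDEF TLV are constructed for this example; real tags may reserve a few bytes for other TLVs.

```python
URI_PREFIXES = {  # abbreviation codes from the NFC Forum URI record type
    "https://www.": 0x02, "http://www.": 0x01,
    "https://": 0x04, "http://": 0x03,
}
TAG_CAPACITY = 144  # article's figure; assumed fully available to the NDEF TLV


def uri_record(uri: str, first: bool, last: bool) -> bytes:
    """Encode one short NDEF record of well-known type 'U'."""
    code, rest = 0x00, uri  # 0x00 means "no abbreviation"
    for prefix, value in URI_PREFIXES.items():  # longer prefixes listed first
        if uri.startswith(prefix):
            code, rest = value, uri[len(prefix):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("payload too long for a short record")
    # Header bits: MB=0x80, ME=0x40, SR=0x10, TNF=0x01 (well-known type)
    header = 0x10 | 0x01 | (0x80 if first else 0) | (0x40 if last else 0)
    return bytes([header, 1, len(payload)]) + b"U" + payload


def ndef_message(uris: list[str]) -> bytes:
    """Concatenate URI records, flagging the first (MB) and last (ME)."""
    end = len(uris) - 1
    return b"".join(uri_record(u, i == 0, i == end) for i, u in enumerate(uris))


def tlv_wrap(message: bytes) -> bytes:
    """Wrap the message in an NDEF TLV (tag 0x03) plus terminator TLV (0xFE)."""
    if len(message) < 0xFF:
        length = bytes([len(message)])
    else:  # three-byte length form for messages of 255 bytes or more
        length = b"\xff" + len(message).to_bytes(2, "big")
    return b"\x03" + length + message + b"\xfe"


def fits(uris: list[str], capacity: int = TAG_CAPACITY) -> tuple[int, bool]:
    """Return (bytes needed on the tag, whether they fit in `capacity`)."""
    needed = len(tlv_wrap(ndef_message(uris)))
    return needed, needed <= capacity


# Constructed sample URLs; example.com is a placeholder domain.
SAMPLE = ["https://www.example.com/p/1", "https://example.com/inv?id=42",
          "http://example.com/help"]
if __name__ == "__main__":
    print(fits(SAMPLE))
```

The prefix abbreviation is what keeps each record small: the scheme and `www.` collapse into a single byte, so three full URLs here occupy less than half of the tag.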
On iOS devices, reading NFC tags requires use of the Core NFC library in the Apple SDK. Apple provides a quick tutorial with code examples, which goes through the basics of setting up an NFC tag-reader app.
Note: Although the tutorial intro specifies that iOS 13 supports NFC tag types 1 through 5, those are currently the only tag types the NFC Forum defines. In other words, iOS 13 supports all current NFC tag types.
With the full range of NFC capabilities that are available on both Android and iOS 13, app developers can now address a wide array of use cases. However, utilizing this functionality, especially for something as sensitive as identity verification, requires a distinct blend of knowledge. Before you dive in, you will need:
- Knowledge of tag specifications so you don’t waste money on purchasing tags with more storage than is needed
- Understanding of the hardware specifications and limitations of using NFC so you can design your apps to provide a user experience that is both intuitive and functional
- Familiarity with the various security protocols at play, such as BAC and PACE for reading passports
- Knowledge of the standard governing the access mode you want to use in order to understand how data in the target (tag, reader, etc.) is structured and/or delivered
- Understanding of the libraries enabling different access modes, especially core OS libraries and any third-party SDKs (like Jumio’s) that interact with them on the developer’s behalf
The articles in this series will not exhaustively cover these topics. Our primary goal is to share what we learned in deploying NFC capabilities for large-scale usage through our mobile SDKs. We do aim to provide enough of a technical foundation, however, to make tackling the other topics (such as NFC tag specifications) much easier. We’ve learned a lot of exciting new things as we’ve implemented NFC reading in the Jumio SDK!
This is a series of blog posts highlighting our experiences with reading passports from your phone via NFC:
- Part 1: Introduction to Enabling NFC in your App
- Part 2: Access Controls for Electronic Machine-Readable Travel Documents
- Part 3: Supplemental Access Control and Active Authentication
- Part 4: Bringing NFC to the Phone (coming soon)