Security model
Trust you can verify, not just claim.
OneTap’s value is cryptographic proof. This page explains exactly what it checks, what that proof does and does not cover today, and where we are taking it.
The verification chain
What happens on every scan.
Secure chip access
Opens an encrypted channel with the document chip using the ICAO 9303 PACE (or legacy BAC) protocol — the same access control used at automated border gates.
Tamper detection
Recomputes the hash of the data read from the chip and matches it to the signed hash inside the Document Security Object (SOD). Any altered field fails instantly.
Authenticity signature
Verifies the SOD was cryptographically signed by a genuine Document Signer Certificate — proving the data was issued by a real authority, not fabricated.
Country trust anchor
Chains the Document Signer up to the issuing country’s root certificate (CSCA). France is fully anchored today; EU trust coverage is expanding.
Barcode signature
For document barcodes (French 2D-Doc, US AAMVA), verifies the issuer’s ECDSA digital signature to confirm the printed data is authentic and unmodified.
The trust model
From a single chip to a country’s root of trust.
Authenticity is only as strong as its anchor. OneTap follows the ICAO PKI chain:
SOD signature
The chip carries a Document Security Object listing signed hashes of every data group. OneTap confirms nothing was altered.
Document Signer (DSC)
The SOD is signed by a country’s Document Signer Certificate. OneTap verifies that signature cryptographically.
Country root (CSCA)
The DSC must chain to the country’s CSCA root certificate — the anchor that proves the issuer is legitimate.
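The tamper-detection step and the SOD hash list described above, as an added example (not OneTap's code). It assumes the SOD's signature has already been verified and its per-data-group digests extracted; the sample data groups, function names and the allowed-algorithm policy are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for data groups read from a chip (not real document data).
CHIP_DGS = {
    1: b"P<UTOEXAMPLE<<HOLDER<<<<<<<<<<<<<<<<<<<<<<<<<",  # DG1: MRZ
    2: b"\xff\xd8constructed-face-image-bytes",           # DG2: face image
}

# Assumption: this example's policy only accepts SHA-2 digests.
ALLOWED_ALGS = {"sha256", "sha384", "sha512"}


def build_sod_hashes(dgs, alg="sha256"):
    """Simulate the issuer side: one digest per data group, as listed in the SOD."""
    return {n: hashlib.new(alg, data).digest() for n, data in dgs.items()}


def check_data_groups(chip_dgs, sod_hashes, alg="sha256"):
    """Return {dg_number: status} for every group read from the chip or listed in the SOD.

    ok       - recomputed digest equals the signed digest
    altered  - digest differs, so the data was changed after signing
    unlisted - read from the chip but absent from the SOD (not covered by the signature)
    missing  - listed in the SOD but not read (unverified, must not be relied on)
    """
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"digest algorithm not accepted: {alg}")
    result = {}
    for n in sorted(set(chip_dgs) | set(sod_hashes)):
        if n not in sod_hashes:
            result[n] = "unlisted"
        elif n not in chip_dgs:
            result[n] = "missing"
        else:
            digest = hashlib.new(alg, chip_dgs[n]).digest()
            same = hmac.compare_digest(digest, sod_hashes[n])
            result[n] = "ok" if same else "altered"
    return result


def integrity_passes(result):
    """Fail closed: every group actually read must be 'ok', and at least one must be read."""
    read = [status for status in result.values() if status != "missing"]
    return bool(read) and all(status == "ok" for status in read)
```

A pass here only shows the data matches the digest list; the signer and country-chain checks are what tie that list to an issuing authority.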
Current coverage — stated plainly
What today’s verification proves.
We believe an identity product should be precise about its guarantees. Here is exactly where OneTap stands today.
- Genuine & untampered: full passive authentication (hash + signer + chain) on ICAO 9303 chips.
- Country-anchored for France today; documents from other EU countries are integrity-verified while their CSCA roots are being added.
- Signed barcodes verified for French 2D-Doc and US AAMVA.
- Not yet: holder-to-document face matching and anti-clone chip authentication — both on the near-term roadmap below.
Where it’s heading
The path to authority-grade verification.
Delivered in order, each step raises the assurance level.
Face match (person ↔ document)
Read the chip’s facial image and match it to a live capture — proving the person present is the document holder, not just that the document is genuine.
Anti-clone chip authentication
Active / Chip Authentication so a copied chip cannot pass — a challenge-response that proves the chip is the original silicon.
Full EU + global trust coverage
The complete ICAO country-certificate master list plus revocation checking, extending fully-anchored verification to every issuing country.
Privacy & data
Personal data stays on the device.
Document reading and verification run locally on the phone. Trust-anchor certificates are cached on-device, so a check needs no network and no personal document data has to be transmitted or stored by us. Deployments handling identity data remain responsible for their own GDPR/CCPA obligations.
- On-device verification — offline-capable
- Trust anchors delivered over pinned, encrypted channels
- No personal document data retained by OneTap
Want the technical deep-dive?
We’re happy to walk security and compliance teams through the full verification chain and roadmap.