Security model

Trust you can verify, not just claim.

OneTap’s value is cryptographic proof. This page explains exactly what it checks, what that proof does and does not cover today, and where we are taking it.

The verification chain

What happens on every scan.

01
NFC · PACE / BAC

Secure chip access

Opens an encrypted channel with the document chip using the ICAO 9303 PACE (or legacy BAC) protocol — the same access control used at automated border gates.

02
SHA · DG hash

Tamper detection

Recomputes the hash of the data read from the chip and matches it to the signed hash inside the Document Security Object (SOD). Any altered field fails instantly.

03
CMS · DSC

Authenticity signature

Verifies the SOD was cryptographically signed by a genuine Document Signer Certificate — proving the data was issued by a real authority, not fabricated.

04
X.509 · CSCA

Country trust anchor

Chains the Document Signer up to the issuing country’s root certificate (CSCA). France is fully anchored today; EU trust coverage is expanding.

05
ECDSA · 2D-Doc

Barcode signature

For document barcodes (French 2D-Doc, US AAMVA), verifies the issuer’s ECDSA digital signature to confirm the printed data is authentic and unmodified.

The trust model

From a single chip to a country’s root of trust.

Authenticity is only as strong as its anchor. OneTap follows the ICAO PKI chain:

Document

SOD signature

The chip carries a Document Security Object listing signed hashes of every data group. OneTap confirms nothing was altered.

Issuer

Document Signer (DSC)

The SOD is signed by a country’s Document Signer Certificate. OneTap verifies that signature cryptographically.

Country

Country root (CSCA)

The DSC must chain to the country’s CSCA root certificate — the anchor that proves the issuer is legitimate.

Current coverage — stated plainly

What today’s verification proves.

We believe an identity product should be precise about its guarantees. Here is exactly where OneTap stands today.

  • Genuine & untampered: full passive authentication (hash + signer + chain) on ICAO 9303 chips.
  • Country-anchored for France today; other EU countries are integrity-verified while their CSCA roots are added.
  • Signed barcodes verified for French 2D-Doc and US AAMVA.
  • Not yet: holder-to-document face matching and anti-clone chip authentication — both on the near-term roadmap below.

Where it’s heading

The path to authority-grade verification.

Delivered in order, each step raises the assurance level.

Next

Face match (person ↔ document)

Read the chip’s facial image and match it to a live capture — proving the person present is the document holder, not just that the document is genuine.

Planned

Anti-clone chip authentication

Active / Chip Authentication so a copied chip cannot pass — a challenge-response that proves the chip is the original silicon.

Planned

Full EU + global trust coverage

The complete ICAO country-certificate master list plus revocation checking, extending fully-anchored verification to every issuing country.

Privacy & data

Personal data stays on the device.

Document reading and verification run locally on the phone. Trust-anchor certificates are cached on-device, so a check needs no network and no personal document data has to be transmitted or stored by us. Deployments handling identity data remain responsible for their own GDPR/CCPA obligations.

  • On-device verification — offline-capable
  • Trust anchors delivered over pinned, encrypted channels
  • No personal document data retained by OneTap

Want the technical deep-dive?

We’re happy to walk security and compliance teams through the full verification chain and roadmap.

Contact us