What is an MRZ in Passports?
What is the MRZ in passports for?
The MRZ (Machine Readable Zone) in passports is designed to streamline the process of identity document verification. It allows machines to quickly read and extract key personal information, such as the passport holder’s name, nationality, date of birth, passport number, and the document’s expiration date. By providing this data in a standardized format, the MRZ ensures that passports can be read efficiently by machines across different countries, minimizing the need for manual data entry and reducing the risk of human error.
The MRZ is especially useful in airport security, immigration checkpoints, and during travel, as it facilitates fast and accurate scanning of passenger information. It helps authorities validate identities quickly and cross-check the information against international databases to detect potential fraud or security threats.
MRZ in passports uses a special font: OCR-B
The special font used in the MRZ is OCR-B, designed specifically to be easily read by both humans and machines. OCR-B’s standardized structure ensures that even in cases of minor degradation or imperfections in the printed text, machines can still accurately interpret the data. This font is widely used across various machine-readable documents because it minimizes the risk of misreading characters, thus increasing the reliability of automated systems.
MRZ in passports enhances security
The MRZ enhances security by allowing fast cross-referencing of an individual’s information with various databases, such as immigration records or watchlists, making it a vital tool in combating fraud and maintaining security. Additionally, since it is machine-readable, it helps reduce the time taken for manual data entry during document processing.
Despite its efficiency, the MRZ is not immune to tampering, which is why many documents with MRZs also include other security features like biometric data, DOVIDs such as KINEGRAMs or holograms, and embedded chips.
Where can the MRZ in passports be found?
Typically located at the bottom of a passport’s data page, the MRZ contains two or three lines of alphanumeric characters. These lines follow international standards defined by the International Civil Aviation Organization (ICAO) in Document 9303, which ensures uniformity in how the information is encoded and read across the globe. The data included in the MRZ typically consists of the document holder’s name, document number, nationality, date of birth, sex, and expiration date, all in a compressed and predefined format.
The ICAO’s specifications ensure that all member countries issue passports with the MRZ in a consistent location and format. This uniformity facilitates quick and accurate extraction of essential information such as the holder’s name, nationality, date of birth, passport number, and the document’s expiration date.
In some biometric documents or eMRTDs (electronic Machine Readable Travel Documents), the MRZ may be integrated into a polycarbonate data page or placed alongside additional security features like embedded chips.
Security Features of MRZ in Passports and Identity Cards
The MRZ in passports and identity cards includes several basic security features designed to ensure the accuracy of the information and prevent tampering.
Checksums
One of the key features is the use of check digits or checksums, which are calculated based on the other characters in the MRZ. These checksums help verify the integrity of the data by detecting errors that may have occurred during scanning or data entry. If a checksum does not match the expected value, it alerts the system to potential corruption or tampering of the information.
OCR-B Font
Another significant feature is the use of the OCR-B font, a machine-readable font specifically designed to be easily recognized by optical character recognition (OCR) systems. This font ensures that both humans and machines can accurately read the data, even in less-than-ideal conditions like minor printing imperfections.
Why the MRZ in Passports Is Not Enough
However, despite their utility, these features have clear limitations in terms of security.
Security Features of MRZ in Passports are not Enough
Checksums, while useful for verifying the integrity of the MRZ data, are relatively simple to calculate and do not provide encryption or protection against deliberate tampering. A forger with knowledge of the formula can alter the MRZ and adjust the checksum to match, making this feature insufficient to prevent sophisticated fraud.
Similarly, the OCR-B font, while effective for machine readability, does not include any intrinsic security measures. Because OCR-B is publicly available and easy to reproduce, counterfeiters can create fake MRZs that may pass basic visual or mechanical checks. When the MRZ doesn’t use the OCR-B font, there is typically no immediate alarm or warning, as most systems are designed to scan and process the data without verifying the specific font used.
According to the ICAO, digits in the MRZ in passports are checked as follows
A check digit consists of a single digit computed from the other digits in a series. Check digits in the MRZ are calculated on specified numerical data elements in the MRZ. The check digits permit readers to verify that data in the MRZ is correctly interpreted.
A special check digit calculation has been adopted for use in MRTDs. The check digits shall be calculated on modulus 10 with a continuously repetitive weighting of 731 731 …, as follows.
Step 1: Going from left to right, multiply each digit of the pertinent numerical data element by the weighting figure appearing in the corresponding sequential position.
Step 2: Add the products of each multiplication.
Step 3: Divide the sum by 10 (the modulus).
Step 4: The remainder shall be the check digit.
For data elements in which the number does not occupy all available character positions, the symbol < shall be used to complete vacant positions and shall be given the value of zero for the purpose of calculating the check digit. When the check digit calculation is applied to data elements containing alphabetic characters, the characters A to Z shall have the values 10 to 35 consecutively, as follows:
Data elements included in the check digit calculation and check digit location for each document type are contained in the form factor specific Parts 4 to 7 of Doc 9303.
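The four steps above, applied to the second line of a passport (TD3) MRZ, as an added Python example that is not code from ICAO or from the SDK vendor. The function names are hypothetical, the field positions are the TD3 layout from Doc 9303 Part 4, and the sample line is the fictional "Utopia" specimen rather than data from this page; it also shows the limit noted earlier, that a matching check digit only means the characters are consistent with each other.

```python
# Added example: ICAO Doc 9303 check digits for line 2 of a TD3 (passport) MRZ.
WEIGHTS = (7, 3, 1)

def char_value(ch):
    """Map an MRZ character to its numeric value: 0-9, A-Z -> 10-35, '<' -> 0."""
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"character {ch!r} is not valid in an MRZ")

def check_digit(field):
    """Steps 1-4: weight each value with 7,3,1 repeating, sum, take mod 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

# (field name, 0-based slices covered, index of the check digit) for TD3 line 2.
TD3_LINE2 = (
    ("document_number", [(0, 9)], 9),
    ("date_of_birth", [(13, 19)], 19),
    ("date_of_expiry", [(21, 27)], 27),
    ("personal_number", [(28, 42)], 42),
    ("composite", [(0, 10), (13, 20), (21, 43)], 43),
)

def validate_td3_line2(line):
    """Return {field: True/False} for every check digit on the line."""
    if len(line) != 44:
        raise ValueError("a TD3 MRZ line has exactly 44 characters")
    result = {}
    for name, spans, pos in TD3_LINE2:
        data = "".join(line[a:b] for a, b in spans)
        ok = line[pos] == str(check_digit(data))
        # An unused (all-filler) personal number may carry '<' as check digit.
        if name == "personal_number" and line[pos] == "<" and set(data) == {"<"}:
            ok = True
        result[name] = ok
    return result

# Sample data (not from this page): the fictional "Utopia" specimen line.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed OCR misread: digit 0 read as letter O in the document number.
MISREAD = SPECIMEN[:5] + "O" + SPECIMEN[6:]
# Constructed misread B -> L: values 11 and 21 differ by 10, so every check
# digit still matches. A passing check is not proof the data is right.
COLLIDING = SPECIMEN.replace("226B", "226L")

if __name__ == "__main__":
    for label, line in (("specimen", SPECIMEN), ("misread", MISREAD),
                        ("colliding", COLLIDING)):
        print(label, validate_td3_line2(line))
```

A reader should treat the result as an integrity check on the scan only; whether the document is genuine is decided by the chip's signed data and the physical security features.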
Valid MRZ in Passports can Easily be Created
There are numerous MRZ (Machine Readable Zone) generators available online that allow users to create a valid MRZ based on freely inputted information. These tools can generate MRZ codes that appear legitimate, but they lack the security features, such as encrypted data or chip integration, found in passports and identity documents. While these generators can mimic the format and checksums, they pose security risks if misused for fraudulent purposes, as they cannot replicate the advanced security layers present in official documents. Here are some examples:
Need for More Advanced Security Features
To counter these vulnerabilities, modern passports and ID cards incorporate additional security features, such as biometric data, DOVIDs, and embedded chips. These features provide more robust protection against counterfeiting and unauthorized modifications, going beyond the limitations of the MRZ itself. While the MRZ enables fast data processing, these advanced features enhance the overall security and integrity of the document.
More Secure Ways to Verify Identity Documents With an MRZ and Chip
Now, as we have seen, the MRZ in passports offers only basic security, relying on checksums and the OCR-B font, both of which are relatively easy to bypass with knowledge of the system. The MRZ was designed primarily for quick and efficient machine reading, but it lacks robust encryption or anti-counterfeiting measures. Because of this, relying on the MRZ alone for verifying the authenticity of identity documents leaves a potential gap in security, especially when facing sophisticated fraud attempts.
This is where the combination of the MRZ with more advanced security features becomes essential
Modern passports and identity cards are not just printed documents; they now incorporate advanced security measures like biometric data, DOVIDs, and embedded chips. These chips store encrypted personal information, including biometric data such as fingerprints or facial recognition templates. To access the data on these chips, a secure process is required, which integrates the MRZ with the chip’s capabilities.
The MOBILE CHIP SDK significantly increases security when verifying identity documents
When a passport is scanned, the MOBILE SCAN SDK first scans, reads and verifies the MRZ to obtain essential information, such as the document number and expiration date. This information is then used by the MOBILE CHIP SDK to perform a Basic Access Control (BAC) operation, logging into the chip and allowing access to the encrypted data stored within.
Once logged into the chip, the MOBILE CHIP SDK can retrieve a variety of highly secure data, including biometric identifiers and cryptographic keys that are far more difficult to counterfeit than the plain text in the MRZ. This data is digitally signed and encrypted, providing a much higher level of assurance that the document is genuine and the person holding it is who they claim to be. By reading directly from the chip, the SDK bypasses the vulnerabilities of the MRZ alone, ensuring that even if the MRZ has been tampered with, the chip data cannot be easily falsified.
MOBILE CHIP SDK Offers Advanced Security Features
The combination of the MRZ and the chip provides a much higher level of security: first, the MRZ provides easily readable data that can be quickly checked for errors or fraud indicators, and second, the chip provides a deeper level of verification by offering access to encrypted, tamper-proof data. This integration significantly strengthens the security of identity document verification processes at border control, airports, and other secure environments.
In summary, while the MRZ offers convenience and speed, its security limitations require the use of advanced technologies like the MOBILE CHIP SDK, which bridges the gap by using the MRZ as an entry point to access secure chip-based data. This layered approach enhances the security of verifying identity documents, helping to prevent fraud, counterfeiting, and unauthorized access to sensitive personal information.
Security and Compliance When Verifying Identity Documents With an MRZ and Chip
FINMA Recommends Chip Reading for Enhanced Online Identification
The Swiss Financial Market Supervisory Authority (FINMA) has updated its regulations to incorporate technological advancements in online identification processes. One key update is the inclusion of chip reading from biometric identity documents as a security measure for digital customer onboarding. This change removes the previous requirement for a bank transfer during the identification process, provided that the necessary data is successfully retrieved from the chip.
FINMA underscores the importance of using a combination of advanced technologies to ensure both the security of the digital identity verification process and the protection of the data being transmitted. This approach aims to increase trust in online identification methods.
The FINMA Newsletter 2016/7 provides several key recommendations for video and online identification procedures, especially concerning the prevention of money laundering and ensuring secure financial transactions through digital channels. The main recommendations include:
Use of MRZ
The document recommends the use of the MRZ on identity documents for automated data extraction and validation.
Technical and Organizational Measures
Financial intermediaries are required to implement appropriate technical measures to ensure secure transmission of data and prevent unauthorized access. This includes verifying document authenticity through machine reading and decryption of MRZ information.
Identity Document Verification
Identity documents must be verified not only through the MRZ but also through other advanced security markers on the physical document like the embedded chip.
These recommendations help financial institutions balance security and efficiency when conducting customer onboarding through digital channels, ensuring compliance with Swiss anti-money laundering laws and protecting against fraud.
Legal Compliance and Acceptance With the MOBILE CHIP SDK
The MOBILE CHIP SDK is designed to comply with stringent regulatory standards, making it a reliable solution for organizations handling sensitive user data. It fully adheres to ICAO 9303 standards for biometric and machine-readable travel documents, ensuring accurate reading and verification of data stored on electronic chips in passports and identity cards.
In addition, the MOBILE CHIP SDK supports auditable Know Your Customer (KYC) processes, securely capturing and encrypting all data during identity document verification. This helps businesses easily demonstrate compliance with legal requirements, reducing the risk of fines or penalties for non-compliance.
Regulatory bodies, such as the Austrian Financial Market Authority (FMA), are increasingly recognizing NFC and biometric verification as crucial tools for identity verification. On November 2, 2021, the FMA introduced an updated Online Identification Regulation, requiring the use of these technologies for KYC processes.
By following the lead of regulatory authorities like FINMA in Switzerland and the HM Land Registry in the UK, Austria is advocating for more secure, efficient, and cost-effective identity verification solutions. The use of NFC and biometric technologies streamlines KYC procedures, replacing slower, less reliable methods like video verification.
MRZ in Passports – Conclusion and Outlook
While the Machine Readable Zone (MRZ) in passports is a crucial component for quickly extracting personal information during identity document verification, it is not a security feature. Its primary function is to facilitate the efficient reading of data by machines, but it lacks the advanced protections required to prevent fraud or tampering. Modern eMRTDs (electronic machine readable travel documents) always combine the MRZ with an embedded chip, which is a far more secure source of information.
The chip in eMRTDs can be digitally authenticated, providing a highly secure way to access personalized details, such as the passport holder’s name, date of birth, and biometrics. Unlike the MRZ, the data from the chip is digitally signed and encrypted, ensuring it comes from an authenticated and tamper-proof source. The biometric data, such as the secure image on the chip, adds an additional layer of identity document verification that the MRZ alone cannot provide.