New e-passports feature an embedded Radio Frequency Identification (RFID) chip and antenna (Photo: Canva)
Following a pilot programme that began on April 1, 2024, the Indian government officially launched e-passports earlier this month as part of the Passport Seva Programme Version 2.0 (PSP-V2.0).
This move is aimed at strengthening passport security and streamlining immigration procedures. At present, e-passports are being issued in selected cities such as Nagpur, Bhubaneswar, Chennai, Jaipur, Hyderabad, Amritsar, Goa, Raipur, Surat, Ranchi, Jammu and Shimla.
Following positive outcomes in these locations, the government has now extended the scheme across the country.
The e-passports feature an embedded Radio Frequency Identification (RFID) chip and antenna, storing the holder’s personal and biometric information. This technology aims to reduce identity fraud and facilitate faster immigration processing through automated e-gates in countries that recognise ICAO-compliant documents. As the data is digitally signed and can be verified by immigration systems across the world within seconds.
This will not only speed up processing times at borders but also help prevent the use of forged documents. The chips meet international standards set by the International Civil Aviation Organisation (ICAO), allowing for secure, seamless travel across countries.
The PSP-V2.0, launched in 2022, is a continuation and enhancement of the previous Passport Seva Programme.
The nationwide rollout of e-passports is expected to improve travel convenience, reduce wait times at immigration checkpoints and bolster national security by aligning with global standards.
With this move, India joins more than 100 countries, including the United States, United Kingdom, Germany and Australia that have already adopted e-passports.
By enabling airport systems to read travellers’ data electronically, the need for manual checks is reduced and the chances of fraud are minimised.
Data security risks
As with any digital initiative, the use of technology to store sensitive personal data has raised concerns over data security. One of the main worries is the possibility of unauthorised access to the data stored in the chip.
“India’s e-passports come with embedded RFID (Radio Frequency Identification) chips that store biometric data like fingerprints, iris scans and personal identification details. To protect this sensitive information, several cybersecurity measures are in place. Basic Access Control (BAC) ensures that only authorised systems can access the data stored on the chip. This prevents casual skimming or reading from unauthorised scanners. Extended Access Control (EAC) offers an additional layer of security by requiring mutual authentication between the passport and the reader before releasing biometric data,” Saurav Pratap Singh, a cyber-security expert, NTT Data, tells India Outbound.
“Public Key Infrastructure (PKI) ensures that each passport chip is digitally signed using cryptographic keys that verify the integrity and authenticity of the data. If anyone tries to tamper with the data, it becomes invalid. Additionally, all sensitive data is encrypted both in transit and at rest, ensuring that even if intercepted, the data cannot be understood without proper authorisation. These combined protocols align with international best practices and are designed to prevent unauthorised access and data manipulation,” he adds.
But despite these high-end security features built into e-passports, vulnerabilities still exist. Since the information can be read remotely using RFID (Radio Frequency Identification) technology, there remains a risk that someone with the right equipment could potentially skim the data without the passport holder’s knowledge.
Although the data is encrypted, they warn that no system is entirely fool proof and if protective measures are inadequate, highly sensitive personal details could still be at risk.
“While e-passports are equipped with advanced security features, they are not entirely immune to vulnerabilities. The risk is relatively low, but potential attack methods include eavesdropping, where hackers may attempt to intercept data as it is wirelessly transmitted between the chip and the reader. However, encryption standards significantly mitigate this risk. Skimming involves unauthorised RFID readers trying to access data from a passport without the holder’s knowledge, but BAC and shielding mechanisms within the passport design help counteract this,” says Singh.
“Cloning is another rare threat, where an attacker might attempt to replicate the RFID chip; however, PKI ensures that cloned data cannot pass digital signature verification. Side-channel attacks, which are highly sophisticated and difficult to execute, may try to analyse power consumption or electromagnetic leaks during data processing to infer information. Overall, the multi-layered security framework of e-passports makes successful exploitation extremely challenging,” he adds.
In countries where digital privacy laws are still developing, like India, the absence of a strong data protection framework leaves citizens vulnerable to misuse of their personal information.
Despite these concerns, the Indian government maintains that the e-passport is a step towards more secure and convenient international travel. Officials claim that all necessary precautions are being taken to ensure the safety and privacy of the data stored in the passport chips. Yet, as the system is still in its early phases of deployment, the effectiveness of these safeguards will only become clear with time.
“As India embraces the future of travel documentation with e-passports, cybersecurity stands at the core of this transformation. By incorporating globally recognised standards, advanced encryption and biometric safeguards, the e-passport system is designed to offer both convenience and robust protection. While no digital system is completely immune to threats, the layered security architecture, legal safeguards and transparency measures significantly reduce risks,” adds Singh.
"
