This invention relates to document security features, in particular machine readable features for use on documents such as passports, and methods of authenticating documents.

Secure documents such as passports, identification documents, certificates and licences are frequently the target of counterfeiters and persons wishing to make fraudulent changes to the data contained therein. Typically such documents are provided with a number of security elements for checking the authenticity of the document. These may include RFID chips, holographic films, optically variable elements (such as colour-changing inks), security inks (such as IR and UV visible inks) and other printed data. Some such security elements may themselves contain personalisation information identifying the owner of the document (e.g. data giving the owner's name, a photograph or biometric data), whereas other security elements may be provided to prevent other data being manipulated (for example a holographic film overlaying printed data).

Persons wishing to produce counterfeits of such documents, or to fraudulently alter data in existing documents, typically attempt to do so by substituting security elements with similar ones obtained from other security documents or, depending on the technologies involved, manufactured themselves or obtained illegally. As the sophistication of such techniques improves, it has become more difficult to detect forgeries since in many cases the substituted security element provides the same or similar response to that which an inspector of the document expects.

The present invention provides a document comprising a machine readable security feature thereon, the document having two or more security elements each associated with a corresponding identifier detectable from the respective security element, and the machine readable security feature containing document data representative of at least two of the identifiers corresponding to the security elements, to thereby identify at least two of the security elements of the document.

By associating each security element with a (preferably unique) identifier, such as a number or other code, and recording the identifiers in the machine readable security feature, substitution of any of the security elements can be readily detected, since the identifier (if any) of the substituted security element will no longer match the document data embodied in the machine readable security feature. The identifiers can take any convenient form, such as alphanumeric, symbolic or even binary, provided they serve the purpose of distinguishing one security element from many others of a similar type. For example, a serial number or barcode could be used. The identifiers may or may not be recognisable to an observer, but preferably, at least some of the identifiers are not recognisable, in order to increase the difficulty of producing a copy.

The present invention further provides a method of determining the authenticity of a document, the document comprising a machine readable security feature thereon and having two or more security elements each associated with a corresponding identifier detectable from the respective security element, and the machine readable security feature containing document data representative of at least two of the identifiers corresponding to the security elements, thereby identifying at least two of the security elements of the document, the method comprising: reading the machine readable security feature to retrieve at least one identifier contained therein; detecting an identifier associated with at least one of the security elements; and comparing the identifier retrieved from the machine readable security feature with the identifier detected from the at least one security element to determine whether the security element identified by the machine readable security feature is present on the document, to thereby determine whether the document is authentic. In this way, the authenticity of a document can be judged based on the identify of the security elements comprised in the document, which provides a level of security over and above that achieved by simply testing the responses of the security elements. The technique also lends itself particularly well to automation, since at least some of the identifiers as well as the security feature may be machine readable. This reduces the possibility of user error.

The document data representing the identifiers may be embodied in the machine readable security feature in a number of ways. In one embodiment, the document data comprises each of the at least two identifiers. That is, the machine readable security feature could comprise a machine readable list of the identifiers. In other embodiments, the document data comprises a code in which each of the at least two identifiers are incorporated. For example, the various identifiers could be represented by different portions of a barcode or other graphic. These embodiments could also be used in combination, certain of the identifiers being represented individually, and others incorporated into a code.

In certain embodiments, each of the security elements may be independently allocated its own identifier which may or may not match any of the other identifiers. In this case, the document data embodied in the machine readable security feature includes all of the identifiers corresponding to the at least some security elements to be identified. In other preferred embodiments, each of the security elements is associated with the same identifier, common to all of the security elements. That is, each of the security elements is provided with the same detectable serial code or other identifier. In this case, the machine readable security feature need only contain that same identifier, this identifier being compared against the identifiers detected from each of the security elements to be identified.

The machine readable security feature may be provided on the document in a number of ways. Preferably, the machine readable security feature is readable by optical recognition (within or outside the visible spectrum). For example, the machine readable security feature could be printed onto the document, or otherwise applied by means of a label, a transfer or the like. The feature could also comprise perforations or variations in the document thickness such as a watermark, which can be detected in transmitted light.

Advantageously, the document data is encrypted such that it is not directly intelligible to an observer. That is, even if the feature itself is visible to a user, it is not understandable without first decoding its meaning. Preferably, the machine readable security feature comprises a 2D barcode, scrambled indicia or a digital watermark. In particularly preferred embodiments, the machine readable security feature is not apparent in the visible spectrum, preferably being formed of a UV, IR or fluorescent ink. As well as hiding the feature from potential counterfeiters, this makes it more difficult to copy since such techniques are not readily available.

In other embodiments, the machine readable security feature comprises a RFID chip or a magnetic strip having the document data stored therein. Whilst such features may themselves be visible to an observer, the data therein is not readily accessible without the appropriate reading apparatus. It is also more difficult to manufacture counterfeit features of this sort.

Any number of security elements may be provided on the document, and all or a selection of them may have corresponding identifiers included in the machine readable security feature. The security elements may or may not contain personalisation information. Preferably, at least one of the two or more security elements comprises any of: a contactless, readable data store, preferably a RFID chip, containing readable data including a corresponding identifier; a printed machine readable code containing a corresponding identifier; a laser-marked machine readable code containing a corresponding identifier; a film applied to the document carrying a machine readable corresponding identifier; and an optically active element applied to the document carrying data incorporating a machine readable corresponding identifier.

The document itself may also form a security element by recording a characteristic of the document and utilising the measurement as an identifier.

For example, any dimension, thickness, weight or other measurable characteristic of the document, or a feature thereof, could be used. Preferably, at least one of the two or more security elements comprises at least a portion of the document surface, a surface characteristic of which has been measured and recorded to provide a corresponding identifier. Advantageously, the surface characteristic is obtained by laser surface analysis of the at least a portion of the document surface.

As noted above, it is generally preferable that the identifiers associated with each security element are detectable by machine so that authentication can be carried out automatically. However, such identifiers may still be detectable by a user, e.g. printed data. In some embodiments, it is preferable that the one or more security elements comprises readable indicia incorporating a corresponding identifier which can be compared by an observer against the document data contained in the machine readable security feature. This enables authentication to be carried out with only one machine reading step (or even manually, if the machine-readable security feature is additionally intelligible to an observer).

Any number of security elements and corresponding identifiers could be provided. The more security elements for which identifiers are incorporated into the machine readable security feature, the more difficult the document is to forge.

The invention can be applied to any document, but preferably, the document is a booklet document comprising more than one page, at least one of the two or more security elements being provided on a first page, and the machine readable security feature being provided on a second page of the booklet document. In this way, substitution of one or other of the pages will be readily detected.

Advantageously, the document is a document of value, preferably a passport, identification document, banknote, certificate, or licence.

In the method of authenticating, the data contained in the machine readable security feature may be extracted in any manner appropriate for the type of feature in question. Preferably, the machine readable security feature is read by an optical scan of at least a portion of the document.

Likewise, the identifiers may be detected using techniques appropriate to each security element type. Preferably, the identifier associated with at least one of the security elements is detected by at least one of: an optical scan of the security element; radio frequency interrogation; magnetic interrogation; visual observation by a user; and laser surface analysis.

Advantageously, the document data contained in the machine readable security feature is encrypted, and the method further comprises decrypting the document data to retrieve the at least one identifier.

Depending on the level of security required, not all of the identifiers stored in the machine readable security feature need be checked against the corresponding security elements. However, preferably, the identifiers associated with each of the security elements for which identifiers are retrieved from the document data are detected and compared with the retrieved identifiers.

Examples of documents and methods of authentication in accordance with the present invention will now be described with reference to the accompanying drawings, in which: Figure 1 schematically illustrates a first embodiment of a document; and Figure 2 shows a second embodiment of a document viewed in daylight and under UV, with the security elements illustrated at an enlarged scale for clarity.

The following description will focus on the example of a passport document.

However, as noted above, the invention can be applied to any document type.

The invention is most advantageously used in secure documents / documents of value. In the context of a passport, problems that the invention is able to help detect include:-

1. Substitution of the MRP (Machine Readable Passport) Data Page

2. Fraudulent Changes to the Data Page (MRZ Zone / Photo)

3. Substitution of the Film (e.g. a holographic overlay film)

4. Chip or Inlay Substitution 5. Substitution of the page with the passport number on

6. Substitution of a page with a laser perforated number

A passport document 10 is shown schematically in Figure 1. The document is of a booklet configuration, having a front cover 11a, a back cover 11b and internal pages including a data page 12a and an adjacent page 12b. On the data page 12a is typically provided personalisation information, such as printed information 13, including the document owner's name, nationality and date of birth, for example, and a photograph 14 of the owner. Commonly, the data page 12a includes a machine readable zone 15 ("MRZ"), in which are printed letters, numbers and other symbols, which can be scanned and processed using optical recognition to retrieve data. The boundary of the MRZ 15 is indicated in Figure 1 using broken lines but in practice this is not typically made visible.

To protect the personalisation data 13, photograph 14 and MRZ 15, at least a portion of the data page 12a may be covered with a film 16. This typically comprises a polymeric film which is laminated to the page 12a using adhesive and/or heat sealing. The film 16 preferably includes features such as holograms, colour changing inks or other optically variable elements such that the film cannot easily be reproduced. By covering the data on data page 13 with the film 16, the data cannot be changed without first removing the film 16, which process will typically damage or destroy the film and the security elements contained therein.

The document is typically also provided with information on one or more other pages, such as passport number 17 which here is shown on the adjacent page 12b though in practice may be reproduced on every page of the document. The passport number may be printed or could be provided by perforations, for example laser perforations. The passport number 17 may include a check digit symbol such as that disclosed in our International Patent Application Number PCT/GB2007/002551.

The document preferably also includes a data store which can be read without direct contact, such as a RFID chip 18. Figure 1 indicates the RFID chip 18 in the vicinity of internal page 12b, but in practice the RFID chip 18 would typically be provided on the inside face of front cover 11a or back cover 11b, connected to a suitable antenna (not shown). The data contained in RFID chip 18 can be read using a suitable radio frequency reading device as is well known in the art.

This embodiment of the invention provides a way of correlating the key security elements found in an MRP (Machine Readable Passport) or ePassport, and to provide a means of detecting whether any of the features have been substituted or changed by using the adjacent page 12b (the one opposite to the MRP data page 12a) of the passport 10 to hold data relevant to at least some of the above- described security elements 15, 16, 17 and 18. This is achieved by providing a machine readable security feature 20 on page 12b containing document data in which is incorporated a number of identifiers associated with at least some of the security elements 15 to 18.

In this embodiment, each of the security elements 15 to 18 has been allocated an individual identifier. The manner in which this is done will depend on the type of security element in question. The identifier may be intrinsic to the security element (e.g. a serial number automatically applied to the element during manufacture), or may be added specially (e.g. printed onto the security element). Generally, the identifier serves to identify the security element itself, rather than the owner of the document: it is preferable that there is no correspondence between the personalisation details and the identifier applied. In this example, MRZ 15 includes an identifier "XYZXYZXYZ" in its machine readable text. This identifier may form part of other information or could be designated as standalone data. The film 16 has marked thereon an identifier 16a formed of the number "987654". The identifier 16a is preferably printed onto the film prior to lamination, on the side of the film 16 which adheres to the data page 12a. Advantageously, the identifier 16a is printed in an ink which responds only outside the visible spectrum (e.g. IR or UV ink), such that it is not visible to an observer.

The passport number 17 which is typically printed on or perforated into several internal pages of the document forms its own inherent identifier, in this case consisting of the code "GB12345". The number 17 is typically configured in such a way that the code can be captured using optical recognition techniques. The code may also include a check digit as mentioned above and this can be used on its own or in combination with the rest of the code as an identifier.

The RFID chip 18 is preferably encoded with a serial number during manufacture, as well as personalisation information relating to the passport holder. The serial number can be used as an identifier and can be retrieved by interrogating the RFID chip in the usual way.

Some or all of the above identifiers are incorporated into document data held by the machine readable security feature 20. In this embodiment, this is provided in the form of an optically recognisable printed code applied to page 12b of the document. The code could alternatively be applied in the form of a label, transfer, perforations, etc. Any other page could be used for the feature 20, but the page adjacent the data page 12a is convenient since this is the page the document will be opened to in the usual course of authentication. The machine readable security feature conveniently embodies the "document data" in a 2D barcode, such as a PDB™ barcode by De La Rue International Limited, or the like. Any type of barcode can be used such as linear barcode, stacked 2D Barcodes (for example Codablock - F and PDF417), and matrix 2D barcodes (for example, Aztec Code, Datamatrix or Semacode). Suitable barcodes and techniques for encoding and decoding the data are disclosed in EP-A-0954801 and EP-A-1471461 to Cobblestone Software, Inc. The barcode may be applied during personalisation of the passport by detecting the identifiers from at least a selection of the security elements provided on the passport, using techniques appropriate to the security elements in question, generating a corresponding barcode by applying predetermined encoding rules, and printing the generated barcode onto the document. Providing the security feature 20 in a format such as a barcode is advantageous because the data contained therein is not directly intelligible to an observer. Further, the potential amount of data which can be stored in the feature 20, and therefore to some degree its security, is significant. Using a barcode allows a greater density of information to be stored per unit area. Also, since the barcode can be unique in its structure, it makes fraudulent alteration of the code extremely difficult. However, in other examples it may be preferred to have at least some of the data in a format which is directly understandable to a user, for example printed in the form of text or numbers.

More than one such barcode or other feature may also be provided, collectively making up the machine readable security feature. In some cases, the various identifiers might be represented individually (i.e. with a code or symbol for each identifier), whereas in other cases the identifiers may be combinedly represented in one code or symbol (such as is the case in the above-mentioned bar code).

For further improved security, the feature 20 may be rendered using security ink, such as an ink which is not perceivable to the human eye under usual lighting conditions, for example a yellow invisible fluorescent ink. The fact the code can be printed in invisible fluorescent inks adds an additional level of security and complexity to any potential fraudulent alteration or counterfeit attempts.

In this embodiment, the barcode 20 is printed onto page 12b opposite to the MRP page 12a in a resolution that can be detected and read reliably by the optical scanner of an ePassport page reader. Any software that is required for decoding the barcode or other feature can be incorporated into the reader or into a computer system with which the reader communicates. The fact that the decoder software is built into a passport reader makes reverse engineering of the barcode decoder difficult. Since the feature 20 is machine readable, the process of checking and verification can be automatically performed.

The barcode 20 may be read by a dedicated application installed on the passport reader; this would read the barcode, decode the information and then check that all the data matched with that detected elsewhere (from the selected security elements 15 to 18). Although this process could be done on the front desk, at an immigration point, it is more likely to be implemented as a back office check as it may require two separate scans of the passport (e.g. the MRP page 12a and adjacent page 12b in the above embodiment) and/or more sophisticated detection methods for detecting each of the identifiers from the security elements 15 to 18.

It should be noted that whilst the barcode has advantages, as noted above, the use of a barcode is not essential. For example the feature 20 could comprise scrambled indicia (e.g. the document data visually scrambled for reassembly by a suitably programmed reader) or a digital watermark. Alternatively the document data could be printed onto page 12b (or any other page) or stored in some other way in the document 10 (e.g. in the RFID chip 18 or on a magnetic strip). An extension to this would be to hold the document data centrally on a database (as the information would be generated before or during personalisation of the passport) together with the applicant's other biometric and biographic data, with the feature 20 containing a key code for looking-up the relevant identifiers in the database. Information as to which identifier should correspond to which security element would be pre-programmed. This would enable verification to take place against data held on a central database rather than in the passport itself.

In a second embodiment, depicted schematically in Figure 2, the document 10' (shown in daylight at 10'a and as a UV simulation at 10'b) is provided with security elements 15' to 18' which correspond to those described in the first embodiment, the reference numerals having the addition of a prime ('). Here, the passport number 17' is formed by laser perforation and includes a check symbol (circled), and a further security element 19' is provided in the form of a printed number. Optionally, the second embodiment further includes an extra security feature 30 provided by measuring a characteristic of the document 10'. This is described in more detail below.

In this example, all of the security elements 15' to 19' are associated with the same identifier, "GB1234996". MRZ 15' includes "GB1234996" on the second line of machine-readable text. The code 16a' provided on the laminate film is also "GB1234996", as is the passport number both laser-perforated 17' and printed 19' onto the document. The RFID chip 18' is programmed with the code "G1234996" in its Datagroup 13 or Datagroup 1 sector, for example. The same code "GB1234996" is stored in the document data embodied by the machine readable security feature 20', which in this case is a 2D barcode but could take any appropriate form as described in the first embodiment. The document data could include the code repeated for each security element. However, since the code is the same for all security elements 15' to 19', the code need only be stored once in the machine readable security feature 20', and can be checked against each of the selected security features.

The first and second embodiments could also be used in combination with each other, for example, a code common to a subset of the security elements (e.g. passport numbers 17' and 19') could be stored alongside individual identifiers for other elements (e.g. the RFID chip 18' and the laminate code 16a'). The second embodiment also makes use of an optional security element 30 in the form of a measured characteristic of the document 10'. In this case, the characteristic is the surface roughness of the document substrate, which can be detected by laser surface analysis. It has been found that may document substrates, such as paper, exhibit surface roughness at a microscopic level which varies from place to place on the substrate, and between substrates (even those of the same type). Hence measuring and recording the surface roughness of a defined area of a substrate is akin to recording a person's fingerprint. Security element 30 therefore consists of a stored surface roughness profile which has been measured for at least a portion of the surface of the document 10', preferably from a page other than that on which the feature 20' is placed. When a document requires authentication, laser surface analysis of the specified area is performed, and the result compared with that retrieved from the document data in the machine readable security feature 20'.

Other comparable measurements can also be used as security elements. For example, the measurement could be taken from an element (including a printed element) applied to the document 10' rather than the document itself. For example, the exact dimensions of a line printed in invisible ink could be recorded. Or, if there is a measurable variation in standard page dimensions, weight or thickness, any one or more of these could be measured and recorded.

The scope of the number and/or type of security elements can be a large or small as is required, and could for instance include such features as a laser perforation check digit, laminate film number, taggant information (RFID chip number) etc., as described above. The security elements selected will depend on the application for which the document is intended. Further, it should be noted that not all of the security elements provided on the document need be provided with an identifier and/or recorded in the machine readable security feature. For example, the document may additionally be provided with holograms, embossings, watermarks or any other security elements which may or may not be associated with an identifier recorded in the security feature. Finally it should be noted that each identifier need not be 'programmed' as such, into the respective security element. A first example is the use of a measured characteristic of the document surface, identified as security element 30 above. In another example, where one of the security elements is an RFID chip, its identifier can be descriptive of its contents, for instance if the chip contains three Datagroup sectors 1 , 2 and 7, then this information can be stored in the machine readable security feature as the identifier. If the chip is substituted or the contents of the chip are modified (e.g. a Datagroup is removed), this will be identified by checking the machine readable feature.

Alternatively, the identifier could include a signature of some of the data in the RFID chip. The signature would be generated using the same key as that used to sign the chip data and could be verified using the "Document Signer" key stored in the chip. This is a digital certificate containing a public key which can be used to decrypt a digital signature and verify that it was encrypted with a corresponding private key. The certificate will have been digitally signed by a trusted Certificate Authority and therefore can be validated for authenticity.

Similar 'descriptive' identifiers can be generated for any of the security elements.