From vaccine passports to voter IDs: the hidden security threats of digital passes

Digital passes and other forms of identification are set to become an increasingly common part of everyday life. But while they’ve been explicitly designed to secure and authenticate user identities, what about the machine identities that enable them to work? Otherwise known as digital keys and certificates, machine identities form the basis of trust in all kinds of online transactions, and secure all machine-to-machine communications. As such, they’re a crucial piece of the puzzle. If machine identities used to secure digital passes were to fall into the wrong hands, it could undermine the entire digital pass system and allow security threats to emerge.

The reality of implementation for vaccine passports

Vaccine passports are currently being discussed in the UK and all over the world. The EU’s Green digital certificate came into force on 1st July, which will allow travel between member states. In Israel, vaccine passports were introduced in the form of a “green pass” app. Used until the majority of the population was vaccinated, it enabled residents to access facilities like gyms and concerts.

But how will vaccine passports actually work for other countries adopting them, and what form will they take? They’re likely to be embedded in an app, which will essentially be a container for the vaccine certificates. Each of these will need to integrate with highly sensitive personal and medical information to validate the owner. To do this, vaccine passports will rely on a web of machines and servers to connect, validate and deliver the service they are required for. In the UK, the current plan is to do this through the NHS app, which will authenticate users for international travel and entry to mass events.

The question of QR code security

Zach Fleming, principal cyber security consultant at Integrity360, discusses the concerns that can arise when it comes to QR code security. Read here

Managing machine identities

Vaccine passports, or any other digital pass, must be secured with machine identities. These are used to secure and authenticate everything from software installed on airplanes to your mobile banking apps. Gartner recently emphasised the critical need to manage machine identities in its security and risk trends report. As we become increasingly reliant on technology, the number of devices and volume of non-human identities in use continues to grow, yet the management of machine identities is still not well understood. This needs to change quickly.

If the machine identities that vaccine passports rely on are poorly secured or managed, it could leave these applications wide open to abuse by malicious actors. Attackers could exploit machine identities to establish hidden or concealed encrypted communication tunnels, accessing sensitive health information as it’s transferred between vaccine passports and the servers where data is stored. Perhaps even more worryingly, forged or stolen machine identities could also allow an attacker’s machine to masquerade as a legitimate server, potentially enabling them to spoof vaccine passports.

Secure by design

To mitigate these risks and prevent vaccine passports falling into the wrong hands, they must be built and managed to be secure by design, with strong machine identity management in place. Without this, organisations can’t guarantee the confidentiality of information flowing to authorised machines, and block data transfers to unauthorised machines.

To address this, organisations developing digital passes need to secure the entire machine identity life cycle. This involves automating the complex management of machine identities, driven by a clear set of policies and controls. This can’t just end with the provisioning of machine identities; they must be continuously monitored to ensure any anomalies or vulnerabilities can be flagged and detected quickly.

Identity gets a new look: examining the W3C Verifiable Credentials standard

David Chadwick, product director at Crossword Cybersecurity, discusses what the W3C Verifiable Credentials standard, co-authored by Chadwick, means for identity security. Read here

Protecting the users

As we begin to emerge from over a year of lockdowns and restrictions, it’s likely digital passes, whether they are vaccine passports or voter IDs, will form an increasingly important part of all our lives – from travelling to attending large scale events, and even voting. We need to ensure we are not handing hackers the advantage when implementing these technologies. Ultimately, it’s only by proactively managing machine identities at machine speed that organisations and governments developing these applications will be able to protect their users.

Written by Kevin Bocek, vice-president, security strategy & threat intelligence at Venafi

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at