While countries around the globe are still struggling to procure and distribute enough vaccines for their citizens, the next dilemma of the pandemic has already surfaced – to require vaccine passports or not. Vaccine passports are essentially immunity credentials designed to certify that a citizen has received a Covid-19 vaccination, and thus is presumed safe for entering a building, workplace, arena, or travelling across borders.

The attraction of this kind of credential is clear – from the benefit to public health to mitigating liability. The risks are clear as well. Individual health data is highly regulated in most countries, both to enable provision of services across networks and to preserve patient privacy and dignity.

Vaccine credentials can become part of the infrastructure of the new normal, but only if they work to bolster trust – among individuals, organizations and governments. Any immunity passport or vaccine credential program should be built on a foundation of trust, and consider the following:

  • Protect citizen data and privacy. Personal data is a valuable currency among bad actors. The impact of credit card fraud pales in comparison to medical identity theft. Some best practices to protect citizens include:
    • Keep citizen and workforce identities secure with digital signatures that can either be employed within the user’s mobile device or a physical smart card.
    • Use digital identity proofing to securely on-board citizens.
    • Apply multi-factor authentication (MFA) for authorized workers when accessing citizen data.
    • Employ adaptive risk-based authentication as an early threat detection and prevention system with step-up challenges when conditions warrant.
    • Establish an enterprise certificate strategy to secure network connections, manage software/firmware, authenticate devices, secure email, encrypt and sign data, and protect user identities.
    • Use hardware security modules (HSMs) for a strong root of trust to protect and manage the cryptographic keys needed to sign and validate device certificates.
  • Ensure interoperability. Passports work when they are universally recognized – and a vaccine passport could have much wider use than a travel credential. Your vaccine passport needs to help you cross the border, and may also be required for entertainment events, a restaurant, or even hotels There’s a lot we can learn here from multinational efforts to enable global travel, notably the UN ICAO standards, which enable a universal system for secure air travel.
  • Bridge the technology divide. Smart phones and cell coverage are ubiquitous in most urban centers, but as the virus has proven, civilization doesn’t stop there. While mobile devices can be used to effectively store and present digital credentials, not everyone has a smart phone. Physical smart cards should work hand in hand with digital credentials to ensure a wide range of use cases and smooth interactions.
  • Consider a national ID strategy. With the infrastructure and investment necessary to ensure a viable vaccine passport, why not redeploy this effort into a national citizen ID program that can be used for multiple purposes including the secure delivery of government services, secure cross-border travel, and documentation of vaccination.
  • Take an ecosystem approach. As highlighted by the recent SolarWinds breach, effective cybersecurity requires an ecosystem approach. Public safety and security come down to distributed trust, that secures not just vaccination records but also verifies and authenticates a secure supply chain from vaccine production to distribution to citizen.

The technology foundation for trusted immunity credentials is here today . The challenge is in ensuring collaboration around common standards around the world – in other words, to enable trust in a way that opens doors around the world.

No one knows where we’ll be a year from now.  In our experience as a trusted solutions provider for more than 400 government programs in over 100 countries, Entrust understands that programs to enable trust in this fast changing world must rely on a proven foundation of technologies and standards for secure identity and transactions.