Regula analysis highlights airport identity threats

IDV developer Regula has released the Airport Identity Risk Index 2026, which looks ahead through to 2028. The report digs into how identity systems operate across automated gates, remote enrollment workflows, biometric checkpoints and digital travel credentials (DTC).

A key finding is that the relative impact of forged physical documents is expected to decrease as airports implement more sophisticated scanners and automated document checks. But risks remain.

“Airports are becoming some of the most identity-dependent environments in the world,” says Arif Mamedov, CEO of Regula. “The biggest shift we’re seeing is not just new attack techniques, but a change in where identity fails.”

Mamedov warns that identity security cannot be seen as a series of isolated checks. “It has to function as a continuous, multi-layered system,” he believes. The advancement of digital, cryptographic and biometric layers means failures can “fail loudly.”

For example, as QR and mobile-based credentials become more widespread, having weak app or scanner or backend validation could lead to attackers changing access parameters and bypassing controls. QR codes are becoming much more prevalent, with new trials announced just this week in Singapore while Malaysia ramps up usage at its busy Johor Bahru checkpoint.

Regula found that unreliable chip and certificate validation is becoming one of the fastest-growing exposure points. The rise of mobile identities, biometric passports and DTCs rely more on cryptographic trust and validation is key. The report warns that “many” airport systems validate only the data on the electronic passport chip, but don’t process the digital certificates that confirm the chip’s authenticity.

“This oversight, more common than the industry admits, opens the door to sophisticated attacks,” it says. “Fraudsters can clone chips or modify data in ways that some readers won’t detect.”

Using a Risk Probability Index (RPI) Regula scores the risk today, and in 2028 with a Future Growth Probability (FGP). Face morphing, which blends photos of two people into one image, is RPI ranked four out of 10 in 2026 — but is scored six out of 10 for 2028. “If accepted, the resulting [face blended] passport becomes a shared identity token, usable by more than one person.”

Two of the most alarming threats are deepfake-assisted remote enrollment and biometric presentation and injection attacks. For the former, it’s four out of 10 currently, but will grow to 7 out of 10 in 2028. Airlines and border agencies are phasing in remote identity verification, with pre-clearance at home, confirming identity via smartphone before airport arrival. Deepfake tools could enable a bad actor to impersonate real individuals. Regula points out there are no publicly known instances of this happening yet in aviation, but with remote enrollment and DTC usage growing, the risk could rise.

Article Topics

airport biometrics  |  biometrics  |  digital travel  |  digital travel credentials  |  identity security  |  injection attack detection  |  presentation attack detection  |  Regula  |  remote identity proofing