In relation to the Philippines Statistics Authority’s (PSA) previous advisory dated 19 May 2021 regarding the acceptance of the Philippine Identification (PhilID) card as official proof of identity for transactions with government and private entities, please be advised that this advisory is being issued to provide additional information on the authentication and use of the card.

Specifically, this advisory aims to inform the public and all government agencies, who are potential relying parties of the Philippine Identification System (PhilSys), on the following matters:

1. Guidance on methods for relying parties to verify the identity of a registered person presenting a PhilID, including visual inspection of the physical security features, cryptographic verification of the digitally signed demographic information in the Quick Response (QR) code, and how to qualify this as an offline authentication in accordance with Republic Act (RA) No. 11055 otherwise known as the PhilSys Act; and

2. Specifications for the demographic information in the QR code, which enable relying parties to use this for automated data entry, such as pre-filling forms.

Under RA No. 11055, the PhilSys aims to eliminate the need to present other forms of identification when transacting with the government and the private sector. The PhilID, in physical or mobile¹ format, and the PhilSys Numbers (PSN) or any of its derivatives such as the PhilID Card Number (PCN), subject to authentication, shall be a sufficient proof of identity. Thus, relying parties which include national government agencies (NGAs), local government units (LGUs), government-owned and controlled corporations (GOCCs), government financial institutions (GFIs), educational institutions, and all private entities are mandated by law to accept the same for purposes of identification.

We reiterate that any person or entity who shall refuse without just and sufficient cause on the acceptance, acknowledgement and/or recognition of the PhilID or PSN, subject to authentication, as the sufficient proof of identification of the holder/possessor shall be liable for violation of RA No. 11055.²

The revised Implementing Rules and Regulations (IRR) of RA No. 11055, provides for two types of authentications:

1. Offline authentication refers to the process in which the identity of an individual is validated against the information contained on the PhilID by the relying party. This is further described in the IRR as the presentation of the PhilID and the matching of the data stored in the QR code on the PhilID.

2. Online authentication refers to the process in which the identity of an individual is validated real-time against the PhilSys Registry by the relying party through secured connectivity.³ The PSA is currently in the process of developing and piloting fingerprint, face, iris, SMS One Time Password, and demographic verification. Further guidance will be issued for this type of authentication.

Part I. Methods of Verifying Identity Using a PhilID Card

Method 1: Visual Inspection of Physical Security Features of the PhilID Card

The physical security features of the PhilID card can be assessed to determine whether it is authentic and the demographic information and photo on the card have been tampered.

When combined with comparing the data printed on the card with the data in the QR code (which can be read by any device with a camera or scanner), this visual inspection qualifies as an ‘offline authentication’ under the IRR for RA 11055, as amended.

For reference, attached as Annex A is the Guidelines on Validating Overt and Covert Security Features of the PhilID.

Method 2: Cryptographic Verification of the Digital Signature in the QR Code through the PhilSys Website

The demographic information in the PhilID QR code has been digitally-signed by the PSA using the Edwards-curve Digital Signature Algorithm (EdDSA). This provides the ability for relying parties to use asymmetric cryptography i.e., the public key corresponding to the private key used to sign the data in order to verify with high levels of assurance if the information has been issued by the PSA (as contained in the PhilSys Registry) and has not been tampered with.

The PSA has developed a PhilID QR Code Verification (PQRCV) website to use public-private key cryptography to allow relying parties to verify if the data in the QR Code has been issued by the PSA and has not been tampered with. Any computer or smart device with a camera and internet browser with internet access can use the PQRCV website. PSA will provide the URL once it is launched. Although this method is delivered through an internet website, it qualifies as an ‘offline authentication’ under the IRR for RA No. 11055, as amended.

To verify a PhilID card, the user will need to access the PQRCV website and provide permission to access the integrated or connected camera. When a PhilID’s QR code is scanned using camera, three processes will be done.

First, the website will check if the PhilID is active or revoked. Second, the embedded public key (corresponding with the private key used to digitally sign PhilID QR code data) will decrypt the digital signature embedded in the QR code. The result is a hash of the QR code data initially generated before printing the QR code onto the PhilID card. Third, the website will generate a second hash of the QR code data. If the first and second hashes match, then the QR code data has been issued by the PSA and has not been tampered with (i.e., it is correct). The website will display the data from the QR code, and this can be matched with the data printed on the PhilID card. The photo and ghost image can be used to determine whether the person presenting the PhilID is the true owner.

The following are the three possible responses to scanning the QR code using the PQRCV website:

Method 3: Integrating Cryptographic Verification of the Digital Signature in the QR Code into Relying Party Applications

The PSA will make the public key(s) available corresponding to the private key(s) used to sign the data in the PhilID QR codes to relying parties so they can integrate cryptographic verification (i.e., the same process described above, except without the revocation check) into their own applications, including for offline use. The intention is to enable relying parties to accommodate PhilSys-enabled verification into their systems and processes with minimal disruption and maximum opportunities for innovation. This method qualifies as an ‘offline authentication’ under the IRR for RA No. 11055, as amended.

Part II. Specifications for the PhilID QR Code

To further enable acceptance of the PhilID and to create the possibility of automation, relying parties can read and act upon data stored in a QR code printed on the back of each card.

The QR code conforms to ISO/IEC 18004:2015 and is readable by consumer QR code-capable equipment such as mobile phones, tablets, and barcode scanners.

Data represented in the QR code is not encrypted so it may be read by any software that is able to successfully read standard QR code formats.

Data is encoded in JSON format for ease of processing by applications and the integrity of data is checked by verifying a digital signature⁴ included in the JSON data packet.

Attached as Annex B are the Attributes and Corresponding Description/Use for the PhilID QR Code JSON Format.

While the online authentication is still not available, physical verification and other offline authentication shall be administered and the same is already in compliance with the procedures of RA No. 11055. Refusal to accept PhilID for purposes of identification has corresponding penalties.

Further, information provided in this document is aimed at providing the relying parties better understanding on the features of the PhilID card to further its acceptance for greater inclusion, and promote ease of doing business for Filipinos, especially in the vulnerable sector.

For your information, and guidance.

DENNIS S. MAPA, Ph.D.
Undersecretary
National Statistician and Civil Registrar General