What is a Card Access Number (CAN)?

A Card Access Number (CAN) is a unique identifier printed on electronic identity cards (eIDs) or smartcards, used as an additional security feature during digital identity verification processes. Typically, a CAN serves to confirm physical possession of the card during online authentication or identity proofing, thereby reducing the risk of fraudulent digital activities.

Key aspects of a Card Access Number (CAN):

• Physical Possession Proof: Verifies the user physically holds the identity card.
• Additional Security Layer: Provides an extra authentication factor beyond traditional PINs or passwords.
• Usage Contexts: Frequently employed in government-issued eIDs, healthcare smartcards, and electronic residence permits.
• Fraud Prevention: Protects against identity theft, cloning, and unauthorized access.

Implementing CAN enhances the reliability of digital identity systems, supporting stronger authentication flows and compliance with various regulatory frameworks.

---

With growing digital interactions, verifying an individual's identity accurately has become paramount. The Card Access Number (CAN) provides an additional layer of security by ensuring the person conducting an online transaction physically possesses the relevant identification card.

The CAN is usually required as an additional verification measure to supplement:

• Traditional methods (username/password, PINs)
• Multi-factor authentication (MFA)
• Biometric authentication

This layered security approach effectively reduces the risk of:

• Identity theft and fraud
• Unauthorized card cloning or duplication
• Impersonation attacks during high-risk transactions

• Government Digital Services: Many governmental eIDs, including national ID cards and electronic passports, employ CAN to securely verify citizens' identities online.

• Healthcare Services: Health insurance cards or electronic health record (EHR) smartcards often require CAN to prevent medical identity fraud and unauthorized access.

• Secure Issuance & Management: Organizations implementing CAN must ensure secure generation and issuance processes. While the CAN itself is a printed, human-readable code on the document (not a confidential secret like a PIN), issuance systems must be protected and CAN values should be generated unpredictably to maintain the security of the chip access protocol.

• Compliance and Regulatory Alignment: CAN can be a component within systems designed to meet stringent regulatory standards such as the Trusted Digital Identity Framework (TDIF), GDPR, or NIST identity assurance levels (IAL). However, compliance with these frameworks requires comprehensive organizational, procedural, and cryptographic controls beyond the use of CAN alone.

• User Experience Considerations: A properly integrated CAN system can enhance the user experience by providing simple yet secure digital interactions, minimizing friction while maximizing security.

Organizations adopting passkey solutions to enhance user authentication flows can leverage CAN to further bolster security. For example, when registering or activating passkeys, requiring CAN entry provides proof of possession and increases overall trust in the authentication process.

Integrating CAN into passkey workflows:

• Adds a physical verification step to passkey enrollment.
• Strengthens identity proofing during initial user onboarding.
• Ensures regulatory compliance in highly regulated sectors like finance, healthcare, or government.

The CAN is typically printed on the front or back of electronic identity documents, including eIDs, electronic residence permits, or healthcare smartcards.

Systems use CAN to verify physical possession of a card, enhancing security and preventing identity fraud, card cloning, and unauthorized access.

CAN provides an additional authentication factor, confirming users physically hold their identity card, thus significantly reducing identity theft and fraudulent activity risks.

No, a CAN differs from a PIN. While a PIN is confidential and user-generated, a CAN is card-specific, printed directly on the card, and used to confirm physical card possession.