Question 15
Can an MRZ be forged or faked?
The MRZ itself can be physically reprinted or altered, but doing so convincingly is much harder than it might seem, and that difficulty is exactly what makes MRZ a useful anti-fraud tool rather than just a data-encoding format. The reason comes down to check digits: each significant field in the MRZ (document number, date of birth, expiry date) has a corresponding check digit calculated using a defined ICAO algorithm, and there's typically a composite check digit across multiple fields as well.
Changing any piece of data without correctly recalculating every affected check digit will produce a mismatch that automated scanning catches instantly.
That said, the MRZ is still just printed text. It isn't encrypted, and a sufficiently sophisticated forger who understands the check-digit algorithm could, in principle, alter data and recompute the corresponding digits correctly.
This is precisely why serious identity verification systems never rely on the MRZ in isolation. A well-built process cross-references MRZ data against the visual zone (the printed name, photo, and other fields elsewhere on the document), against any barcode present, and, for e-passports, against the data stored on the embedded RFID chip, which carries its own cryptographic signature that's far harder to forge than printed text.
Beyond data consistency, physical document security features matter too. The paper stock, printing techniques, holograms, and other elements are extremely difficult to reproduce outside of an official government printing facility.
A forged MRZ with internally consistent check digits might still fail these physical authenticity checks, or fail to match the chip data if the document is an e-passport.
So the honest answer is: yes, an MRZ can technically be forged, but doing so convincingly enough to pass a properly designed multi-layered check is genuinely difficult, and gets much harder the more data sources a verification system cross-references.
This is exactly why ScanDoc's approach doesn't treat MRZ reading as a standalone fraud check. It combines MRZ extraction with visual zone OCR, barcode reading, and cross-validation between all of them, so a mismatch anywhere in that chain, not just a failed check digit, gets flagged for review rather than silently passed through.
Talk to a document scanning specialist
Have a specific integration question, or want to see how this fits your onboarding flow? The ScanDoc team is happy to help.