Question for Mike or anyone else who knows about this stuff:

What about a scenario brought up by a reddit user: a hotel clerk in a tourist destination handles a hundred international passports in a day. Is there some way they can surreptitiously grab a signature from each of them and use them for an attack?
So I tried an app out with my phone and it read the biometric,photo and ID details fine. The security info says the signatures are OK but it seems there is no "Active Authentication", meaning the passport could be cloned. Apparently that's the common situation according to this.

Without active authentication the system won't be defended against the hotel clerk attack, is that correct (because there is no nonce provided from the reader)?