The Roadmap to Accepting Mobile Driver’s Licenses Online has Arrived
In recent days, you may have heard a collective sigh of relief from institutions around the world that have been struggling with the lack of consistent mechanisms for managing identity transactions with mobile driver’s licenses (mDLs). The source of this relief is the release of a new specification from the International Organization for Standardization (ISO) that focuses on the secure and privacy-protecting presentation of mDLs over the internet. Like all ISO standards, this latest release, ISO/IEC 18013-7, serves as an international guideline to ensure quality, safety, and efficiency across industries and governments. It outlines technical protocols for identity verification that maintain data security and user consent, making mDLs safe and reliable for online interactions. By adhering to such standards, mDL implementations can ensure interoperability across systems and countries, resulting in a smooth and reliable user experience. Establishing this specification is a game changer for the multitude of organizations that require proof of identity to meet security or regulatory compliance standards during online transactions.
The Exponential Growth of mDL Adoption
The global adoption of mDLs is increasing at an exponential pace, with the APAC region currently leading the charge—accounting for 72% of global mDL adoption, according to data from ABI Research. Per their estimates, approximately 15% of adults worldwide—850 million people—will have a mobile ID within the next year. In the United States, 14 states have already released ISO-compliant mDL solutions that are in use for applications like providing identification at TSA checkpoints, accessing government services, and accessing accounts in person, like at a bank. The entry of technology juggernauts like Apple and Google is likely to accelerate adoption in the US and beyond, as other industry players tend to follow suit.
As adoption grows, so will demand for services that support the technology. Recent history has shown technological capability surpassing some of the more traditional criteria that consumers consider when choosing where to bring their business. Flexibility and convenience are driving many consumers’ choices and mDLs are likely to be considered a positive in both categories.
The desire for more personal privacy will also be a significant driving force behind both the adoption and demand for support for mDLs. It’s likely that the most significant differentiator between mDLs and traditional driver’s licenses, for consumers, is the ability to share only the data necessary to complete a transaction. While this is a benefit for in-person transactions, it is going to be even more important for online interactions as the need for age verification and identity verification increases. The ability to verify an identity, share a birthdate, or even just present one’s age without “giving them a picture of my license” will serve to eliminate a barrier to adoption of increased online security.
Improving the ID in IDV
While the technology currently exists for simple, secure identity verification, scanning a physical identity document is a known point of weakness. From the effect that scan quality has on OCR data capture accuracy to the relative ease of modifying or spoofing a physical ID document, steps have to be taken to ensure that the data is accurate and unaltered. Organizations like Daon have multiple technologies in place to minimize or even eliminate these concerns with physical IDs, but mDLs take many of these issues completely off the table. By passing data directly from a government source, digitally, they ensure 100% accuracy. Add the fact that the data is guaranteed by a cryptographic signature, and a business can be certain not only that it has the right data but that the data has not been tampered with.
Giving mDLs a Passport to the World
Previous standards established the passing of mDL data from one device to another in an in-person scenario. This new standard removes the guardrails and establishes the protocols for secure, verifiable, and efficient sharing of identity information remotely.
Like with the in-person standard, the new specification focuses on two main actors:
- mDL – the mDL application/wallet that is on an individual’s, or holder’s, device that securely holds the mDL data, manages authentication and consent for access to the data, and interacts with the relying party systems on the holder’s behalf
- mDL Reader – the technology component at the relying party that manages the interactions with the mDL application/wallet and verifies the transmitted mDL data
In the in-person scenario, the mDL and mDL Reader exist on two separate devices, with the data being passed from the mDL owner’s device to the mDL reader. With the new specification, both mDL and reader can exist on the same device, as data is passed to a website or app that exists on the user’s mobile device. It can also pass data between devices if, for instance, the user is accessing a website on their laptop and passes the ID data from their mobile device. To facilitate the online use of mDLs, two key protocols come into play:
Web API Method: Think of a Web API as a secure digital messenger that creates a direct line between your mobile device and the verifier (like a website or app you’re using). This allows the verifier to request only the specific pieces of information they need from your mDL. For example, if a service needs to confirm your age, the Web API enables your device to send just your date of birth, securely and instantly. The data is encrypted—like sealing it in a tamper-proof envelope—so no unauthorized parties can access or alter it during transmission.
OpenID Connect and OpenID for Verifiable Presentations: OpenID Connect (OIDC) is a widely used system that acts like a universal digital passport, letting you log into multiple services with one secure account. Building on this, OpenID for Verifiable Presentations (OID4VP) allows you to share specific parts of your digital ID selectively. It’s similar to showing your ID through a privacy filter that only reveals the necessary details, keeping the rest hidden. This method uses encrypted tokens to transmit your data securely, ensuring that you maintain control over what information is shared and with whom.
These encrypted tokens, known as JSON Web Tokens (JWTs), function like secure digital tickets. They carry your information in a way that only the intended recipient (the verifier) can read, ensuring that your personal data remains confidential and protected during the exchange.
W3C Digital Credentials Browser API: Still in development, this API is expected to be added to ISO/IEC 18013-7 as a third option for online mDL data transmission. The W3C API is expected to be a protocol-neutral enhancement, enabling users to store and present their digital credentials directly from their browser, streamlining the process for web-based interactions and significantly increasing the accessibility of mDL data across applications and devices.
Safety First
As with all aspects of mDLs, security and privacy are top of mind.
One of the significant advantages of these protocols is the ability to share only what is necessary. Imagine needing to prove you’re eligible for a service that requires users to be over 18. Instead of sharing your entire driver’s license, you can securely transmit just the information confirming your age. This selective data sharing protects user privacy and reduces the risk of personal information being misused.
The data transmitted is also encrypted into code only decipherable by the verifier, who has the correct ‘key’. This process ensures that even if someone intercepts the data, they can’t understand or misuse it. It’s akin to sending a locked briefcase that only the recipient can open.
The protocols also follow standard security practices for preventing forgery and cloning attacks: the mDL data is signed with the issuing authority’s cryptographic keys, which assures the integrity and authenticity of the data.
Finally, secure sessions and the use of an origin component are employed. These techniques are designed to ensure that once a connection between points of communication is established, only communication originating from those sources is allowed, preventing replay or relay attacks.
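The selective disclosure, issuer signature, and session binding described in the protocol overview and in this section, as an added Python illustration that is not from the original post, from Daon, or from the ISO specification: it models the mdoc pattern of an issuer signing salted digests rather than the data elements themselves, with the holder releasing only the requested elements and the verifier checking each one against the signed digest list as well as the session nonce and origin. HMAC with constructed keys stands in for the real public-key signatures, and the CBOR/COSE encoding used by the standard is omitted.

```python
import hashlib, hmac, json, secrets

# Constructed illustration of the checks described above; it is not the
# ISO/IEC 18013-5/-7 CBOR/COSE encoding. HMAC over a shared secret stands in for
# the issuer's and the device's public-key signatures so the example runs offline.
ISSUER_KEY = b"constructed-issuer-key"   # assumption: issuing authority's key
DEVICE_KEY = b"constructed-device-key"   # assumption: holder's device-bound key

def sign(key, obj):
    """Signature stand-in: HMAC-SHA256 over a canonical JSON serialization."""
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), "sha256").hexdigest()

def digest(elem_id, value, salt_hex):
    """Salted digest of one data element; the salt hides the value from the digest list."""
    data = salt_hex + json.dumps([elem_id, value], sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()

def issue(elements):
    """Issuer: salt every data element and sign only the list of digests."""
    items = {k: {"value": v, "salt": secrets.token_hex(16)} for k, v in elements.items()}
    digests = {k: digest(k, it["value"], it["salt"]) for k, it in items.items()}
    return items, {"digests": digests, "sig": sign(ISSUER_KEY, digests)}

def present(items, mso, requested, nonce, origin):
    """Holder: disclose only the requested elements, bound to this verifier session."""
    disclosed = {k: [items[k]["value"], items[k]["salt"]] for k in requested}
    body = {"disclosed": disclosed, "nonce": nonce, "origin": origin}
    return {"mso": mso, "body": body, "device_sig": sign(DEVICE_KEY, body)}

def verify(pres, expected_nonce, expected_origin):
    """Verifier: session binding, device signature, issuer signature, then each digest."""
    body, mso = pres["body"], pres["mso"]
    if body["nonce"] != expected_nonce or body["origin"] != expected_origin:
        return None                      # replayed or relayed response
    if not hmac.compare_digest(sign(DEVICE_KEY, body), pres["device_sig"]):
        return None                      # not produced by the holder's device
    if not hmac.compare_digest(sign(ISSUER_KEY, mso["digests"]), mso["sig"]):
        return None                      # digest list not issued by the authority
    out = {}
    for k, (value, salt) in body["disclosed"].items():
        if k not in mso["digests"] or digest(k, value, salt) != mso["digests"][k]:
            return None                  # altered value, or element the issuer never vouched for
        out[k] = value
    return out                           # only the disclosed elements, e.g. {"age_over_18": True}
```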
Room to Grow
While this new specification is a significant leap forward for the digital identity landscape, there are several areas of mDL functionality that still need to be addressed.
While issuers have established controls to prevent the use of lost, invalid, or expired mDLs, standardizing this process has yet to be addressed. Functionality including expiration/renewal, reporting lost credentials, wiping data from stolen devices, and central revocation lists are among the capabilities currently being focused on for future standards.
Existing biometric verification technologies, like those provided by Daon, can currently be built into the mDL workflows, but integration of biometric verification into the standard, confirming that the user presenting the data is the mDL owner, is reserved for a future specification.
Finally, the current specification requires that a user be online to verify with mDL data, limiting on-device app functionality. Solutions for taking this process offline are being explored so that verification can take place even when internet connectivity is unavailable.
Planning your next move?
Now is an ideal time for organizations to investigate what opportunities online presentation of mDLs may bring for their operations in unlocking faster, more accurate, and more convenient interactions with customers while reducing fraud and ensuring compliance. Creating a strategy that includes mDLs will provide a competitive edge in a digital-first world.
To discuss the opportunities available to your organization, connect with one of Daon’s experts.