Written by Most people reading this will already know what an mDL is (a Mobile Driver’s License of course). That’s because it isn’t a new idea; it has been in development for roughly eight years now. What is new this year however is the development of the existing mDL standard to include remote presentation, an add-on functionality which could do to plastic identity cards what plastic bank cards did to cash.
Along with 1.5 million participants in the state of California, I’m fortunate to be eligible to join the free pilot program offered by the CA DMV to secure myself an mDL. All I have to do is download the “CA DMV Wallet” app on my iPhone and take a front and back picture of my Real ID – it’s that simple. To demonstrate just how easy it is to use, I thought my colleague here at CHYP, Hayden Evans, could share his experience of using an mDL in an airport on the opposite coast:
“From my experience, the overall process of using the mDL provided by Georgia was very simple. There was no need to download any additional applications. All that was required was to follow the instructions laid out in my Apple Wallet. After submitting the required info to and receiving the corresponding approval back from the DDS (Department of Driver Services), I was ready to try it out at my earliest convenience. At Hartsfield-Jackson Atlanta International Airport, tapping my mDL was very reminiscent of tapping to pay for transit rides with OMNY in New York (minus the Express Transit settings). The only potential confusion was the option for flyers to use what’s referred to as their ‘digital ID’, which showed up as an option on my Delta boarding pass (top-left corner above the QR code). This involved the TSA agent taking my photo and presumably verifying it against some stored credential. To the average flyer having a Digital ID vs. an mDL may be confusing or unclear.”
So it may not be completely frictionless yet, but few digital experiences are, and this is only the beginning. There are currently over 25 participating airports accepting mDL’s all over the country, including three here in California. While the DMV makes it clear that this is not a full replacement of the Real ID, it can now be used in stores and restaurants for proof of age. In Utah for example, your mDL can be used in a variety of use cases with Credit Unions, Liquor Stores and Health Centres all accepting your digital identity as an officially recognized ID. Utah isn’t alone; there are dozens of other states already issuing mDLs or following closely behind them in the development stage.
In October of last year I was fortunate to attend the 37th Bi-Annual Internet Identity Workshop in Mountain View CA. This was my third time attending and in one of the very first sessions we received an update on the progress of the ISO/IEC 18013-5 mDL standard; originally conceived in 2016 by NIST but published in 2021. The standard specifically focuses on secure Local Presentation, including via QR Code, NFC and BLE mechanisms.
However, ISO/IEC 18013-7 as I mentioned earlier outlines specifications for the remote presentation of mDLs. Despite there being various transportation methods for credentials, the formatting of those credentials remains quite consistent amongst them. The standard proposes utilizing a Rest API to initiate a request for the mDL credential, prompting the application to respond with either a redacted or complete credential (thereby incorporating selective disclosure capabilities). Selective disclosure is the mechanism by which users can ‘hide’ certain elements of the credential that were disclosed This is privacy-by-design in action.
The plan is to use the OpenID4VP standard for presentation of the credential, and at the end of 2023 SpruceID announced impressive success rates for the first fully remote interoperability tests for mDL implementations. Expected to be published in full later this year, the standard aims to address a current technological gap: not all web pages have the capability to request a credential from a user-chosen wallet. In short, the standard addresses the complexities of specifically remote mDL presentation and will enable users to have a truly portable digital identity.
Issues like standardization still remain; and it will be interesting to see how the big players approach the issues of interoperability between wallets. Android and Apple both now support the ISO 18013-5 standard in the JetPack suite and iOS 15 respectively. If widespread acceptance of the mDL is the goal, we’ll need to see continued co-operation between wallet issuers, regulators and digital credential providers. Kantara’s “Privacy & Identity Protection in mDL ecosystems Discussion Group” is a great example of the kind of collaboration needed to support mDL adoption.
Changing consumer behaviour takes time. There are those in California who aren’t fans of the DMV’s pilot program, but still believe “that’s where we’re going with technology.” I’m willing to bet that underneath this skepticism is a person who was also hesitant about using contactless payments in shops and having their face scanned at ePassport gates at airports – until they became mainstream. They might have doubts at first, but in the case of mDLs and selective disclosure, I believe that people will soon appreciate being given more control over their digital identity. And all at the press of a button on their phone.
In our experience, people always prefer convenience. Privacy and Security therefore need to be convenient as well.
