  • singalashok

Exploring the Role of Standards in Global Mobile Driver's License Implementation

Recap:

  • Part 1 explores the potential of mobile driver's license (mDL) technology, highlighting its benefits in enhancing security, privacy, and convenience for digital identification. It focuses on how it may replace traditional physical IDs in the future.

  • Part 2 provides a detailed guide on how the provisioning and verification processes of mDLs work, explaining the steps involved in securely issuing and verifying digital IDs, including encryption, user authentication, and interaction with third-party systems for validation.


image showing how mDLs standards can improve the daily lives of people
Copyright Demystify Biometrics

Before we dive into the theory of standards, here’s an exciting story of Jane to illustrate how the mDL standards will affect our everyday life once the mDL is adopted:


Imagine Jane is traveling cross-state from Georgia to Louisiana in the U.S. At the airport security checkpoint in Georgia, she presents her mobile driver’s license (mDL) on her phone. Thanks to ISO 18013-5, the security agent can verify her identity offline using stored credentials, ensuring her data remains secure. Later, when renting a car, ISO 18013-7 kicks in, enabling real-time, online verification of her mDL. The rental kiosk connects directly to Jane’s issuing authority, confirming her license's expiration and revocation status in seconds, allowing her to drive legally in Louisiana.

 

The blog has three main objectives for the audience:

  • Understand the Importance of Standards: Highlight the role of standards in ensuring efficient, secure, and interoperable mobile driver’s license (mDL) implementation across different jurisdictions globally.

  • Learn About Operational Models: Clarify the differences between online and offline modes of mDL data verification, including attended and unattended use cases, with examples to illustrate how each model functions.

  • Familiarize with ISO 18013 Standards: Provide an overview of the ISO 18013 series that governs mDLs, emphasizing key standards and their importance for security, testing, and data exchange.

 

Operational Models

AAMVA guidelines have defined two distinct methods for retrieving the data necessary to verify the authenticity and integrity of mobile driver's license (mDL) data. These methods are categorized as offline and online, each with its own set of standards. In both modes, the data can be further verified by either a human or a machine, leading to attended and unattended use-cases. The table below describes these operational models of mDL with examples to better understand these models. Separate standards cover the requirements for each mode.

 

Online Mode

Definition: The mDL is validated against real-time data from a network.

Pros & cons: This ensures that the most current information is used, but it requires an internet connection.

Attended Use-case:

  • Airport security checkpoint where an agent verifies the mDL

  • A traffic stop where law enforcement verifies the mDL in real-time through a network connection to validate the license data

Unattended Use-case:

  • Online age verification for e-commerce, where the mDL is checked in real-time by an automated system

  • Self-service kiosks for rental services, where the mDL is validated online before granting access.

Offline Mode

Definition: The mDL is verified without a network connection, using pre-loaded or stored credentials, ensuring verification can still occur in areas without internet connectivity.

Pros & cons: This mode is useful when there’s no internet connection but may not have the most up-to-date information.

Attended Use-case:

  • Checking into a hotel where a clerk scans the mDL without needing an immediate network connection

  • Entry into a venue or event where security personnel verify the mDL using a local device with pre-loaded validation keys

Unattended Use-case:

  • Accessing a building or facility with a card reader that verifies the mDL against stored credentials without a network connection

  • Renting a car from a self-service kiosk where the mDL is validated against local data.

Importance of Standards

Background: The Universal Serial Bus (USB) standard allows devices from different manufacturers (e.g., phones, laptops, printers) to connect and communicate seamlessly. Without this standard, each manufacturer might use a different connector, making it difficult for users to connect devices. In short, standards provide a common language that everyone adheres to, facilitating compatibility, improving efficiency, and ensuring product reliability across various sectors.

 

Similarly, the standards for mDLs outline the interfaces and necessary requirements for efficiently retrieving and authenticating identity document data from an mDL. Additionally, they define uniform methods for engaging with an mDL for identity and driving privilege applications, ensuring that

  • mDLs are universally compatible across different issuing authorities

  • verifiers (relying parties) can authenticate a holder's identity using the same equipment, regardless of where their mDL was issued.

 

ISO/IEC 18013 Standards

 

At Identity Week in Washington DC last week, Michael McCaskill, the director of identity management at the AAMVA, presented the evolution of the ISO/IEC 18013 standard for mDLs.

Image showing the evolution of the mDL standards over the years
Identity Week DC 2024 - Screenshot from the AAMVA's Michael McCaskill's Session

Instead of just reciting what each standard in the mDL series entails, I have used a storytelling approach to demonstrate how each standard will impact our daily lives once mDL is adopted internationally:

 

18013-1

The standard defines the physical characteristics and basic data set for an ISO-compliant driver's license, including card size, layout, materials, security features, and driver information like name, address, date of birth, and license number.

Imagine Sarah moves to a new country and needs to drive. When she presents her mDL at the local department of motor vehicles, the clerk immediately recognizes its layout and security features, thanks to ISO 18013-1. This standard ensures that regardless of where her mDL was issued, it follows the same rules for size, data format, and key information (name, birthdate, license number), making it universally recognizable and easily verifiable by authorities across borders.

18013-2

This standard provides requirements for the design and implementation of machine-readable technologies (barcodes and RFID) for their use in driver licenses. It specifies data elements, encoding schemes, data structures, positioning, layout, and recommendations for testing and validation of the technology.

Lena is renewing her driver’s license at a self-service kiosk. Thanks to ISO 18013-2, her mobile driver’s license (mDL) barcode and RFID chip are machine-readable, ensuring the kiosk can scan and verify her data instantly. The standard defines how data is encoded and positioned, making it easy for any device, whether at a local DMV or an international airport, to read her mDL. Lena quickly completes her renewal without needing to interact with staff, saving her time.

18013-3

This standard provides requirements for the design and implementation of security features to prevent unauthorized access, tampering, or counterfeiting of driver's license data, including encryption, digital signatures, biometric authentication, and access management.

Mike is excited to use his new mobile driver’s license (mDL) to enter a music festival. As he scans his mDL at the gate, ISO 18013-3 ensures that his data is protected by encryption and digital signatures. This security standard prevents unauthorized access and tampering, so even if someone tries to intercept the data, it remains safe. The festival’s system also uses biometric authentication, verifying Mike’s identity with his face to ensure no one else can use his mDL.

18013-4

This standard describes testing methodologies for verifying the accuracy and completeness of data elements, the readability and functionality of machine-readable technologies, and the effectiveness and robustness of security features and mechanisms.

At a car rental agency, Raj is using his mobile driver’s license (mDL) to rent a car from a self-service kiosk. Thanks to ISO 18013-4, the kiosk ensures the machine-readable data is accurate and reliable by testing for completeness and verifying security features. It checks the data structure, ensuring Raj’s information is intact and tamper-free. This standard guarantees that the systems are well-tested for accuracy, making Raj’s rental experience seamless and trustworthy.

18013-5

This crucial standard for mDL was approved on August 18, 2021 and published on 30 September 2021. It outlines the necessary security requirements, data elements, and information exchange protocols for data exchange between mobile devices and verifiers (relying parties). It focuses on offline, in-person use cases where holders are in close proximity to verifiers during the presentation of their mDL data.

Mark is at a concert venue, and instead of carrying his physical ID, he uses his mobile driver’s license (mDL). Thanks to ISO 18013-5, the security requirements and data exchange protocols ensure that his mDL can be verified offline by a nearby device, even without an internet connection. The venue staff quickly confirm Mark’s identity and age using stored credentials, and they do so without his date of birth being shared (selective disclosure), ensuring secure access without needing real-time network verification.
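To make offline verification with selective disclosure concrete, here is an added example (not from the original post and not the standard's actual encoding): a simplified model in which the issuer signs salted per-element digests and the reader checks only what the holder releases. The function names and sample data are hypothetical, and HMAC stands in for the issuer's digital signature so the code runs with the Python standard library alone.

```python
import hashlib, hmac, json, os

# Constructed demo key. HMAC stands in for the issuer's digital signature so the
# example needs only the standard library; a real reader holds a public key.
ISSUER_KEY = b"constructed-demo-issuer-key"

def _digest(salt_hex, name, value):
    # Salted hash: the salt stops a reader guessing undisclosed values.
    data = bytes.fromhex(salt_hex) + json.dumps([name, value]).encode()
    return hashlib.sha256(data).hexdigest()

def _sign(signed):
    msg = json.dumps(signed, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue(elements, valid_until):
    """Issuer: salt and hash every element, then sign digests plus expiry."""
    items = {n: {"salt": os.urandom(16).hex(), "value": v}
             for n, v in elements.items()}
    signed = {"valid_until": valid_until,
              "digests": {n: _digest(i["salt"], n, i["value"])
                          for n, i in items.items()}}
    return items, signed, _sign(signed)

def present(items, requested):
    """Holder: release only the requested elements (selective disclosure)."""
    return {n: items[n] for n in requested}

def verify_offline(disclosed, signed, signature, today):
    """Reader: no network call. Revocation after issuance is NOT visible here."""
    if not hmac.compare_digest(_sign(signed), signature):
        return "reject: issuer signature invalid"
    if today > signed["valid_until"]:          # ISO dates compare as strings
        return "reject: credential expired"
    for name, item in disclosed.items():
        if signed["digests"].get(name) != _digest(item["salt"], name, item["value"]):
            return f"reject: element {name} altered"
    return "accept"

if __name__ == "__main__":
    # Constructed sample data.
    items, signed, sig = issue(
        {"family_name": "Doe", "birth_date": "1990-04-01", "age_over_21": True},
        valid_until="2026-12-31")
    shown = present(items, ["age_over_21"])
    print(sorted(shown), verify_offline(shown, signed, sig, "2025-06-01"))
```

The reader learns only the age flag, yet can still detect an altered value or an expired credential. A license revoked after issuance would still pass this offline check, which is the gap online verification closes.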

18013-6

This standard is a work in progress and will likely be published in a year or two. It outlines the technical specifications for testing the functionality, security, and interoperability of an mDL application.

Emma is using her mobile driver’s license (mDL) to board a flight. Thanks to ISO 18013-6, the airline’s system has been rigorously tested for functionality and security, ensuring that the mDL works seamlessly across different platforms. The standard ensures that her mDL is interoperable, regardless of the airline or airport, providing a smooth experience. Her data is protected, and the system efficiently verifies her credentials.

18013-7

The '-5' standard is for offline, in-person use, while the '-7' standard is for online use (attended and unattended). The '-7' standard is still in draft and could be published this or next year. It sets requirements for the interface between the mDL reader and the issuing authority infrastructure for real-time verification of credentials against the jurisdiction's database to check driving license status.

Carlos is renting a car from a self-service kiosk at the airport. Thanks to ISO 18013-7, the kiosk verifies his mobile driver’s license (mDL) in real-time by connecting to the issuing authority’s database. This standard ensures that his mDL is authenticated online, checking for up-to-date license status and driving privileges. The process is fast, secure, and requires no human intervention.

Summary


Image showing Alex on the left hand using offline mDL authentication and online mDL authentication on the right hand side
Copyright Demystify Biometrics
  • On the right side, Alex uses the mDL offline at a music festival, where verification happens against stored credentials. (-5 standard)

  • The left side shows Alex verifying their mDL online at an airport car rental kiosk, with data checked via an internet connection. (-7 standard)

  • Both scenarios display a green checkmark for successful verification.






Disclaimers

  • I truly appreciate your understanding that the content is based on my secondary research.

  • Although the blog contains detailed information on several concepts, I have deliberately presented the content at a high level to ensure that it is easily comprehensible to everyone without compromising its accuracy.

  • Your feedback is invaluable, so please do not hesitate to share your comments if you come across any inconsistencies in the content.

  • Additionally, the images featured in the blog are original and are the exclusive property of my company, Demystify Biometrics.

  • To ensure the information's accuracy and tone, AI-based tools have been utilized for research and content refinement. Your support and understanding mean a lot—thank you for being part of this journey.

