JULY NIST ANNOUNCEMENT: A watershed moment for mobile driver’s licenses or another false start?
Last week, the National Cybersecurity Center of Excellence (NCCoE) and NIST (National Institute of Standards and Technology) held a briefing on the upcoming mobile driver's license project. Read on to get up to speed on the current state of mobile driver’s licenses (i.e., what’s taking so long), and then learn the latest news about an exciting and potentially major breakthrough announced by NIST that has the potential to change everything.
Mobile Driver’s License: Historical Context
A mobile driver's license (mDL) offers numerous potential benefits that enhance convenience, security, and efficiency in the realm of identification and driving privileges. Firstly, mDLs provide a digital and easily accessible format on smartphones, reducing the need to carry physical cards, streamlining interactions with law enforcement, and simplifying age verification processes at various establishments. Secondly, mDLs can incorporate biometric authentication, enhancing security measures and reducing the likelihood of identity fraud. Additionally, the dynamic nature of mobile licenses allows for real-time updates, ensuring accuracy and immediate reflection of any changes, such as addresses or endorsements. Overall, mobile driver's licenses have the potential to offer a modern, secure, and user-friendly solution to traditional identification, driving privileges, and authentication processes.
Despite their obvious value, mDLs have experienced slow adoption for several key reasons. Primarily, there hasn't been enough coverage in the US (e.g., not enough states issuing them, not enough consumers downloading them) to excite national or global relying parties to fund integration to the multiple providers of mDL. Further, no comprehensive standard exists to enable or integrate multiple providers, so again, you have large companies not wanting to spend money to integrate many different providers. Finally, the REAL ID Act didn't contemplate driver's licenses on mobile phones (hello! 2005 called and it wants the flip phone back).
Having said all of that, this announcement from NIST, along with the work that's happening at the international standards (ISO) level, illustrates that there are collective pushes to standardize both the API interfaces and online use cases for mobile driver's licenses. I don't believe it will happen quickly (e.g., I’m hearing that ISO expects to have part 7 of the ISO driver's license spec released in 2024 - ISO/IEC 18013-7), but at some point, mDL will be a big part of the online identity verification landscape. Relatedly, we’ve seen the Department of Homeland Security working on a subset of REAL ID rules to enable the acceleration of mobile Driver’s License adoption.
Here's a quick recap of the session as shared with the FIDO (Fast Identity Online) Alliance working groups:
NIST walked attendees through the project goals. The project will:
- Develop an open-source reference implementation of ISO/IEC 18013-7 mDL specification for unattended use cases.
- Build prototypes in the lab using products and services from participants.
- Develop security and privacy guidance for implementations
Additionally, the project will set up sandbox environments and participants can build demos of different transaction types, including:
- Attended use cases
- Identity Proofing
- Attribute presentation
- Authentication
- Single sign-on
The NCCoE and NIST are looking for mDL application providers, issuing authorities, verifiers to bring use cases and business processes, identity service providers to provide mDL readers, and third-party trust lists.
Conclusion:
It’s difficult to overstate the potential benefits of mDLs for the general public. Equally difficult to overstate how onerous and complex adoption has proven to be. The recent actions taken by the NCCoE and NIST have me feeling optimistic. It’s too early to say for sure but it appears that we are fast approaching a world where efforts such as ISO/IEC 18013-7, and NCCoE/NIST efforts will provide a framework to accelerate the integration of mDL use cases, and modifications to REAL ID regulations will lead to market saturation of digitized driver’s licenses in the US. With active participation from industry leaders and guidance from NIST, I believe that the United States can craft an mDL-based solution that enables remote identity proofing, improves public safety, protects privacy, and saves everyone a whole lot of trips to the DMV.
Keep reading
Developers know identity verification is an essential element of effective digital onboarding and the customer lifecycle. Choosing the right one can feel like navigating a maze of features and complexity.
In an age where our smartphones have become almost like extensions of ourselves, the identity assurance achieved through smartphone possession and data is a natural evolution.
Rodger Desai, CEO of Prove, a leading identity verification solution provider, offers a unique perspective on the rising fraud in the gig economy, advocating for robust digital identity verification as a key defense mechanism.