Digital ID Security is Safer than You Think
Product & Tech Updates by Dave Holmes
Digital identification (Digital ID) and mobile driver's licenses (mDL) are currently hot-button topics. Organizations from states to national governments are seeking to introduce these technologies on the grounds of improved security, convenience, and error protection. Still, many are wary of the potential for security and privacy violations.
The idea of replacing printed identification papers or cards with a smart card or a digital ID within a mobile app isn't new. In 2007, Mexico deployed the first electronic driver's license on the foundation that other forms of ID—such as loyalty and national ID cards—had already paved the way. Last year, interest accelerated with the introduction of the ISO 18013-5 standard for mobile driver's licenses.
Many states across the US have already adopted mDL usage, and other states, like California, are holding trial runs to address security concerns before implementation. However, the US isn't the only country looking into digital IDs and actively drafting legislation for their implementation. Governments worldwide are launching pilot trials and forming task forces to develop mobile standards for driver's license applications. ISO 18013-5 will continue to be the international standard and provide privacy guidelines for users as countries around the world push for digital ID adoption. The ISO standards were created with the goal of interoperability in mind, and adoption among varying countries, states, and jurisdictions will enable mDLs to be used across borders.
Properly handled, the transition from printed to digital ID should only improve processes for those holding the ID and those verifying the credentials. Yet, that doesn't mean there haven't been rising concerns surrounding the technology. In this article, we'll address some of the more common questions regarding digital ID and mDL technology and hope to dispel some myths surrounding them.
"What is a Digital ID/mDL?"
A driver's license is a physical document associated with an individual issued by a trusted government organization. Many entities use a driver's license to verify the individual's identity and biographical information (such as age, date of birth, or residence). An mDL is a secure digital representation of DL data that is provisioned onto a smart mobile device, such as a smartphone or smartwatch, for use by the proper, intended mDL Holder. It can also contain information relevant to additional state privileges or national context.
When used for in-person transactions, a digital ID provides electronic authentication, which gives the verifier confidence in the presented ID without requiring specialized knowledge to confirm a physical driver's license.
"Will adopting Digital IDs lead to a centralized Federal ID database?"
The introduction of the REAL ID Act in 2005 brought with it Federal Government requirements for identification, including driver's licenses. While the REAL ID requirements don't include mandatory digital ID, they certainly don't forbid it, leading to a pervasive myth that REAL ID, digital or otherwise, will be used as a national ID card system with a centralized database.
Not so, says the Department of Homeland Security: "REAL ID is a national set of standards, not a national identification card. REAL ID does not create a federal database of driver license information. Each jurisdiction continues to issue its own unique license, maintains its own records, and controls who gets access to those records and under what circumstances."
"Does scanning a mobile driver's license "ping" any sort of database?"
The introduction of technology, rather than the human eye, into the process of checking a driver's license guarantees the document's legitimacy. Many, though, are concerned that each time an mDL is scanned, it will send traceable information as a query to a database, giving an opportunity to record who has been asked for ID and where.
While technically possible, that's not how mDLs are being implemented. A spokesperson for Arizona's Motor Vehicle Division, Bill Lamoreaux, told the Los Angeles Times that the technology "is device to device," operating entirely locally. "We don't know when or where these [mDLs] are used, as with a physical, plastic license or ID."
California's digital ID trial will address this privacy concern with mandatory protections, stating that the applications holding the ID will not be permitted to use tracking or other forms of data mining. The mDL and the corresponding mobile app are prohibited from gathering additional data beyond what's needed to perform their stated functions, including location information.
"Do mobile driver's licenses share vast quantities of personal data?"
Copying someone's details from a physical ID card is easily recognizable, usually involving a camera, photocopier, simple pen and paper, or even stealing someone's wallet. The speed and covertness with which digital data can be transferred, however, give rise to another common concern: that criminals could snag all your private data with little more than a tap of your mDL.
However, an mDL can provide secure, convenient identity verification capable of eliminating fraud. "The mDL Holder controls access to the data when responding to a Verifier request," explains the Secure Technology Alliance. "The mDL Holder accesses or allows access to the data contained in the mDL through a downloadable app approved by the issuing authority. The app allows Holders to determine whether, to whom, and what mDL data they wish to share during a specific encounter." Overall, the mDL is a new way for businesses to cryptographically verify identity, and it offers the ability to easily reassure Digital ID holders that their privacy is protected.
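The holder-controlled sharing described above can be checked cryptographically because ISO 18013-5 credentials are built on salted digests: the issuer signs a list of per-element hashes, and the verifier validates only the elements it is shown. The following is an added, simplified model of that idea, not code from this article or from Socket Mobile. It assumes JSON in place of the standard's CBOR encoding and an HMAC as a stand-in for the issuer's public-key signature, leaves out device authentication and transport encryption, and uses constructed sample data.

```python
import hashlib, hmac, json, secrets

# Constructed sample data; element names are illustrative.
SAMPLE_CLAIMS = {"family_name": "Example", "birth_date": "1990-01-01",
                 "resident_address": "1 Constructed St", "age_over_21": True}
# Stand-in for the issuer's signing key. A real mDL uses a public-key
# signature, so verifiers never hold the issuer's secret.
ISSUER_KEY = secrets.token_bytes(32)

def _encode(obj):
    return json.dumps(obj, sort_keys=True).encode()  # real mDLs use CBOR

def _digest(item):
    return hashlib.sha256(_encode(item)).hexdigest()

def _sign(data):
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).digest()

def issue(claims):
    """Issuer: salt every element, then sign only the list of digests."""
    items = {name: {"digestID": i, "random": secrets.token_hex(16),
                    "elementIdentifier": name, "elementValue": value}
             for i, (name, value) in enumerate(claims.items())}
    signed = _encode({str(it["digestID"]): _digest(it) for it in items.values()})
    return items, signed, _sign(signed)

def present(items, requested, approved):
    """Holder app: release only elements that were requested AND approved."""
    return [items[n] for n in requested if n in approved and n in items]

def verify(disclosed, signed, signature):
    """Verifier: check the issuer signature, then each disclosed element."""
    if not hmac.compare_digest(_sign(signed), signature):
        raise ValueError("issuer signature invalid")
    digests = json.loads(signed)
    result = {}
    for item in disclosed:
        expected = digests.get(str(item["digestID"]))
        if expected is None or not hmac.compare_digest(expected, _digest(item)):
            raise ValueError("element does not match a signed digest")
        result[item["elementIdentifier"]] = item["elementValue"]
    return result

if __name__ == "__main__":
    items, signed, sig = issue(SAMPLE_CLAIMS)
    shared = present(items, ["age_over_21", "resident_address"], {"age_over_21"})
    print(verify(shared, signed, sig))  # only the approved element
```

The per-element random salt is what keeps the signed digest list from leaking undisclosed values: without it, a verifier could guess a birth date or address and confirm the guess by hashing it.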
"Isn't Digital ID technology unproven?"
It's true that digital IDs and mobile driver's licenses are new and not fully adopted by the masses yet. And new technology, as everyone knows, isn't always the most reliable. It's one thing when a new coffee maker turns out substandard drinks, but putting your ID on the line is very different.
The core concepts behind digital IDs are well-established, however. The technologies on which they are built are proven and trustworthy, and the ISO standard for mDLs offers a range of measures designed to protect privacy and security. Near-field communication (NFC) readers, like our SocketScan S550 NFC Mobile Wallet Reader, include cryptographic protections and are designed to transfer and validate only the information required for a given transaction - whether that's entering a secure facility or just proving your age for a drink.
As the nation moves towards the REAL ID deadline of May 3, 2023, and countries worldwide are increasingly adopting mDLs and other forms of digital ID, it's time to put these myths to rest - and to embrace the oncoming transition with the enhanced security and privacy it promises.
Socket Mobile is looking forward to helping our users step into this new revolution of digital IDs and take advantage of the heightened security measures they propose. We provide barcode scanners and contactless readers that support ISO 18013-5 credentials (such as the S550 and the new S370) and, as mentioned above, devices that only read the information that the digital ID holder chooses to share with the merchant. Our devices authenticate the Bluetooth connection used to send and receive data, and links are encrypted for ultimate security. We're committed to providing safe data capture solutions that increase mDL reading abilities for our end-users and provide peace of mind for those presenting their digital ID on the other side of the scanner.