Feature: Maximizing security and compliance in the shift towards mobile ID

07/06/16

By Gerald Hubbard, Director of Business Development, GET Group North America  

The way people live, work and play has gone digital so it’s no surprise that our personal identification documents may soon follow suit as state and government agencies explore the adoption of mobile driver’s licenses (mDLs). Moving towards an electronic format for identification isn’t just trendy or convenient; it can help reduce criminal activity associated with plastic driver’s licenses and similar forms of ID.

But in order to be successful, ensuring a secure shift towards mobile identification will require a holistic change in the personal identity ecosystem. Technology safeguards and collaboration between tech vendors and identification-issuing institutions will be critical to ensuring that these new methods of providing identity documents are safe, authentic, secure and compliant.

Making a case for mobile IDs

Today, driver’s licenses and state IDs are the most common identification documents in the world.  Many are used in acts of fraud such as cashing checks, opening bank accounts and boarding flights. In order to combat identity fraud and improve the safety, security and authenticity of personal identification documents, identification-issuing institutions are exploring the use of mobile driver’s licenses accessible via the card holder’s smartphone.

In addition to offering instant updates to addresses and driving records, resulting in shorter lines at the DMV and reduced costs for the state, electronic identification – if done correctly – could become a more effective barrier against fraud, making it harder to produce counterfeits by elevating the quality of personal identification documents with increased clarity and photo quality in digital formats.

Millennial and younger generational preferences are also an important driver behind the push for mDLs. More and more of their day-to-day transactions are taking place on mobile devices, from banking to shopping, and more. These tech-savvy consumers don’t like to carry wallets. While the change to digital “everything” is less universally accepted among older consumers, many of them are tracking right along. For those that remain uncomfortable with the digital age, physical IDs are not expected to go away entirely any time soon. Mobile IDs will simply be a new option that offers extra convenience and security for those who are ready for it.

Imagine, first, the possibilities.

The dream

One day in the future, we’ll all be wondering how we got by without the benefits of a digitized ID system. Proponents anticipate driver’s licenses that can be renewed, updated or revoked in real time without a trip to the DMV (saving everyone time, money and aggravation). Envision an ID that can be instantaneously invalidated and replaced if lost. Additional security features can be added to an mDL to help prevent fraudulent use and to enable new value add applications.

Mobile ID can potentially even serve to improve online security and protect privacy by reducing fraud and administrative costs.

Use scenarios

To understand the complexity of infrastructure needed to enable a mobile ID system, it’s helpful to first consider the multitude of scenarios in which an individual is asked to show proof of identification (usually a driver’s license):

· TSA checks at airports
· Traffic stops by law enforcement
· Retail stores, to show proof of age (e.g., when purchasing alcohol or cigarettes)
· Banks
· Car rental
· Hotel check-in
· Online transactions

Ideally, an mDL will work in all these situations and more, so the system infrastructure should be created with multiple and complex uses in mind.

But in the rush to provide new technology solutions, an exhaustive approach to vetting the quality of the technology vendors and the digitized cards themselves must be a priority when transitioning to electronic formats.

Leveraging established standards in the move forward

While some states are running active pilot programs, and the idea of mobile IDs is generating a lot of enthusiasm, a host of technical and governance issues remain to be worked out. Most stakeholders agree that a migration to mDL programs is inevitable and that when these concerns have been resolved, this evolution will be beneficial.

Identity, Credentials and Access Management (ICAM) technology vendors are working on solutions that address many of the known issues – such as privacy, liability, readability, security, infrastructure, device malfunction and interoperability. They are seeing opportunities to leverage established personal identity standards – such as AAMVA[i], ICAO 9303[ii], ISO 18013 and NSTIC – as identity technology continues to evolve. NSTIC is the US Government’s private sector partnership for the National Strategy for Trusted Identities in Cyberspace.

Compliance with standards is what makes identity documents valid in a variety of national and international scenarios. ISO/IEC 18013-1:2005, for example, “establishes the design format and data content of an ISO-compliant driving license (mDL) with regard to the human-readable (visual) features and the placement of ISO machine-readable technologies on the card.” This creates common standards for the “international use and mutual recognition” of an ISO-compliant driver’s license (IDL) without “restricting individual domestic or regional driver licensing authorities from incorporating their specific needs on the mDL.” Ultimately, this allows for one identity document to be recognized by driver licensing authorities for both domestic and international purposes. [iii] Utilizing technology that allows mobile documents to maintain compliance with these types of standards will support a more streamlined and efficient transition to digital adoption when the time comes.

Successful deployments may include federated ID authentication for automated mDLs, use of an mDL to sign electronic documents, and even protection of the privacy and confidentiality of information exchanged over public networks, using a mobile DL with an encryption certificate built into the app. This could allow mobile identities to increase access to online services for Government to Citizen (G2C) and Business to Consumer (B2C) transactions. Examples are non-repudiation of digital signatures, encryption, and secure authentication for online access to services.

In order for a true migration to digital formats, an IT infrastructure will be necessary that supports a positive user experience while allowing mDLs to remain in compliance with today’s international standards related to conformity and authentication of personal identification. Systems will also have to work together across jurisdictions, different contractors, and vendors so authorities in any state will have the ability to read and authenticate a driver’s license from elsewhere.

Ultimately, an effective national framework will likely support a chip-enabled card (eDL) with data securely replicated or derived on an mDL. Solutions will incorporate highly secure technology to prevent imposter mDLs and enable non-repudiation of transactions. Secure enrollment processes will be essential to make it possible for users to issue mDLs instantly – allowing citizens to readily identify themselves and use value-add services without delay. The DMVs are positioned to issue a trusted credential with their current “in-person-proofing” work flow at the DMV office. The technology will enable law enforcement to securely access and verify data on both the eDL and mDL.

The architecture will be one of the cornerstones of the technology’s success. Solution components should be based on security and privacy fundamentals, while providing reliable authentication and validation.

The personal identification landscape ahead

While a primary advantage of mDLs is that added levels of identity security can be built in, switching to digital formats will require special reader devices that can, for example, scan a 2D barcode for authentication or use near field communication (NFC) with passive authentication technology. At a minimum, reader devices and technologies have to be made available to law enforcement, issuing agencies, retailers, and other card-reviewing agents, and should be affordable, compatible and easy to use.

ICAM vendors are working with technologies used for enrolling, capturing, and accessing data for identity documents. In the future, real-time verification will likely be enabled with mobile handheld devices and conducted both online and offline, ensuring that poor telecommunications coverage in certain areas won’t disable use.

Rigorous security measures will be used for all data capture. Enrollment technology will require hardware and applications for acquisition of biographic and biometric data from applicants. Biometric validation will provide an added layer of security to avoid fraudulent use of the mobile ID. Encrypted communications will help protect individuals’ privacy and prevent data and identity theft.

Lifecycle management with a centralized data repository should hold individual records and control all mobile DLs, with the IT infrastructure residing in high-security facilities. 

The electronic infrastructure will be equipped to provide an audit trail, useful in assuring accurate record-keeping and, for example, resolution of adjudication disputes. It will also enable verification of both mobile driver’s licenses and personally identifiable information (PII). Levels of access authority will keep a user from viewing data that isn’t needed for their purposes – so that, for example, a liquor store clerk will only be able to verify identity and birth date, with no visibility into health or driving records – and assure the card holder’s privacy.
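The access levels and audit trail described above can be sketched as follows. This is an added example, not code from the article or from any vendor: the role names, field names, sample record and hash-chained log format are all assumptions made for illustration.

```python
import hashlib
import json

# Hypothetical role-to-attribute policy; roles and field names are illustrative.
POLICY = {
    "retail_clerk": {"name", "portrait_ref", "birth_date"},
    "law_enforcement": {"license_id", "name", "portrait_ref", "birth_date",
                        "address", "driving_record"},
}

class AuditLog:
    """Append-only log; each entry's digest covers the previous digest."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        self.entries.append({"event": event, "prev": prev,
                             "digest": self._digest(prev, event)})

    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["digest"]:
                return False
            prev = e["digest"]
        return True

def disclose(record, role, verifier_id, when, log):
    """Return only the attributes the role may see; log names, never values."""
    allowed = POLICY.get(role)
    event = {"when": when, "verifier": verifier_id, "role": role,
             "license_id": record["license_id"]}
    if allowed is None:  # unknown role: default deny, still audited
        log.append({**event, "released": [], "outcome": "denied"})
        raise PermissionError(f"no disclosure policy for role {role!r}")
    view = {k: record[k] for k in sorted(allowed) if k in record}
    log.append({**event, "released": sorted(view), "outcome": "ok"})
    return view

# Constructed sample record, not real data.
SAMPLE = {"license_id": "X0000000", "name": "Jane Sample",
          "portrait_ref": "portrait-0001", "birth_date": "1990-04-12",
          "address": "1 Example St", "driving_record": ["constructed entry"],
          "health_restrictions": ["corrective lenses"]}
```

The chain only makes edits detectable if the latest digest is also kept somewhere the log's operator cannot rewrite it.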

Conclusion

The conversation around mobile ID is going to continue. Plenty of “what-if” scenarios will have to be carefully considered in designing systems to offer and accommodate this new technology. At face value, it seems like a move to mobile identification is a no-brainer – if we can do our banking on our smartphones, surely we can prove identity that way, and after all, e-passports and e-boarding passes are already in use. At the same time, numerous complexities and nuances in the use and governance of such a system must be carefully weighed. Of course it will happen, probably sooner rather than later, but effective system design is going to take some time. Collaboration is needed between the companies inventing the technologies and infrastructure, and the stakeholders that will issue, use, and govern these mobile IDs.

Demonstrating the security, compliance and benefits of digital identification will help create demand and drive market adoption. Finally, with a trusted system infrastructure in place, mDLs will offer new revenue opportunities for state and local governments as citizens make the switch to mobile.

[i] American Association of Motor Vehicle Administrators

[ii] International Civil Aviation Organization. “Document 9303” contains current ICAO specifications for machine-readable passports, visas and ID cards (“travel documents”) used in crossing borders.

[iii] ISO.org, ISO/IEC 18013-1:2005, Information technology -- Personal identification -- ISO-compliant driving licence -- Part 1: Physical characteristics and basic data set

 
