Just a Standard Blog
Some passengers can now pass through airport security without ever taking out their wallets.
That’s because a handful of states and Puerto Rico now offer mobile driver’s licenses (mDLs), which are accepted at many airports as if they were your physical identification card. While these cards are relatively new and limited, experts say they will be the future in how you identify yourself online.
Taking Measure asked security engineer Bill Fisher, who manages mDL efforts in NIST’s National Cybersecurity Center of Excellence, to explain what these licenses are and how they’ll be used.
In short, the mobile driver’s license is a digital representation of your physical driver's license. It contains the same information that your physical driver’s license does — your name, address, date of birth and other details.
Well, beyond the potential conveniences of having your driver’s license stored on your phone, mDLs have several properties that give them advantages over physical IDs. First, you’ll have the ability to present them online. If you’ve ever been asked to take a picture of your physical ID for online transactions, such as when setting up a bank account, the process is a pain. I end up taking pictures of the front and back of my license and then emailing them to myself in order to upload the picture to the website I am working with.
Instead, mDLs allow you to present your driver’s license directly from the digital wallet on your phone through your mobile operating system, such as iOS or Android, or wirelessly to a website on your desktop or laptop.
The second major advantage, and the reason the NCCoE is working on mDL adoption, is the security properties mDLs have. They use public key cryptography, the same encryption that we rely on to securely connect our browsers to web servers. Mobile licenses run public key encryption under the covers; it’s extra security that the user doesn’t notice. This is an important quality to help limit potential fraud and defend against AI-generated fake images, known as deepfakes.
If I take the same scenario where a person is asked to take a picture of their license for online transactions, it’s hard for websites to tell if it’s a real picture of a valid driver's license. Physical counterfeits and deepfakes are cheap and abundant. Additionally, the website can’t know who is in possession of the license. It could be you, but it could also be your wife, kid or maybe someone who found the license on the street.
Your mDL is a more secure solution and is often protected by biometric authentication, using your face or fingerprint on your phone. This gives us more confidence that Bill is presenting his license and not Bill’s wife or an attacker.
Financial institutions are the first use cases we’re focusing on in this project. One major reason is that banks have legal requirements to know their customers. That’s why banks put you through identification when you open an account. If I go in person to a bank branch and say, “I want to open an account,” they’ll take various steps to prove I am who I say I am. That’s because they have a legal requirement to vet their customers. They want to make sure I’m not an identity thief pretending to be Bill Fisher.
Those same requirements apply to online transactions. Banks must be able to verify your identity before they can offer you financial services on their websites. Right now, banks might be using knowledge-based questions. Things like: Did you buy a car in 2016? Did you open a mortgage in 2020? We’ve known for decades that this is not an ideal way to verify identities because that information can be found publicly.
Banks are also likely using some form of biometric where they have you take a picture of your license or passport and then a scan of your face to try to match them. But as I mentioned, these systems are being attacked by AI and deepfakes.
The second reason is that financial institutions are a major cybersecurity target. In 2021, there were more than $200 billion in identity-related fraud losses, and that number is assumed to have increased since then. These systems have always been targets, so a mobile driver’s license is another tool in the tool kit for performing identity verification to protect both banks and consumers.
Let’s start with the in-person use case. If you were in person at the bank and needed to present your mobile driver’s license, it would work similarly to using a service like Google Pay, Apple Pay or Samsung Pay. You would bring up your mobile license and tap the phone at a terminal. Your phone would authenticate you to unlock the mDL, which would be presented wirelessly to the terminal.
If you are banking on your phone using a mobile browser or your banking app, your mobile operating system can allow you to present your mDL to those services from a digital wallet on the same device. If you need to show your mDL to a website on a desktop or laptop, you can scan a QR code and provide the mDL wirelessly from your digital wallet on your phone.
Either way, the bank would be able to verify, in a cryptographic manner, that you’re presenting a valid license.
The bank can do this by using the public key cryptography I mentioned earlier, which has strong security protections. The way public key encryption works is that the public key is public and the private key is private. The public key can go anywhere and be used by anyone. The private key is stored in hardware and protected such that only the owner can have it. The fact that the private key cannot be cloned or obtained by another person is what gives the system its security properties.
Right now, only about 15 states (plus Puerto Rico) offer them.
The biggest use case currently is airport security. In most major airports around the country, you can use your mobile license to identify yourself to the Transportation Security Administration (TSA) and get through security. If they accept mDLs, you’ll typically see a Wi-Fi symbol where you can tap your phone and present your mDL instead of a physical card.
Of course, you still need to carry your physical ID card. But especially when traveling, it can be nice to have that redundancy, in case you lose or forget your physical wallet and ID. In today’s day and age, when we’re all so connected to our phones, the odds of you forgetting your phone are probably pretty low.
But in the future, I think these in-person use cases will pale in comparison to the online ones. Amazon has already said it plans to use them for verified accounts, and many organizations see value in using them to help improve account security.
This is an evolving ecosystem, and we’re working through lots of challenges. One of the main challenges is that there are many different standards organizations involved in mDLs, such as the World Wide Web Consortium, the OpenID Foundation and the International Organization for Standardization.
Additionally, we don’t have a national approach to identification. States and territories issue IDs. So, as we roll this out, we’re encouraging state and territorial governments to adopt this technology in a way that follows standards and protects security and privacy. There are also privacy and security concerns at the individual level. Not everyone feels comfortable having an ID on their phone when it’s been a physical card throughout their lives.
And of course, funding is also an issue. States and territories are funding these efforts themselves. So, some states have been early adopters, while others are waiting on legislation or additional money.
This is a really important space for NIST to be in because it involves security, collaboration and standards, which are all areas we operate in.
As in just about everything at NIST, we’re here as conveners. There are so many stakeholders involved in this process — policymakers, regulators, the tech community and many more. We’re working with five of the 10 largest banks. We’re also working with Apple, Google, smaller mobile wallet providers and the Department of Homeland Security, among many others. Our job is to bring those stakeholders together and drive toward solutions that meet security and privacy considerations, as well as real-world business needs. We want to make sure everyone’s equities are considered in this process.
The other piece is standards. Many standards organizations are involved in this technology. So, we’re working with these groups to make sure these standards work well together and that we provide lessons learned as we develop standards.
I’m based in Colorado, one of the first states to offer mDLs. I’ve used it many times when flying in and out of Denver. I also have a habit of asking establishments if they accept mDLs whenever I am asked to present my physical ID.
There aren’t many places that accept mDLs yet, but Colorado is a very tech-forward state. So we’ve had digital driver’s licenses for some time. The difference is that a digital driver’s license is more like a high-resolution image of your license without all the cryptographic verification that a mobile driver’s license has. So, while many places are used to people presenting their driver’s license from their phone, we aren’t at the point where businesses have the ability to validate mDLs.
Europe is moving very fast with its EU Digital Identity Wallet and support for cryptographically backed national IDs. We are also seeing the TSA start to accept digital versions of passports from wallet providers. As AI and deepfakes get more sophisticated, I think we’ll see more and more businesses looking toward mDLs as valuable security tools. As the number of businesses that accept mDLs grows, more people will be inclined to use them.
Our goal for the near term is to socialize this technology with institutions that need to verify people’s identities and to make the public more aware that this technology is available to them. We want to encourage people to try out mDLs and get used to them, as they’ll be a more common part of our digital lives in the years to come.
If you’re interested in a mobile driver’s license, first verify that your state or territory offers one. If it does, you can select the specific instructions for your particular device and follow the simple steps.
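The cryptographic check described in the interview (a verifier confirming that a valid license is being presented by the device that holds its private key) can be modeled as below. This is an added example, not part of the interview and not NIST, wallet or standards code: it is a simplified model rather than the real mDL data format, and the Ed25519 keys, the `Presentation` struct, the `Verify` and `Scenarios` names and the sample claims are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Presentation is a simplified stand-in for what a wallet sends a verifier.
type Presentation struct {
	Claims    []byte            // license data (constructed sample below)
	DeviceKey ed25519.PublicKey // public half of the key kept in phone hardware
	IssuerSig []byte            // issuer signature over Claims || DeviceKey
	DeviceSig []byte            // device signature over the verifier's nonce
}

func signedBytes(claims []byte, dev ed25519.PublicKey) []byte {
	return append(append([]byte{}, claims...), dev...)
}

// Verify returns "" on success, otherwise the reason for rejection.
func Verify(issuer ed25519.PublicKey, p Presentation, nonce []byte) string {
	if len(p.DeviceKey) != ed25519.PublicKeySize {
		return "malformed device key"
	}
	if !ed25519.Verify(issuer, signedBytes(p.Claims, p.DeviceKey), p.IssuerSig) {
		return "issuer signature invalid" // forged or edited license data
	}
	if !ed25519.Verify(p.DeviceKey, nonce, p.DeviceSig) {
		return "device did not sign this nonce" // copy or replay, no private key
	}
	return ""
}

// Scenarios runs an honest presentation, a replayed one, and edited claims.
func Scenarios() (ok, replay, tampered string) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	claims := []byte("name=Sample Holder;dob=1990-01-01") // constructed
	issuerSig := ed25519.Sign(issuerPriv, signedBytes(claims, devPub))
	n := make([]byte, 32) // two fresh 16-byte verifier nonces
	rand.Read(n)
	p := Presentation{claims, devPub, issuerSig, ed25519.Sign(devPriv, n[:16])}
	ok, replay = Verify(issuerPub, p, n[:16]), Verify(issuerPub, p, n[16:])
	p.Claims = bytes.Replace(claims, []byte("1990"), []byte("2010"), 1)
	return ok, replay, Verify(issuerPub, p, n[:16])
}

func main() { fmt.Println(Scenarios()) }
```

A photographed license has neither signature, which is why a verifier cannot distinguish it from a counterfeit or tell who holds it; here a captured presentation fails against a new nonce and edited claims fail the issuer check.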