Can you recall the last time you opened a bank account? It’s likely you walked into a local bank branch and spoke to a representative who asked for your driver’s license and social security card to verify your identity. Now imagine you want to create a bank account online. The process is likely similar—type in your social security number, take a picture of your driver’s license, and submit both to the bank via their webpage. Seems straightforward, right?
Credit: Shutterstock
Identity verification is important—it protects us from identity theft and reduces the risk of fraud and unauthorized access for organizations like the bank. When you present a passport to get on a plane, a driver’s license to get access to government services, or your social security card when starting a job with a new employer, you are giving the person or organization you are working with the assurance that you are who you say you are. This process allows them to trust you and move forward with the transaction. However, when completing a transaction online, things get more complicated.
In recent news you may have seen headlines around online fraud, identity theft, artificial intelligence, deep fakes, and other challenges we face in the digital world. As a growing number of services and transactions move online, we face a changing risk landscape that makes it harder to protect individuals and organizations from bad actors. For example, traditional means of identity verification where you present an ID like a driver’s license for physical inspection does not work for online transactions. Current best practice for online identity verification asks users to take a picture of their driver’s license with a smart phone and to answer knowledge-based questions. The efficacy of these methods is being eroded by new technology such as images of driver’s licenses generated by artificial intelligence that are so accurate that document scanning tools believe they are real, compounded by the ability of bad actors to get ahold of the information needed to answer knowledge-based questions.
However, advances in technology and the ubiquity of smartphones are changing the way we think about and present our identities both in person and online. Among these innovations is the emergence of mobile driver’s license (mDLs). mDLs function much like a traditional driver’s license, carrying information such as name, date of birth, and address but in a digital format accessible through a dedicated mobile application, often referred to as a digital wallet. Governments around the world are exploring how digital credentials like mDLs can be used to replace physical forms of identification. In Europe, the European Commission has passed regulation directing member states to implement a European Digital Identity Wallet. In the U.S., several states have already deployed mDLs that can be used to purchase alcohol or be presented to the Transportation Security Administration (TSA) when boarding a plane.
Identity Verification in the Digital World
mDLs offer several potential benefits. Unlike a physical driver’s license mDLs offer you the convenience of storing your credentials digitally on your smartphone. For use cases like physical security checks or age verification, these processes could take less time while also minimizing the data that you need to expose. But perhaps the biggest benefit of mDLs is your ability to use them seamlessly for digital and online transactions.
Recall the previous example of creating a bank account online. Even if you follow all the steps the bank asks for, you may still find that remote verification could not be completed and you need to visit a local branch for in-person verification. The reality is that physical driver’s licenses were not designed for our online world. Security elements such as holograms, tactile features, and microprint are designed to be physically examined in-person to ensure your driver’s license is legitimate. These same features provide less assurances when you take a picture of your driver’s license to be examined by online software.
mDLs, however, are designed with digital and online transactions in mind. They are underpinned by public key cryptography and work with biometric authentication that provides assurances of the validity of your license and that you are the person using it, helping to reduce identity theft and fraud. They can work natively between two mobile applications on your smartphone but also in cross device flows between mobile applications and the web browser on your laptop or tablet. They also offer the potential for selective disclosure, which would allow you to pick and choose which information from your driver’s license you want to share with third parties. Their ability to be used online could also help alleviate accessibility and equity challenges, such as individuals with physical disabilities or geographic constraints. Transactions at financial institutions, healthcare providers, government services, and many other organizations could benefit from enhanced customer experiences, more accurate identity verification, and reduced fraud if they supported mDLs.
Addressing Challenges to Realize Adoption
As with any new technology, the advancement of mDLs raises important questions around security, privacy, usability, equity, accessibility, and interoperability. To realize the full value of mDLs, collaboration is needed to mature standards, best practices, and protocols that safeguard user data while promoting adoption of mDLs.
This is why the National Cybersecurity Center of Excellence (NCCoE) is bringing together stakeholders from across the mDL ecosystem to build out a reference implementation to promote standards and best practices for mDL deployments and to address mDL adoption challenges. The first NCCoE use case will focus on helping consumers to create financial accounts and financial institutions to meet Customer Identification Program/Know Your Customer (CIP/KYC) requirements using mDLs. The reference architecture for this project will explore multiple mDLs capabilities to include:
- Remote Identity Proofing – remote presentment of mDLs as identity evidence with verifiable user attributes as part of an identity proofing process to establish core identity and meet CIP requirements.
- Authentication – user authentication after identity proofing and account issuance. This may include using the mDL as an authenticator or may leverage the binding of a phishing-resistant multi-factor authenticator.
- Step-Up Verification – after user authentication, using the mDL as a step-up verification for high-risk transactions or when fraud is suspected.
The NCCoE project will work in collaboration with technology providers, regulators, standards bodies, government agencies, and organizations seeking to adopt mDLs. Currently, the NCCoE is seeking collaboration from financial institutions for our first use case. Specifically, we need feedback on front end and core technology architectures so we can better understand how mDLs can be integrated into current financial institution technology stacks. We also need details on online financial account opening and use to gain clarity on how mDLs augment these business processes. Lastly, we need a better understanding of how financial institutions consider the value that mDLs may bring in fraud prevention and meeting regulator expectations for CIP/CYK requirements.
If you’d like to participate in this effort, please request a letter of interest from mdl-nccoe [at] nist.gov (mdl-nccoe[at]nist[dot]gov).
If you’d like to stay up to date on this project, join our mDL community of interest. We look forward to working with you to realize the potential of mDLs.