Identiverse panel cracks open international mDL standards

Oh what a tangled web we weave when talking about digital identity online and digital driver’s licenses: so says a panel of experts convened at Identiverse 2024 to discuss decentralized identity management standards and protocols, with a focus on mobile driver’s licenses (mDLs) and digital credentials.
Hosted by OpenID Foundation Executive Director Gail Hodges, the Industry Whispers panel emphasizes the need for a unified approach to standards on mobile driver’s licenses to ensure trust, security and privacy. Digital identity professionals working on major projects in the EU and the U.S. believe secure cryptography is key to implementing the digital identity verification systems that underpin a trustworthy mDL ecosystem. But, as is often the case in balancing privacy and security with customer experience, trusted methods must come with a minimum of friction.
Drive for interoperability causes collisions between standards
Orchestrating complexity is a fundamental challenge. To quote Hodges, “worlds have been colliding” in trying to align standards bodies on the issue of digital identity and mDLs. Ryan Galluzzo, the digital identity program lead for the Applied Cybersecurity division at the National Institute of Standards and Technology (NIST), says that “from the decentralized perspective, there are a lot of standards and protocols layered on top of each other, and each one of them is owned by different organizations.”
Galluzzo points to four main global standards that form the foundation of the conversation. The World Wide Web Consortium (W3C) is responsible for the data model and the structures around verifiable credentials. The OpenID Foundation is developing its model for ID presentation and verifiable credential issuance protocols. The International Standards Organization (ISO), Galluzzo says, “triggered these larger conversations.”
And the National Cybersecurity Center of Excellence (NCCoE) is “very focused on understanding these kinds of mobile driver’s license standards, where they exist today and where they’re going next, and how they fit within this broader context,” which currently encompasses several models addressing different challenges, from basic functionality to online presentation.
Under those four major players, says Galluzzo, exists a whole web of smaller projects that create a veritable jungle of digital identity standards. “If you’ve got an acronym and you produce standards, you’re probably involved in this.”
Making sure all these different standards work together is crucial to preventing a glut of different, uncoordinated digital wallets and credentials. “I don’t want to have to have fifteen different wallets for fifteen different types of credentials and credential formats,” Galluzzo says. “I want to have one wallet that can interoperate, maintain multiple credentials and credential formats, and present them in an easy and consistent way online.”
Trusted relying parties are key to widespread adoption
A key takeaway from John Bradley, senior principal architect who has been deeply involved with FIDO and contributed to several protocol specification efforts, is that despite the need for advanced cryptography, the quick progress on mDLs means systems will need to rely on traditional cryptography for at least five years. Bradley also echoes Galluzzo’s concern about interoperability of digital wallets.
“We don’t want all of the issuers to issue their own wallets,” he says. “We want people to be able to choose a wallet and put credentials in it. So the issuers have to be able to trust the wallet. They have to be able to trust that the wallet does the right thing with the credentials and has the appropriate security.”
But Bradley warns against monopolizing trust, and emphasizes the key role of relying parties (RPs). “We need to figure out how the RPs can be trusted by the wallets who are acting on behalf of the issuers.”
Complicating the matter are achieving trust in international identity transactions (so that, for example, a California-issued credential is trusted in the EU), the breadth of data disclosed, and the risk of wallets themselves becoming a privacy liability. “What wallets you have actually tells you a whole heck of a lot about you,” Bradley says. “If I have a wallet from Uruguay, you might as a relying party be able to guess maybe that’s where I’m from.”
California dreaming leads to hybrid digital driver’s licenses
Standards beget working groups, making the landscape even more varied than it first appears. This is all before taking implementation into account. California, however, may have it figured out, at least in part. Explaining the state’s hybrid approach to digital driver’s licenses, Chief Digital Transformation Officer Ajay Gupta says the shifting nature of the digital ID and mDL ecosystem globally prompted California’s decision to support more than one digital credential format.
“We are not necessarily interested in calling out one standard, if it’s good or not,” he says, pointing instead to California’s data privacy laws, which are among the strictest in the U.S. “We know that we want to get there as soon as possible, where we have cryptographically safe digital credentials available for people to present. We reduce operational burden. We reduce the transaction costs, and we give the power to the holders the same way they have with the plastic card today. But while doing that, avoiding the digital trace that becomes a very big problem as soon as the digital credentials are out there in the world.”
California considered all of this in implementing its mobile driver’s license scheme. “That’s why we have this hybrid wallet. That’s why we have the first online implementation of a digital credential in the nation at this point in time that lets you log in, that lets you verify your identity at this point in time.”
To use Galluzzo’s metaphor, as the world drives along the highway that leads to mDLs, a game of bumper cars is inevitable. But despite bumps, Galluzzo – who objects to the ‘tangled web’ tag – is “fairly optimistic that we are at least going in the same direction.”
Panel identifies healthcare, auto rental as potential use cases for digital credentials
A separate Identiverse panel interrogated mobile ID ecosystem dynamics through the lens of public-private partnerships. Teresa Wu, vice president of smart credentials for Idemia, leads a discussion on the evolution of mobile ID issuance and adoption.
Key takeaways span the breadth of the digital ID and mDL ecosystem. Panelists say uptake of mobile IDs is increasing, transforming the Know Your Customer (KYC) process from a probabilistic to a deterministic approach. They identify new use cases for mobile IDs in the healthcare sector for identity verification and in rental car services to prevent fraud in real time. And they note the critical role that the Transportation Security Administration (TSA) and the American Association of Motor Vehicle Administrators (AAMVA) play in maintaining consistency and interoperability across jurisdictions by setting standards and guidelines for mobile driver’s licenses.
An AI summary of the panel quotes Lori Daigle, program specialist in identity management for AAMVA. “Our role at AAMVA is to ensure that we are consistent and that standards make for an interoperable mobile driver license experience for customers who are crossing state lines,” she says. “What AAMVA is doing right now for our jurisdictions is, we are taking the keys from our issuing authorities. We are putting them into a digital trust so that the relying parties can download those keys and then understand that the mobile credential they are looking at is issued by a legitimate issuing authority.”
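As an added example, not code from the panel or from AAMVA, here is a simplified Go model of the relying-party check Daigle describes: issuer public keys are downloaded from a trust list, and a presented credential is accepted only if its claimed issuer is on that list and its signature verifies under the listed key rather than any key supplied with the credential. The field names, the JSON payload and the plain ECDSA-over-SHA-256 signing are assumptions; the real mDL format (ISO 18013-5) wraps the issuer signature in COSE with certificate chains, which this does not reproduce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Credential is a simplified stand-in for a presented mobile credential: the
// claimed issuer, the signed bytes and the issuer's ECDSA signature over them.
// Field names and layout are assumptions, not the ISO mDL encoding.
type Credential struct {
	IssuerID  string
	Payload   []byte
	Signature []byte // ASN.1 ECDSA signature over sha256(Payload)
}

// TrustList holds the issuer public keys a relying party downloaded from the
// trust service, keyed by issuer identifier. Only these keys are ever trusted.
type TrustList map[string]*ecdsa.PublicKey

// NewIssuerKey models an issuing authority generating its P-256 signing key.
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue signs payload on behalf of issuerID; a real mDL wraps this in COSE_Sign1.
func Issue(issuerID string, key *ecdsa.PrivateKey, payload []byte) (Credential, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		return Credential{}, err
	}
	return Credential{IssuerID: issuerID, Payload: payload, Signature: sig}, nil
}

// Verify accepts a credential only if its claimed issuer appears in the trust
// list and the signature verifies against that downloaded key, never a key the
// holder or wallet supplied alongside the credential.
func Verify(tl TrustList, c Credential) error {
	pub, ok := tl[c.IssuerID]
	if !ok {
		return errors.New("issuer not in trust list: " + c.IssuerID)
	}
	h := sha256.Sum256(c.Payload)
	if !ecdsa.VerifyASN1(pub, h[:], c.Signature) {
		return errors.New("signature does not verify against trusted issuer key")
	}
	return nil
}
```

The same check rejects a credential whose claimed issuer is not on the list, one signed by an impostor key under a listed issuer's name, and one whose payload was altered after signing.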