Australian mDL holograms ‘not a security feature’ despite state guidance

Digital holograms and other visible security features do not ensure the integrity of digital IDs, including Australia’s digital driver’s licenses. But they underpin advice from states that the mobile driver’s licenses (mDLs) can be used for identity verification through visual checks.

New South Wales, Victoria, South Australia and Queensland have each developed mDLs, with the first three promoting visual verification based on the integrity assurance of digital holograms, the Australian Broadcasting Corporation reports. Dr. Vanessa Teague, associate adjunct professor at the Australian National University and CEO of Thinking Cybersecurity, points out that the visual seals are “not a security feature.”

Queensland mDLs feature a pulsing government logo as a visible security feature. A Queensland government website advises that the visual feature only be used for “low-risk verification.” The government also notes that verification can be carried out by scanning a QR code. Phones storing Queensland mDLs must have biometric authentication, but the use of biometrics for identity verification is not mentioned on the “about” page.

Service Victoria and VicRoads each suggest that the holograms on the state’s mDLs provide assurance that the digital ID is valid. Guidance from Victoria’s state government advises justices of the peace to scan the mDL’s QR code to verify it “if you need to” after viewing the photo and hologram.

But a bar in Mornington, Victoria has publicly announced that it will no longer accept the digital IDs as proof of age due to the large number of fakes encountered.

South Australia’s guidance makes clear that the animations prove only that the credential is not a screenshot, and instructs relying parties to validate the mDL by scanning a barcode.

Service NSW says state mDLs can be verified by having the license holder swipe down to refresh the date and time stamp, or by scanning the QR code.

The situation may soon improve, however, as an NSW government spokesperson tells ABC that a verifiable photo credential compliant with international standards is being piloted.

NSW and South Australia launched their mDLs before the publication of ISO/IEC 18013-5. Queensland’s mDL, stored in an app from Thales, is compliant with the standard, but cybersecurity experts told ABC that the guidance on visual checks undermines their reliability.

Teague told ABC that the demonstrated lack of understanding of basic cybersecurity principles calls into question whether the QR code has been properly implemented.

“It’s very, very unclear whether there’s really any genuine expertise in even getting the basic cryptographic design elements right and there’s no public scrutiny,” she says.

The most disheartening element of the warnings may be that they echo a complaint reported by Ars Technica in 2022.

…and then there are the users

Driving without carrying a license has been illegal in Australia for years, but apparently some mDL holders in NSW have been surprised to discover that if they are stopped by traffic police when their phone is dead and they are not carrying a physical license, they could face a $110 fine.

Queensland and Victoria give motorists the option to show their mDL at a police station within a given time frame to avoid a fine, Yahoo reports, but there is no grace period in NSW.
