NIST announces new mDL use case, resources to support financial sector adoption

A webinar on mobile driver’s licenses (mDLs), presented by the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST), introduces new resources to help financial institutions implement support for mDLs.

Off the top, hosts Bill Fisher and Ryan Galuzzo of NIST provide a walk-through of NCCoE’s mDL privacy risk assessment, to help parties gauge what’s at stake in implementing mDLs. Its data flow diagram, an “abbreviated version of the NIST Privacy Risk Assessment Methodology”  written from the perspective of a financial institution, includes five questions that cover goals, potential problems and potential solutions.

“What are your organizational privacy goals? How does the system that you’re assessing work?

What privacy problems might that system introduce? What’s the impact of those problems or the potential impact of those problems? And then how do we address those problems?”

Fisher explains that, on the NCCoE website, each question leads to an accordion dropdown menu that provides examples of how a theoretical financial institution might answer, explanatory diagrams illustrating data flows, and more, including lists of some of the controls both in NIST SP 800-53 and in the NIST Privacy Framework that apply to particular problems.

Fisher says “this is a bit of a new way of displaying and presenting this content for NIST,” and that the organization welcomes public feedback, especially from financial organizations.

Provisioning a major issue for financial services firms

The webinar also summarizes NIST’s first mDL use case (financial services) and introduces its second.

“For this first use case, we worked very closely with the financial sector and had conversations with five or six different large financial organizations to talk with them about their identity verification solutions, mobile driver’s licenses, and how this solution might fit and meet their needs both from a privacy perspective, a security perspective, a compliance perspective and all those things,” Fisher says.

Important feedback from that exercise was that many see mDL as “a fundamental shift in the way the financial organizations think about identity verification,” in that it takes away some control from the organization, and allocates it to government authorities and wallet providers.

“Financial institutions, from a risk perspective, are not in the business of just blindly trusting entities,” Fisher says. “They want evidence and proof and they want to understand how they can trust those entities, right? What’s the trust model? What level of assurance do they have in these entities?”

“What was expressed to us is that financial institutions need additional clarity around the processes used to enroll individuals into a system of record at DMV to issue an mDL to a wallet and then around the presentation of the credential from that wallet.”

NIST’s response is a document called “Building Assurance in the mDL ecosystem,” which Galuzzo says focuses on three core components. “One was enrollment into the system of record. How do we understand what degree of vetting and proofing went into the issuance of that original polycarbonate plastic, whatever kind of physical ID was involved in the actual process of being provisioned to the DMV.”

Galuzzo says NIST heard about inconsistencies in identity proofing processes for provisioning: some required in-person enrolment, some involved biometrics, and so on. Since there is no standard specifically for that process, the question NIST faced was, “How do we fill the gap?”

The idea is to arrive at a “high level set of metadata or descriptions signed by the issuer that says, ‘Yes, this person has a mobile driver’s license. Yes, it was issued based on a DHS compliant physical driver’s license. It was issued during a remote event that used biometrics and had a successful pass rate.”

This, NIST believes, will give users more confidence in understanding what happened during the issuance process.

“I think this is also super important once you start thinking about a broader ecosystem that’s more than just mDL,” says Galuzzo. “We’re going to have a whole world of verifiable digital credentials out there that are going to have deviances and variations in the way that issuance is done. Being able to encode in a common set of terms and concepts how that issuance occurred will allow relying parties to more readily accept a broader spectrum of potential verifiable digital credentials.”

Currently, NIST is pursuing a model in which the encoding of the issuance data is based on “an existing set of specifications that are emerging in the OpenID Foundation using OpenID Connect for identity assurance.”

Verifiable credentials work to address identity binding in mDLs

“The last part,” says Galuzzo, “is looking at this concept of holder binding during mDL presentation – or probably more accurately holder authentication and user authentication. In the context of current mobile driver’s license and verifiable digital credential issuance we see a broad spectrum of how the user actually authenticates to the mobile driver’s license or the credential before releasing it to the relying party in presentation. This can be anything from the device unlock pin to a device unlock biometric to a biometric that’s bound specifically to the credential to a software level biometric match to the image that’s stored on the mDL. Each one of those has different usability factors” and can apply to different use cases.

He notes some of the standards work going on to address these issues, and notes the FIDO Alliance’s recent announcement on a Digital Credentials Working Group.”

The last new resource profiled in the webinar is NIST’s Interaction Diagrams, which aim “to help illustrate the different protocols used, the different standards used, the different components of our architecture and how they all interact with each other.”

Government gets its turn in NIST spotlight

The big announcement comes near the end of the event: NIST’s second use case for mDL will be government credential services providers – “to demonstrate how governments can accept mobile driver’s licenses for identity verification.” DMVs, in particular, need to be able to accept mDL.

Fisher says in addition to shifting its focus to federal agencies, NIST also hopes with use case 2 “to demonstrate how federal agencies can consume mDLs, and specifically how they might be able to do it through a credential service provider. There are several credential service providers that are already in the government. So this model is not anything new. But how do you go to a centralized service, present your mDL as part of your identity proofing and identity verification, get issued an identity and bound authenticators to that identity, and then federate to different government services that you might want to get access to with that identity?”

Article Topics

800  |  biometrics  |  digital ID  |  financial services  |  identity verification  |  mDL (mobile driver's license)  |  NCCoE  |  NIST  |  remote identity proofing  |  verifiable credentials