NIST publishes draft guidelines for financial firms implementing mDLs

The NIST National Cybersecurity Center of Excellence (NCCoE) has published the initial public draft of its practice guidelines for financial institutions implementing mobile driver’s licenses (mDLs) for customer identity verification.
The draft NIST Special Publication (SP) 1800-42A, “Digital Identities – Mobile Driver’s License (mDL): Accelerating Development and Adoption of Digital Identity for Financial Institutions,” is the result of NCCoE’s collaborative work with 29 industry and government partners to address security, privacy, and interoperability challenges associated with mDL adoption.
Several familiar faces from the biometrics and digital ID community made key contributions to the guide, including NIST Digital Identity Program Lead Ryan Galluzzo, security engineer Bill Flanagan, and Heather Flanagan of Spherical Cow Consulting, who recently collaborated on an article about “Getting to Know the Verifiable Digital Credential Ecosystem” and the differences between the ISO/IEC mDL standards and W3C’s Verifiable Credentials framework.
The first stage of the NCCoE’s work focuses on the financial sector use case. (Subsequent projects will extend the work to other sectors.) Per the guide, “high assurance relying parties, such as Financial Institutions (FIs), represent high value targets for identity-related fraud and are considering the adoption of mDLs to support Know Your Customer (KYC) processes. To move forward, however, FIs need a better understanding of how this technology integrates with their current identity systems and business processes, as well as insights into how mDLs meet Customer Identification Program (CIP) compliance requirements and the identity proofing component of KYC.”
The guide aims to help FIs implement mDL standards and best practices using commercially available technology and “realize the security, privacy, usability, reliability, and compliance benefits that can result from an FI mDL deployment.” It covers architecture and build, threat models and privacy considerations, and includes specific recommendations for establishing trust in various scenarios.
Start now to build trust; align standards toward stability
The NCCoE’s research yields several key insights. The first is that organizations should begin taking steps toward adoption now. “Institutions that begin market research, proofs of concept, and pilots now will be better positioned to onboard mDL verification and realize the technology’s potential benefits.”
Verifiable digital credentials (VDCs) and mDLs have clear benefits in terms of privacy and security. But the trust system is still a work in progress. “Shifting FIs to a new trust model will require a more consistent issuance process across states and territories, standardized holder verification techniques, enhancements to credential protocols to support access requirements, and trust establishment in the wallet as a key component of transactions.”
Following on that, consolidation and stability should be the key goals of those developing standards. “Standards Development Organizations (SDOs) have laid the essential technical foundation for the mDL ecosystem. However, as the market shifts from pilot to commercial deployment, the focus must turn to finalizing critical standards and consolidating specifications to ensure scalability.” This is of particular importance in creating a clear path to implementation for verifiers and Relying Parties (RPs).
In summary: it’s time to get cracking, for real. The foundations for an effective practical mDL ecosystem have been laid. Now comes the tough part: leaning away from innovation toward stability. Standards, practices and protocols should be aligning to create a cohesive ecosystem that actually works in the real world.