All hail the secure driver license
States complying as REAL ID arrives
19 November, 2012
category: Biometrics, Government, Library, Smart Cards
States have more than a couple of reasons to improve their driver license processes. In January the bell tolls for states to comply with the oft-delayed REAL ID Act with potentially severe consequences for states that don’t meet the standards.
There has also been an influx of fake driver licenses and state IDs from China. For about $200, an individual can upload a photo and biographical data and receive an incredibly realistic fake ID complete with an encoded magnetic stripe, hologram and other visual security features. Bulk orders receive discounts making these sites particularly popular on college campuses. As of mid-August at least one of these sites had been shut down due the urging of Congressional leaders.
REAL ID came out of the Sept. 11, 2001 terrorist attacks. Vulnerabilities in state driver license issuance processes were exposed as hijackers obtained state-issued IDs even though they were not in the country legally.
To prevent such breakdowns in the future, REAL ID calls for standardized identity vetting and issuance processes as well as a national database so that states can check if individuals have already been licensed in other states.
The law has been controversial with many states calling it an unfunded mandate and some even passing legislation indicating that they would not comply. When U.S. Department of Homeland Security Sec. Janet Napolitano was governor of Arizona she signed a bill into law saying the state would not comply with the mandate.
Consequences for residents of states failing to comply could be severe. Documents issued by those states would no longer be acceptable for access to federal facilities and airports.
Overall, states are making their way to REAL ID compliance, according to a report from the Center for Immigration Studies released in February. Five states have already submitted REAL ID compliance packages to Homeland Security and 36 are materially compliant now or likely will be by the January 15, 2013 deadline. Even the states that passed legislation against REAL ID are making improvements to their processes, the report states.
The Delaware example
Delaware achieved compliance with REAL ID from Homeland Security in July 2010, says Jennifer Cohan, director of the Delaware DMV. Most changes were to the processes around identity vetting but there were also some changes to the actual ID documents.
Prior to 2010, Delaware didn’t conduct a Social Security confirmation or a residency check. Nor did they confirm that the applicant was in the country legally, Cohan says.
Today, Delaware conducts a Social Security check to make sure the number matches the name of the individual, a legal presence check and a residency check, Cohan says. Even applicants renewing existing documents need to bring in the additional documentation for the new IDs, which are scanned and stored.
With REAL ID the state changed its entire business flow. As soon as the applicant comes in for a license their photo is taken and the same clerk guides the applicant through the complete process. “The clerk never loses custody of the individual,” she says.
Facial recognition is run while the clerk validates and scans the applicant’s documentation, Cohan explains. A response from the facial recognition system takes just two to three minutes. The overall transaction time with the clerk and applicant is six minutes with wait times averaging 14 minutes.
Delaware differs from other REAL ID compliant states in that they have opted to stick with over-the-counter issuance of IDs. Most states are opting for central issuance to give them additional time to review applicant data and place additional security features in the document.
Delaware’s politicians wouldn’t allow central issuance, because residents like walking out the door with their ID, Cohan explains. The state also has only four DMV offices so creating secure rooms in each location to produce the documents wasn’t as difficult for them as it could be in larger states.
For residents who don’t care about access to federal facilities, Delaware offers a license that isn’t REAL ID compliant, Cohan says. The resident doesn’t have to proffer any of the documents or undergo any of the background checks. They receive a license that has big black type on it stating that it’s not for use as a federal ID. There have been residents who have returned and upgraded their license after the fact, she notes.
The state was aware of the stigma that REAL ID carries. When it first rolled out the new documents and processes it was not called a real ID compliant document. “We didn’t call it REAL ID because of the negative connotation,” Cohan says.
North Carolina opts for centralized issuance
The same is true in North Carolina, says Barbara Webb, assistant director of driver license certification for the Department of Motor Vehicle. The state isn’t marketing its new driver license processes as REAL ID, but rather as a more secure ID.
The vetting processes North Carolina implemented are similar to those in Delaware. A photo of the applicant is captured and the identity verification begins with Social Security, residency and legal presence checks. North Carolina is compliant with the 18 benchmarks for REAL ID compliance and working on the 39 comprehensive benchmarks (see REAL ID Benchmarks).
Where North Carolina differs is at issuance. The state started central issuance of driver licenses in 2008 and will be rolling out a new document in 2013, Webb says. The new ID has passed two security evaluations from the American Association of Motor Vehicle Administrators. A third evaluation is scheduled for early next year. The new ID will be made of polycarbonate and include laser engraving, grayscale imaging and a 3D photo.
North Carolina will conduct a three to four week issuance pilot next spring, Webb says. After the initial period it will evaluate how the processes went, regroup and start a full rollout. The state will use card printers from Datacard for the new IDs.
Overall trends
The January deadline not withstanding and regardless of whether a state has said it’s pro or con REAL ID, jurisdictions are making improvements to their documents, says John Hilliard, senior director of sales and business development at MorphoTrust USA. Some 41 states use MorphoTrust system for their driver license systems. “When you look at states across the country, REAL ID or not, they are making processes more secure,” he says.
Hilliard has been around driver licenses since 1984 when he started issuing IDs at the New York Department of Motor Vehicles. He did that until 2007 when he joined Homeland Security as a senior advisor to help with the implementation provisions of REAL ID. After 14-months at Homeland Security, Hilliard moved to his current position at L-1 Identity Systems, which is now known as MorphoTrust.
DMV directors across the country are instituting more secure issuance processes, Hilliard says. Along with the Social Security verification and legal presence checks, states are also deploying document verification technology. These systems scan passports, driver licenses and other ID cards for security features and tell the clerk if they are valid.
States are also using facial recognition biometrics to make sure the individual only has one license under one name, Hilliard says. Photos are taken as soon as the applicants steps up to the counter so there’s plenty of time to run the photo through a database. “Facial recognition is extremely effective in making sure a person does not get more than one license,” he adds.
To give states more time to verify documents, many are also moving from over-the-counter issuance to central issuance. Hilliard says more than 20 of the states MorphoTrust works with are going to central issuance. Central issuance also means states don’t have to be as concerned about securing the different DMV locations across a state.
Interstate data sharing remains elusive
The area states are struggling with most is the verification of breeder documents, such as birth certificates, Hilliard says.
This challenge isn’t new. Each county in each state is responsible for birth certificate issuance. Standardization and security features vary widely. “In the U.S. there are more than 14,000 types of birth certificates and the reality is they’re all paper based,” he explains. “There’s a lack of consistency across the U.S. as to what a birth certificate looks like, so it’s hard to keep the front line person trained.”
There are efforts underway to create an online system to verify birth certificate data with Social Security numbers to make sure the information matches, Hilliard explains. The delay with this system is that the vast majority of birth certificate information is paper based and no electronic version exists.
Another REAL ID provision that won’t be ready to go by January is the driver license verification system called for in the law. If an individual walks into a DMV with a license from another state this system is intended to enable officials to check the validity of the license with the other state as well as cancel it when the individual receives the new document in the new states. “It will send in a request to other states and see if they have that same individual licensed,” Hilliard explains. “It’s designed to make sure that the person is only licensed in one state.”
Because some states have decided not to comply with REAL ID, this system will not be operational by January. However, tests with a handful of states continue, Hilliard says.
Increasing document security
In addition to better identity verification, states are also increasing the security of the ID cards, Hilliard says. With an influx of high-quality fake IDs from China, the challenge is adding strong security features that a bank clerk or bar bouncer can readily spot yet can’t be easily duplicated. Add this new adversary to the ever-present threats from terrorist groups and identity thieves and the need for increased document security features reaches unprecedented levels.
“The reality is the well funded bad guys are trying to find ways to compromise the security features on a card,” Hilliard says. “And they’re coming up with ultra-violet features that are close enough to survive scrutiny.”
Holograms and ultra-violet features aren’t as secure as previously believed, especially for those who may not be well trained to spot slight differences, says Shane Cunningham, marketing and communications manager at Digital Identification Solutions, which provides card printers to driver license programs in five U.S. states and three states in Mexico. “You need to be able to spot a fake in an easy visual way, without ultra violet or microprint,” he adds.
The cat and mouse game that document security experts play with counterfeiters never ends. For the past year, ID experts at 3M have been helping law enforcement officials analyze some of the counterfeit IDs they have found. “The overt features are so good that law enforcement and credential experts aren’t able to tell the difference,” says Tony Ronquillo, business development manager at 3M Security Systems.
Adding security features makes it more difficult for counterfeiters but it also makes it more difficult for those trying to authenticate the documents. “You can create an ID with the highest technology anyone has ever seen but the problem is without the proper tools in the hands of the people evaluating those documents, how can they tell the difference?” Ronquillo asks.
There’s a fine line issuing agencies walk, making a document secure but not making it confusing, says Steve Rhyner, senior product development specialist at 3M Security Systems. “More security doesn’t equal higher security,” he explains. “Criminals find more complex documents easier (to fake) because they’re so confusing people aren’t sure what to look at.”
States are also hesitant to remove existing security features because people expect to see them, Rhyner says.
A relatively new solution that states are deploying is a floating image that has a tactile feature so when an individual runs a finger across it he feels something, says Ronquillo.
Laser engraving is another solution to the security problem that many states are considering, Cunningham says. Laser engraving not only provides a visual feature but there’s the tactile element that an inspector can feel where the laser burned the image or text into the card.
Added document security features pushes migration to centralized issuance
Laser engraving pushes states to a central issuance model, says Mary Olson, senior marketing manager for government solutions at Datacard. The cardholder’s personal information is burned into the card with the laser providing security from alteration as well as the tactile security feature.
This type of personalization takes time and is another reason why states are moving to central issuance, says Olson. “About 90% of the recent requests for proposals from state driver license agencies has been for central issuance,” she says. “It’s a trend we’ve seen for the last five to six years.”
While the REAL ID Act was controversial when first passed it has lead states to improve identity vetting and document security. As counterfeiters become more advanced it’s only a matter of how states will continue to combat emerging threats.
Smart card driver licenses on the horizon?
After the Sept. 11, 2001 terrorist attacks there was significant discussion around the use of smart cards for driver licenses. This discussion faded, but has picked up again in recent years. Still, most agree any rollouts are likely years away.
“Over the last year we have had some significant conversations with states about issuing smart cards,” says Mary Olson, senior marketing manager for government solutions at Datacard.
One group behind these efforts is the National Association of State Chief Information Officers. Different state agencies issue many different types of identity documents, and the organization sees an opportunity for consolidation of services around a single state issued smart card.
Instead of having each agency issue these different documents there could be one agency issuing a smart card for all the different purposes, says Neville Pattinson, senior vice president of government sales at Gemalto. “It’s time to consider centralizing identity management and enabling other benefits to the card,” he says.
Medicaid benefits, food stamps, and driver licenses are just some of the applications that could potentially be placed on a state-issued ID card, Pattinson says. “This would enable a central point for managing citizen identities and using that identity for multiple applications,” he adds.
18 benchmarks for REAL ID compliance
- Mandatory facial image capture which state must retain
- Applicant must sign a declaration under penalty of perjury that the information presented is true and correct
- Applicant must present at least one of a finite list of source documents when establishing identity
- Require documentation of Date of birth, Social Security Number, Address of principal residence, and Evidence of lawful status
- State must have a documented exceptions process
- Make reasonable efforts to ensure that the applicant does not have more than one DL or ID
- Verify lawful status through SAVE
- Verify Social Security account numbers through SSOLV
- Issue DL and IDs that contain integrated security features
- Surface of cards must include basic information regarding the cardholder
- Mark fully compliant DL and IDs with a DHS-approved security marking
- Issue temporary or limited-term licenses to all individuals with temporary lawful status and tie license validity to the end of lawful status
- Have a documented security plan for DMV operations
- Have protections in place to ensure the security of personally identifiable information
- Fraudulent document recognition training and security awareness for DMV employees
- Background checks for employees with access to personally identifiable information
- Commit to be in full compliance with Subparts A through D on or before May 11, 2011
- Clearly state on the face of non-compliant DLs or IDs that the card is not acceptable for official purposes, except for licenses renewed or reissued under* 37.27
National driver license database stalled
One of the more controversial components of REAL ID is the driver license verification hub, a database that would link states and make sure individuals don’t hold licenses in more than one state.
In 2008, Missouri was awarded $17 million to lead the development of the verification hub, which is intended to serve as a central point for motor vehicle departments to validate an applicant’s source documents. States would be able to verify the identity, legal presence and Social Security number of an applicant through this common interface.
Four other states–Florida, Indiana, Nevada, and Wisconsin–were each awarded $1.2 million to partner with Missouri for testing and implementation of the system. Information on the current status of the hub is not available, but it has not been released for state use.
Still, the challenge of checking breeder document validity is being solved through a new system created by the National Association for Public Health Statistics and Information Systems. The Electronic Verification of Vital Events network permits queries of in-state and out-of-state vital records.
Using the Web application a DMV employee enters certain information from a birth certificate. This information is sent to the issuing state and it comes back with a match or no match within seconds. Some 44 states are online with the system and another five are in the process of rolling it out.
Defining the issuance models
Over-the-counter issuance:
This model provides on-site issuance while and individual waits. It enables immediate verification that the information on the license is correct and allows for fast reprints and replacement issuance. It also provides a level of customer service that cannot be replicated by an off-site operation.
It can prove challenging for the issuing agency, however, because it requires the deployment of equipment, printers and card stock to every point in the decentralized network of issuance locations.
Centralized issuance:
The centralized, off-site issuance model moves the printing of the ID to a separate location. Finished licenses are later mailed to the local office or directly to the applicant’s address.
Real ID compliance is pushing more states toward a centralized issuance model as they strive to increase document security features. Laser engraving, high-end holography and other features can be cost prohibitive in decentralized environments, but the higher priced equipment can be affordable when centralized in single location.