Interest is high, but Roadblocks include standards, infrastructure, relying party acceptance
Security features are good to a point, but fake licenses often include passable security features too. If we’re going to implement mobile driver licenses by simply reproducing a card on the phone, we’re going to have a fraud problem.
Perhaps the answer to document fraud will be found in something not possible with a plastic card: connectivity. “There needs to be a backend verification process to ensure a digital driver license was issued by – and remains valid with – the proper authorities,” Purdy explains.
This means leveraging the technology behind the screen of a mobile device, says Dean. “You need to make sure the information is verified and not just a simple screen grab,” he explains. “I want to take the human element out of it and electronically verify the information that’s being shown on the screen.”
While connectivity can offer assurance, it can also be a problem if not available. Imagine that deserted stretch of highway and an officer needing to validate a license. A mobile driver license solution must work in both online and offline environments.
The numbers of relying parties – grocery stores, airline gate agents, nightclubs and law enforcement – that will need to read and confirm that data from a license is massive. The infrastructure to read these licenses will be essential to mobile license success.
There are a number of ideas being considered to electronically verify a mobile driver license. Using near field communication or Bluetooth Low Energy are two schools of thought. Being able to transmit information to a reader with a touch of a button to verify pertinent details could solve many problems. “You need to have a secure method of exchanging information that is ubiquitous to the entire population,” says Purdy.
With ubiquity a necessity, NFC and even Bluetooth may temporarily be ruled out going instead to an old-school solution that’s already familiar to driver licenses issuers across the country – the PDF 417 bar code, says Jon Ekers, global CIO and senior vice president at ABNote. “You have the bar code that is digitally signed privately and then a public key could validate that it’s been properly issued,” he adds.
But all of this is contingent on connectivity. Unless that app is pinging a database to show that the information is current, there will still be fraud concerns. “Offline transactions are a must but it’s choppy waters and we need to figure out how to do this,” Ekers says.
It is possible that the mobile driver license app could update in the background a couple of times each day to ensure data is relatively current, Ekers says. This could enable reasonable assurance of validity in offline use cases. Still, how to absolutely authenticate a mobile driver license in an offline environment remains a problem that needs to be solved, he says.
There is also a fine line of how much information needs to be shared and displayed with a mobile driver license. Does every grocery store checkout line need to be connected to a state DMV database to say an individual is over 21? “Do you want all these retailer and bars connecting to the DMV to do authentication?” asks Purdy.
If every grocery store and airline check-in point is pinging a state’s DMV database to verify info, it could quickly become overwhelm systems. A bar code or QR code could be used in place of real-time database checks without adding infrastructure as these relying parties already use bar code scanners. Instead of displaying personal information there could just be a red light/green light that enables the transaction to move forward.
Law enforcement not sold on mobile
Some industry executives say that law enforcement is nowhere near ready to embrace mobile licenses. How would officers work with these digital representations when pulling someone over? Would they take the mobile device back to a cruiser to verify information? What happens if the officer drops the mobile device? What if the individual receives an incriminating text while the officer is in possession of the device?
The biggest concern is that officers don’t want to handle a citizen’s device. It is a problem that could be addressed using Bluetooth, NFC or a bar code to enable an officer to use his own mobile device to collect necessary information from the individual’s device. From there, the officer’s device would handle the verification of the license data with the issuer.
HID’s Carroll explains how the system can make their jobs easier. “When appropriate, a secure mobile driver license platform would allow the authentication of a person’s ID from a safe distance using Bluetooth technology to give law enforcement officers more time to determine if a traffic stop is routine or more complex,” she says.
To ensure privacy, an officer’s mobile device would have to be equipped with the proper digital certificates to enable it to read the mobile driver license data. “A mobile credential would only be sent to a mobile device through a secure service by an authorized state licensing authority,” Carroll explains. “During use of the credential, a mutually authenticated channel would be established between the mobile device and the relying party application to ensure privacy.”