Robust mobile ID offering ready to go when ISO 18013-5 launches later this year
The idea of the GET Mobile Driver’s License (mDL) offering – or GET Group NA’s other mobile ID products – is to enable citizens and issuing agencies to expand the trustworthiness of a physical card to the digital realm. A well-designed mDL can enable law enforcement, customs and other authorities – as well as retail locations and corporations – to authenticate users via electronic methods. And it can open doors to a host of new personalized services while protecting privacy.
As with anything digital — communication, payments, identity, etc. — security is a prime concern. So too is privacy. Users of a mobile driver’s license will want to give out the minimum personal information needed to satisfy specific authentication cases. mDL systems should be user-centric with control of data sharing in the user’s hands.
That’s one of the main messages of a recent SecureIDNews interview with David Kelts, GET Group NA’s Director Product Development for Mobile. The company’s GET Mobile ID is designed as a form of secure digital ID, one that conforms to ISO 18013-5, a standard currently in development for the mDLs that are slowly but steadily finding approval among state lawmakers in the U.S.
“People start off with the idea that a mobile driver’s license will have the same content as the physical card, basically put the card on the phone and show it to others,” Kelts says. “But there are no security mechanisms to protect an image of an ID shown on a phone screen, and thus we should not be trusting the act of showing an image on a screen to obtain a secure service.”
Mobile driver’s license security
A GET white paper on mobile driver’s licenses and mobile IDs put the problem another way. “Unlike physical cards, mobile phone screens do not have ‘linked and layered’ security features, and data displayed on a mobile phone screen cannot and should not be trusted.” Other electronic security mechanisms are required so that “citizens can use their ID everywhere — at point of sale, for fast entry into every establishment, at the roadside, across borders.”
Indeed, that idea requires a new way of thinking about mobile ID, a way of thinking that goes beyond just considering the work of putting data on a screen. “We want to get beyond that limited concept of mobile ID and avoid it,” says Kelts. “Don’t rely on the screen but instead rely on security measures and techniques.”
The emerging ISO standard creates a mobile ID ecosystem through which relevant, required personally identifying information can be ‘tapped and transmitted’ through web, NFC, Bluetooth or Wi-Fi Aware connections. Data is shared securely from a mobile driver’s license to a verifier device used by a relying party – such as a law enforcement officer, TSA agent, rental car attendant, or retail clerk. The mDL user has significant control over his or her data, approving what data elements are to be shared prior to transmission.
“The standard is about the interchange of data,” Kelts explains. “The current standard supports a couple interchange models, but there are already other extensions in development that will allow relying parties to have choices – tap, nearby, distance, and even over the Internet. I believe it is crucial for the relying party to have flexibility in their interactions with consumers.”
So how and where would this mobile ID system work in the real world, beyond the police or travel authorities checking mobile driver’s licenses? Restaurants are one possibility. Diners could check in via the mobile ID and share their age data so that they don’t have to do that at the table when ordering alcohol.
And the process can go beyond that. “You can personalize the experience, and that can be really helpful for businesses,” Kelts says. “Virtually every industry that serves the public is in a race to use digital technology to make services more efficient and more personal. None of them want to compromise privacy, just deliver better service.”
TSA and federal building access are other examples. “Everybody talks about liquor stores and traffic stops because these are the most obvious use cases, but a well-designed mDL can serve all kinds of other functions,” he says.
Mobile driver’s license roots
Kelts has been working with the committee crafting the ISO 18013-5 standard since its inception, and he expects the standard to be published later this year. Originally, some 20 companies were involved, but that number has grown to about 50. Even Apple and Google are now participating.
He said that the ISO standard heading toward publication has two distinct models: online and offline. In the online model a token is sent from an mDL to the verifier via QR code or NFC, and the verifier, or service provider, uses that token to obtain the data required for the transaction. This is ideal for quick, secure authentication of transactions when the verifier is connected to the Internet. Future extensions will permit token exchange over Bluetooth and the web.
There is also an offline model that works without Internet connectivity. When the mDL and the verifier are not connected via the Internet, they can use short-range wireless communication protocols like NFC, Bluetooth or Wi-Fi Aware for the data transmission. “In this way, they can share data, see that it was signed by issuing authority, and trust the other party to the transaction,” Kelts says.
Both the online and offline models are unified in one vital sense. In either case, the relying party can see that the data was signed by the issuing authority. “This shows the flexibility in the design of the interchanges from ISO 18013-5,” explains Kelts. “The standard is always designed for minimum data sharing, user-centric approval of data to be shared, and resistance to tracking usage by any authority.”
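An added illustration, not code from GET Group or from the ISO 18013-5 text: one way an issuer signature can coexist with minimum data sharing is for the issuer to sign salted per-element digests, so the holder can release only approved elements and the verifier can still check them against the signature. The JSON encoding, function names, sample values and throwaway P-256 key are assumptions made for this sketch.

```javascript
// Added sketch: simplified model with assumed names, not the ISO 18013-5 wire format.
const crypto = require('node:crypto');

// Digest of one data element, bound to a random salt so that undisclosed
// low-entropy values (e.g. a birth date) cannot be guessed from the digest.
function elementDigest(item) {
  const encoded = JSON.stringify([item.salt, item.name, item.value]);
  return crypto.createHash('sha256').update(encoded).digest('hex');
}

// Issuer (e.g. a DMV): salt every element, then sign the digest list once.
function issue(elements, issuerPrivateKey) {
  const items = Object.entries(elements).map(([name, value]) => ({
    salt: crypto.randomBytes(16).toString('hex'), name, value,
  }));
  const digests = JSON.stringify(items.map(elementDigest).sort());
  const signature = crypto.sign('sha256', Buffer.from(digests), issuerPrivateKey);
  return { items, digests, signature };
}

// Holder (the phone): release only the elements the user approved.
function present(credential, approvedNames) {
  const items = credential.items.filter((i) => approvedNames.includes(i.name));
  return { ...credential, items };
}

// Verifier: check the issuer signature over the digest list, then check that
// every disclosed element hashes to a digest covered by that signature.
function verify(presentation, issuerPublicKey) {
  const ok = crypto.verify('sha256', Buffer.from(presentation.digests),
    issuerPublicKey, presentation.signature);
  if (!ok) return null; // not signed by this issuer
  const signed = new Set(JSON.parse(presentation.digests));
  const disclosed = {};
  for (const item of presentation.items) {
    if (!signed.has(elementDigest(item))) return null; // altered or unsigned
    disclosed[item.name] = item.value;
  }
  return disclosed;
}

// Constructed sample data and a throwaway issuer key pair.
const issuer = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const sample = { family_name: 'Sample', birth_date: '1990-01-01', age_over_21: true };
const credential = issue(sample, issuer.privateKey);
const shown = present(credential, ['age_over_21']);
console.log(verify(shown, issuer.publicKey));
```

The verifier learns the approved element and that two other signed elements exist, but not their names or values.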
GET Mobile Driver’s License offering
GET mobile driver’s license offerings are ready to go as soon as the standard is published, says Kelts. “We have both sides ready to go — the mDL side and the verifier side, and because we are nimble, we can be responsive to consumers and roll out new features far more rapidly than others in the market.”
He believes the company offers the most mature implementation of the ISO standard. GET Group offers complete solutions for both DMVs and relying parties, and they also offer toolkits and SDKs so that DMVs and companies can create their own applications.
In this way, developers can build it into their own devices using a GET toolkit. For example, the maker of point-of-sale payment terminals might opt to build an age-verification tool into the POS so that the clerk in a grocery store or convenience store does not have to use a secondary device — or their own mobile phone — to conduct this part of the purchase transaction.
When asked how quickly he expects deployment of mDLs following the standard’s publication, Kelts is optimistic and points out that GET is already seeing meaningful interest from state DMVs.
Still, as is often the case with technology adoption, it will fall to first movers to set the pace. “After some early rollouts, others will get to witness the advantages, and there will be really swift movement to adopt,” he says.
In addition, he believes citizens will demand it, so this will speed up deployments. “In 2020 we will see both the first movers and the more mainstream uptick,” he concludes.