New document security features facilitate migration from physical to digital credentials
Embedded security elements can work on both cards and mobile IDs
28 August, 2019
category: Biometrics, Contactless, Corporate, Digital ID, Government
As counterfeiters are increasingly able to simulate even the best physical credential, issuers and the identity industry are looking to a future where digital credentials are the highly secure norm.
But, for the time being, the physical credential remains the standard, and it is up to the vendor community to develop security features that work both on a physical card and in the digital space.
Even top-tier IDs produced in central issuance facilities are being spoofed in very realistic ways, with the best simulating both Level 1 visual security features and Level 2 covert security features
“When it comes to a traditional driver’s license vs. a mobile driver’s license, we need to realize that we are not in an either-or world,” says Teresa Wu, Vice President, Product Management at IDEMIA. “We are in a world where they both coexist.”
The initial roadmap for digital credentials has been laid out by the American Association of Motor Vehicle Administrators, along with the ISO Task Force on mobile driver’s license, and those standards are well regarded by the vendor community.
Using those guidelines, a valid driver’s license can be scanned anywhere in North America, allowing for a large degree of interoperability. And with state DMVs piloting, and even launching mobile driver’s licenses, it is clearly the future form for state-issued IDs.
In addition to convenience and functionality, the fight against counterfeit driver’s licenses is also hastening the move to mobile. “When it comes to fake driver’s licenses and state-issued IDs, the counterfeiters are advancing rapidly,” Wu says.
The push to move away from card-based identification is driven by the reality that a highly sophisticated network of overseas counterfeiters is flooding the US market with fake IDs. The lucrative sale of fake “drinking licenses” to teenagers in the United States have led counterfeiters to step up their game, investing in technology that can replicate even the most sophisticated physical card security features.
While drinking licenses are a serious problem, higher-level criminals also rely on these simulated IDs, and they are willing to pay higher prices than the teenager trying to get a beer.
Even top-tier IDs produced in central issuance facilities are being spoofed in very realistic ways, with the best simulating both Level 1 visual security features and Level 2 covert security features.
“When there is an ever-increasing scale of customer and you find threat actors who are willing to pay top dollar for a high-quality fake, this requires sophisticated design and technique to stay ahead of them,” explains Wu.
DMVs are looking at ways to create security features that can bridge the physical to digital realms and capitalize on biometric authentication in a more affordable way. There are three leading options – passwords, secure chips, and biometrics. These can be deployed alone or in combination. Passwords are simple but their management and security are well known challenges. Smartcards are highly secured but add cost for chips, card management and reader infrastructure. Biometrics link the actual person directly to the photo already stored in the government system of record using cameras already built into their mobile device.
New document security features work on both physical cards and mobile credentials
To raise the bar, the goal now is to create innovative security features that can be authenticated on both a physical card and on a mobile credential. This helps bridge the gap in security between the physical and digital credential and adds confidence in document authentication.
“When a security feature can be read on a physical ID and on a mobile driver’s license using the same reader technology – that’s high value,” Wu says.
When a security feature can be read on a physical ID and on a mobile driver’s license using the same reader technology – that’s high value
Whether on a card or mobile, the modern approach is to couple Level 1 features that don’t need sophisticated equipment to read with Level 2 machine-readable features that are extraordinarily difficult to spoof. The visual features let officials give the credential a quick review to see if it looks right, and then pair that with a Level 2 feature that requires equipment to validate.
“No single feature provides full protection,” Wu says. “So the key is to not bet everything on any single feature, no matter how secure it may be today.”
Relying on one “killer feature” would only present a single target for the counterfeiters to attack. It also poses a problem if the credential can’t be authenticated because a system required to validate it is not accessible.
That is where a hybrid, layered approach using multiple factors to authenticate the credential shines. This is considered best-practice for physical credentials, but this same progression of features should be integrated into the digital credentials as well.
This hybrid approach gives confidence in the mobile credential, and it also helps the cardholder because it makes validation a much faster process.
Use cases similar for cards and mobile credentials
Take a law enforcement use case, such as a traffic stop.
The officer should be able to do a quick glance at the ID, be it physical or a mobile driver’s license, and get a sense of its authenticity just based on the Level 1 features. If there is doubt, the officer could use his mobile phone to do a quick scan and verify some Level 2 features embedded in the license.
If questions still remain, the officer can go back to the cruiser to do a more diligent inspection.
“As we progress to mobile IDs, credentials need to be secure and they have to incorporate security features that work equally well on a digital device as on a physical credential,” says Wu “A secure design integrates visually identifiable features with machine readable features, and it does not rely on any single feature for authentication.”