09 February, 2017
By Andre Boysen, SecureKey
Today there are more than two million apps in Apple’s App Store, which is why the phrase, “there’s an app for that” is so common. In fact, some people don’t even carry a physical wallet at all times since “digital wallets” are such popular features on smartphones. Needless to say, there is an app for just about everything. Everything except for digital identity.
It needs to be said up front that mobile driver licenses (mDLs) will be very useful and powerful for consumers to interact with State DMVs and everywhere identity information is required – although there are a lot of details to be worked out on how these virtual identities will work. How will officers read and validate the information stored on the device? How will other relying parties? Work is underway to put standards in place that will make this all happen.
Interestingly, mDLs may not even be used for driving. If you are pulled over for an infraction, giving your phone to the officer to take back to the cruiser is problematic. First, what is the implied consent for the officer to examine things on the phone other than the mDL? Second, many people would want to use the phone to occupy themselves while the officer is busy in the cruiser.
Rather than on the road, mobile licenses may find their greatest utility enabling citizens to verify their identity digitally. Ultimately, the goal is to have citizens’ primary proof of identity extended to the online world, enabling online transactions and state services securely and efficiently.
The implementation of digital identities is well underway in more than a dozen states; however, there are security considerations that need to be addressed to ensure mDLs are protected and legitimate. The first is the necessity for an authoritative source to verify the digital identity. The mDL application needs to verify that when a digital identity is created it indeed belongs to the true individual. As of right now, the Department of Motor Vehicles acts as the authoritative source, which solves the need for authorization, but it’s not enough.
Although the identity is initially checked with a single authoritative source, this raises a second security consideration: the need for multiple trusted sources to verify the identity. If there is only one source of authority and that source were to be compromised, then the digital identities would be at risk. Therefore, strong authentication is only achieved when multiple sources such as the DMV, banks, mobile network operators, credit bureaus or others are able to cross-verify the identity. This eliminates the potential for the single authoritative source to ever be the fraud vector. As a result, both the individual and provider can have confidence that the identities are secure and legitimate.
As states consider what innovations are required for mDL, it is important to consider what works well today and what needs to be improved.
The notion of combining digital ID with street ID is quickly becoming a reality. In order to ensure the use of mDLs and other forms of verification – like passports and birth certificates – is as secure as the physical entities themselves, there needs to be a system of cross verification by multiple sources.
SecureKey is working with Canada’s largest financial institutions, federal and provincial governments, telecom operators and other trusted partners to develop and deliver a national identity verification ecosystem in Canada that is being hailed as the largest consumer-centric and privacy-by-design digital identity service initiative to date. The application utilizes blockchain technology and is built upon the success of SecureKey Concierge, a secure federated authentication network SecureKey has already established in Canada. It will also use biometrics to ensure the identity of the person logging in.
The use of multiple trusted sources verifying the digital identity is the critical factor of this application, and what will potentially make it a model of success for others to follow. Once we reach that point, we’ll finally be able to answer the question of digital identity with “there’s an app for that.”
Evaluating driver license properties
Driver license properties that need to be improved:
- The authenticity of the document cannot be checked today by most destination services, like banks, rental agencies and airports.
- Credible fake documents are easy to pass off as legitimate, especially when they are from out of state.
- The DL provides too much data for many use cases. For example, name and address are not required to prove age at a bar.
- More than one valid document can be in circulation. There is no way to take a lost or stolen document out of service.
- There is no network service to demonstrate legitimate possession of the active card. It is the lack of a network service that enables effortless identity theft today.
Driver license properties to keep:
- The DL is widely accepted across the public and private sectors as an identity document.
- The state does not know where the document has been presented or how often.
- Issuing a card today means those that don’t want an mDL can continue on as they are (for example, requiring a mobile phone to drive seems like an odd requirement). It will also take time for the rest of the economy to ready backend systems to accept mDL-driven processes.