Addressing Mobile Driver’s License Security

Around the world, physical forms of identification are quickly giving way to digital ID credentials on mobile phones (also called electronic identification or eID). For example, in the U.S. and some Canadian provinces, legislation regarding the mobile driver’s license (mDL) and test pilots are well under way.

The mDL aims to make sharing select personal information between license holders and verifying parties (e.g., merchants or law enforcement officers) safer, more convenient and more secure than when using a plastic driver’s license. Physical licenses can more easily become damaged, replicated by counterfeiters or contain outdated information. Also, in many cases, they offer more of the owner’s personally identifiable information than the situation requires. The mDL owner has control over the data they share or keep private. For instance, instead of having to reveal the owner’s name, home address and full birthdate to gain entry to a nightclub or purchase alcohol, the owner can select to share only their photo and a confirmation that they are of legal age.

ISO/IEC 18013-5:2021, published in September 2021, sets the minimum technical and functional requirements for mDL interoperability, security and privacy. Many jurisdictions in the U.S., Canada and even worldwide are introducing mobile driver’s licenses based on this standard.

Like physical driver’s licenses, mDLs are issued by a government authority, such as a Department of Motor Vehicles (DMV) in the U.S. The DMV provisions information to an mDL app on the license holder’s mobile device. The verifying party needs an mDL reader to communicate with the mDL app and authenticate the data. Available mDL readers range from apps that work on smartphones to solutions that integrate with point-of-sale terminals or electronic cash register systems.

Data privacy and protection

In addition to the increased data privacy and convenience, mDLs provide to license owners, verifying parties also benefit.

• Simple fraud detection – Because the data on an mDL is digitally signed and linked to the issuing authority, transmitted data can be quickly authenticated. The mDL reader indicates whether authentication is successful or not. In addition, all data transmitted between the mDL app on the license holder’s mobile device and the mDL reader is encrypted.
• Clear and quick license holder identification – The verifying party receives a digital facial image of the legitimate license holder, which can be displayed in a larger format than on a physical driver’s license.
• Improved data accuracy – The verifying party receives an exact digital copy of the mDL owner’s data, eliminating the risk of human error when writing down long numbers or unfamiliar names. An mDL also has the capability to regularly refresh and update the license holder’s credentials in real time — no more outdated information.
• Reliable records – Verifying parties have an automatic audit trail to prove they performed the legally required checks.

mDL testing and certification

UL Solutions offers testing and certification services to determine if mDL applications and mDL readers comply with ISO/IEC 18013-5 requirements for interoperability, security and privacy. We also offer off-the-shelf tools you can use to test your mDL app or reader for ISO/IEC compliance prior to certification. In addition, we assess mDL cybersecurity, focusing on protection against cloning, forgery or theft by malicious applications, compromised smartphones and data leakage.