New standard will enable trustworthy mobile driving licence

What about situations that call for proof of identification and age? Many people already use their driving licence, which gives them more than the right to drive and also provides credible proof of identity. But wouldn’t it be great to have an easily accessible mobile version if needed, for digital transactions?

Interview with Peter Waggett

e-tech caught up with Peter Waggett who leads the work by IEC and ISO for the mobile driving licence (mDL) application standard – ISO/IEC 18013-5.

For over 30 years, IEC and ISO have been developing international standards, enabling people to conduct business across the world without having to worry about different formats. Waggett oversees the group covering cards and security devices for personal identification, which includes passports, driving licences and bank cards.

As digitalization evolves, situations in which there will be a need for secure online ID will increase and could cover:

• obtaining social services, voting, opening bank accounts
• car rental, hotel check-in, boarding a plane, access to government buildings, airport security
• entering a bar/club, purchasing age-restricted item

What standards do you develop?

“We’ve developed international standards, such as for machine readable passports and visas and bank cards, which ensure aspects like the data elements on these items, dimensions and testing, in the case of cards, for bendability, resistance to temperature or surface distortions. These standards have made it possible for people to travel to any airport in the world, enter that country, hire a car, get money out of an ATM machine and conduct normal business. Now, we’re looking to the future to see how we can move this to the next generation, which would be to continue these capabilities on mobile devices”, explains Waggett.

How will the new standard facilitate the mDL?

For several years, a number of countries have been running pilots and trials for the mobile driving licence. Finland, Norway, the UK, Argentina, Brazil, Thailand, parts of Australia and the US have made mobile driving licences available since the beginning of 2018, and more countries are following suit.

“In order for the mobile driving licence to be successful, it will need to be accessible and we’ll need to be able to trust the data. The mDL standard we’re developing provides mechanisms for both these aspects and is expected to be finalized in 2020”, says Waggett.

The new standard – ISO/IEC 18013-5.2, Information technology — Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence application (mDL) – describes interface specifications for the implementation of a driving licence on a mobile device, in other words, the interface between the mDL and the mDL reader.

It provides ways in which verifiers other than the mDL issuing authorities, such as police, government services, websites or apps, building access systems, can ensure that the photo and data of the mDL holder are authentic and therefore trustworthy.

The standard covers:

• attended use cases, when a person is present to check the identity of the mDL holder, for example, police during a roadside stop. It also makes provisions for connected and disconnected devices.
• unattended situations, such as vending machines for tobacco or alcohol, using connected or disconnected devices.
• access to certain websites, such as government services.

The technologies stipulated in the standard which enable the mobile device reader to make the verification include optical QR code, near field communication (NFC) and Bluetooth low energy (BLE).

How secure will the mDL be?

In order to maintain confidentiality, integrity and authenticity of the data exchange between the mDL and the reader, the standard addresses anti forgery, anti cloning, anti eavesdropping and anti unauthorized access, by using encryption and message authentication methods.

“There is a whole section of the standard which deals with security. This will help authenticate the origin of mDL data, how up to date it is, verify that it has not changed from the issuing authority and prevent unauthorized access to it. This also covers data privacy, which must be achieved if the mobile driving licence is to be adopted broadly”, remarks Waggett.

The standard also defines the principles for privacy protection. Some examples include making sure that the device reader only requests and receives data appropriate for the use case, and that the privacy protocol does not make users identifiable if they cannot already be identified by the transmitted data.

Looking ahead

Technology is radically changing how we live. According to Statista, the world mobile commerce share of e-commerce is expected to reach 72.9% globally by 2021. There are many more statistics that show a growing trend for using mobile devices to carry out many online transactions.

We create online accounts to do everything from ordering a cab, paying bills, shopping, to tracking our insurance claims, monitoring our health and making investments. It is not hard to imagine that one day we would no longer need the check out at the shopping centre, if items we buy are scanned to an app in our phones, which automatically bills our bank accounts or something similar for car sharing programmes. The arrival of the new mobile driving licence standard could not be more timely.