Scytáles ISO 18013-5 Frequently Asked Questions


What is the ISO/IEC 18013-5?


The ISO/IEC 18013-5 standard defines an mDL as a driving licence which resides on a mobile device or requires a mobile device as part of the process to gain access to the driving licence. This global standard is being developed by the members of the International Organization for Standardization (ISO/IEC JTC1/SC17/WG10), ultimately serving billions of mDL holders and the mDL relying party community. ISO/IEC 18013 consists of the following parts, under the general title Personal identification – ISO-compliant driving licence:

  • Part 1: Physical characteristics and basic data set. Part 1 describes the basic terms for this document including physical characteristics, basic data element set, visual layout, and physical security features;
  • Part 2: Machine-readable technologies. Part 2 describes the technologies that may be used for this document, including the logical data structure and data mapping for each technology;
  • Part 3: Access control, authentication and integrity validation. Part 3 describes the electronic security features that may be incorporated under this document, including mechanisms for controlling access to data, verifying the origin of an IDL, and confirming data integrity;
  • Part 4: Test methods. Part 4 describes the test methods that can be used to determine if an IDL conforms to the requirements for machine-readable technologies specified in Part 2 and to the electronic security features specified in Part 3;
  • Part 5: Mobile Driving Licence (mDL) application. Part 5 describes interface specifications for the implementation of a driving licence in association with a mobile device.




What is Scytáles’ role in the ISO 18013-part 5 working group?


Scytáles is a strong driving force in the ISO working group for the mDL and we are fully compliant with this standard as of today. We are representing Sweden (SIS) as an expert through the Standardization Body and Task Force 14 on mDL within ISO/IEC JTC1/SC17/WG10.




Why is interoperability important in a mobile identity solution?


With all the different use case scenarios, an mDL and an mDL validator will not only run on different operating systems but also be designed and developed by different vendors. This is why interoperability, enforced by the ISO 18013-5, is one of the key factors in opting for and achieving a functioning mDL ecosystem so that, for example, a Malaysian citizen with a driving privilege can be validated online by a rental officer in the same way upon renting a car in Sweden, Finland or any other place in the world. Scytáles ISO mDL/mID and validation products ensure full interoperability and are passing the various ISO 18013-5 tests.




Is it possible to have a mobile identity ecosystem where there is compatibility between iPhone and Android?


Not only is it possible, but Scytáles is also a true pioneer in the implementation of this solution within the ISO 18013-5. Our ISO Mobile Driving Licence (mDL) and Mobile ID (mID) are not only fully compliant with the standard but also support online, offline, NFC, QR, Bluetooth, Wifi Aware and Barcode readers on both iPhone and Android. As forerunners, we also support all the above combinations, i.e. iPhone to Android and vice versa, on all the different interfaces.




What if I don’t have a data connection or wifi available? How is my data verified?


With an ISO-compliant solution, it is possible to share and validate the information of a Mobile Driving Licence (mDL) stored on a secure smart device even when there is no connection. In this scenario, the Validator (e.g. a police officer) requests the mDL Holder to transmit identity attributes over communication channels supported by both devices. Data is transmitted from the Holder’s device over a secure encrypted channel to the Validator’s reader, along with a cryptographic signature from the Issuer proving that the data have not been altered. The reader can also check that the mDL data was transmitted by the device to which it was originally issued. This technology is already built into all Scytáles ISO-compliant products.




Does Scytáles' ISO mDL support NFC, BLE, QR, Wifi Aware and Barcode?


Our ISO Mobile Driving Licence (mDL) and Mobile ID (mID) are not only fully compliant with the standard but also support both online and offline scenarios, and NFC, QR, Bluetooth, Wifi Aware and Barcode readers on both iPhone and Android. Scytáles is a frontrunner in the ISO international standardization work that is under development: ISO/IEC 18013-5, “Personal Identification – ISO-Compliant Driving Licence – Part 5: Mobile Driving Licence Application”.




Do I have to share all info from my Mobile ID, like I have to with my physical ID?


Besides offering convenient availability of your identity without requiring access to a physical credential, an ISO-compliant mobile Identity / Driving Licence also allows you to share only the necessary attributes for the transaction, rather than all ID/DL attributes. For example, a bar employee verifying your age does not need to know your name or address, and with the Scytáles mID/mDL you can share only your age and photo. Scytáles ISO-compliant solutions additionally provide controlled access to your identity information and protection against unauthorized use, supported by capabilities of the smart device platform, like the usage of a PIN code and/or biometrics.




Is an mDL/mID a digital copy of a DL/ID card on the mobile phone?


It's true that an mDL/mID provisions a copy in the mobile phone of the same data as the physical DL/ID, signed by the respective issuer authority.
However, an mDL/mID cannot be fully trusted only by showing it to a validator on the Holder's phone since, for instance, it is so easy to take a screenshot of the displayed ID and alter it.
This is why it is so important to adopt an ISO 18013-5 compliant solution: it ensures the interchange of trustworthy identity data between an mDL and a Reader device. The data can be transmitted between the two devices and then cryptographically verified to be authentic and untampered.
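
The selective sharing and tamper detection described in the two answers above can be sketched as follows. This is an added example, not Scytáles' code: it follows the ISO 18013-5 approach of having the issuer sign a list of salted per-attribute digests, but uses JSON in place of CBOR and an HMAC under a constructed key in place of the issuer's public-key signature, so that it runs on the Python standard library alone. The function names and sample data are hypothetical.

```python
import hashlib, hmac, json, os

ISSUER_KEY = os.urandom(32)  # assumption: stand-in for the issuer's signing key

def encode(obj):
    # Deterministic JSON for the sketch; the standard encodes with CBOR.
    return json.dumps(obj, sort_keys=True).encode()

def issue(attributes):
    """Issuer: salt each attribute, digest it, sign the list of digests."""
    items = [{"digestID": i, "random": os.urandom(16).hex(),
              "elementIdentifier": k, "elementValue": v}
             for i, (k, v) in enumerate(attributes.items())]
    digests = {str(it["digestID"]): hashlib.sha256(encode(it)).hexdigest()
               for it in items}
    signed = encode({"valueDigests": digests})
    sig = hmac.new(ISSUER_KEY, signed, hashlib.sha256).digest()
    return items, signed, sig

def present(items, requested):
    """Holder: release only the attributes the Validator asked for."""
    return [it for it in items if it["elementIdentifier"] in requested]

def verify(disclosed, signed, sig):
    """Validator: check the signature, then every disclosed item's digest."""
    expected = hmac.new(ISSUER_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # digest list was not signed by the issuer
    digests = json.loads(signed)["valueDigests"]
    accepted = {}
    for it in disclosed:
        want = digests.get(str(it["digestID"]))
        got = hashlib.sha256(encode(it)).hexdigest()
        if want is None or not hmac.compare_digest(want, got):
            return None  # attribute altered after issuance
        accepted[it["elementIdentifier"]] = it["elementValue"]
    return accepted

# Constructed sample licence data.
SAMPLE = {"family_name": "Doe", "resident_address": "1 Example St",
          "age_over_18": True, "portrait": "<jpeg bytes>"}

if __name__ == "__main__":
    items, signed, sig = issue(SAMPLE)
    shown = present(items, {"age_over_18", "portrait"})
    print(verify(shown, signed, sig))   # only age and photo reach the Validator
    shown[0]["elementValue"] = False    # alter the age attribute
    print(verify(shown, signed, sig))   # verification fails
```

The per-attribute random salt is what keeps the undisclosed attributes private: the Validator sees their digests in the signed list but cannot guess low-entropy values from them.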




Is it possible for an mDL/mID solution to include additional data, like from a fishing or hunting licence?


With the Scytáles ISO mDL/mID you can connect to other trusted data sources and provide additional attributes or licences. One of the main advantages of being digital is that you can have your different IDs in your mobile wallet and keep control at all times of the information you want to share. If you want to start with one ID and afterwards scale up by adding other IDs/licences to your Mobile Identity Ecosystem, you must choose an ISO 18013-5 compliant solution. This ISO is the standard that not only models how to build these solutions but also ensures that different vendors' products can communicate seamlessly with each other.




Can an mDL have extra security controls like, for instance, facial recognition?


Mobile phones today are incredible pieces of technology and users are getting more keen on security features such as using the fingerprint to authenticate or even facial recognition. Scytáles ISO-compliant mDL/mID products take advantage of these state-of-the-art technologies. Our products allow validators to additionally cross-check the identity of a person by using facial recognition mechanisms, thus ensuring the identification displayed is actually from the person that is presenting it.




Why should I trust an mDL/mID verification from a Validator device?


The ISO 18013-5 defines two ways to validate the data, an online and an offline method, neither of which requires users to hand over their device. On the one hand, the online mode provides the quickest data retrieval and ensures the freshest data, and is thus recommended whenever an Internet connection is available. In this scheme, the Validator obtains a token through QR Code, NFC, BLE or via the Internet from the mDL/mID Holder's phone. The Validator device then uses that token to request and receive the ID data directly from the Issuing Authority, using Signer Certificates to secure and authenticate the connection. On the other hand, when there is no connectivity to the central system (no data or Internet connection), the Validator retrieves the ID info directly from the mDL/mID device via NFC, BLE or WifiAware. The offline scenario applies enforced mechanisms to protect the connection between the devices, and the Validator uses Signer Certificates to validate the integrity and authenticity of the data.




Can someone verify my mDL/mID without physically handling my mobile device?


An mDL/mID Holder does not have to hand over their device at any point of the verification process and has complete control over the data shared with a Validator.
The ISO 18013-5 defines principles for data privacy and security by design. By enabling tap, nearby and distance data communications, the Holder always handles their mobile device and controls which of their data is shared. The closest your phone gets to a Validator device is when it is tapped for an NFC connection, similar to payment implementations today.




What happens to my mDL/mID if I switch phones?


For security reasons, the ISO 18013-5 states that the end-user data is not transferable to a new device. The enrollment process uses device-specific keys to authenticate the ID data and to protect the information transmitted.
When you switch to a new phone, you must re-enrol your ID either through a self-guided or in-person process. This is a quick process and happens fairly seldom.




How can I get my mDL/mID?


Even though the Scytáles ISO mDL/mID is available in your App Store, the sensitivity of identity data means that the Issuing Authority needs to confirm and perform the enrollment process. This validation is going to be similar to opening a bank account nowadays, for example.
To enrol your ID card to your mobile device, you can either choose an in-person process or a self-guided process. The first implies that you physically go to an official front desk, where an agent guides you through all the necessary steps. In the self-guided process, you can enrol your ID remotely. However, the verification still has to be performed by an official agent (through a video-call, photo validation and other methods).




Is my mDL/mID going to be accepted as an official identification document?


Once the ISO 18013-5 is published, your mDL/mID is not only going to be officially accepted, but you can also use it everywhere and across borders. By using an ISO-compliant solution, like the Scytáles ISO mDL/mID, both you and any Validator have the assurance that the mobile document presented is official, interoperable and secure.
Since presently there are not any ISO standard mDL/mIDs or Validators in production, you should be extra careful with the solution you choose. Scytáles is a strong driving force in the ISO working group for the mDL, and we are fully compliant with this standard as of today.
We are representing Sweden (SIS) as an expert through the Standardization Body and Task Force 14 on mDL within ISO/IEC JTC1/SC17/WG10.




When is the final ISO 18013-5 going to be published?


The ISO 18013-5 standard is in the Draft International Standard phase with a plan to publish in 2020. The current document is available from the ISO Repository. Revisions and the latest versions are available within ISO Committees, regional standards organizations, liaisons to the ISO mDL team (JTC1/SC27/WG10), and from partner trade alliances such as Secure Technology Alliance.




Can I use my mobile identity at home? Or is it only usable in person?


You can use your mDL/mID whenever and however you want, as long as it is ISO 18013-5 compliant. This ISO defines both ways to identify yourself, attended or unattended. This means that you can be safely and comfortably at home and use your mDL/mID to, for instance, open a bank account.




What devices and platforms accept an mDL and can be a Validator? Can I verify it on Windows or integrate it into my POS device?


The ISO 18013-5 is device agnostic provided the Validator device has either an Internet connection (online retrieval) or available hardware to communicate with the mDL device (a camera for scanning QR codes, Bluetooth, NFC to tap, or WiFi Aware for offline transmission). Scytáles has an ISO-compliant Validator Toolkit for building validators on iOS, Windows, and Android platforms. Since some of these are in Java, additional platforms or custom purpose devices are easily supported.




Does the mDL solution employ data encryption?


All communications to central systems are performed securely over TLS, and user data stored in the mobile device is encrypted, protected by a PIN code or biometric unlock, and stored in secure encrypted database mechanisms using device keys. Local communications during verification are also strongly encrypted, based on the key agreement mechanisms of ISO 18013-5, which use session-generated keys. To further protect data integrity, the mDL solution uses strong digital signatures based on the Trust List models of the ISO 18013-5. Validators also select trustworthy public key certificates to validate the integrity and genuine origin of mDL data, which deters and prevents tampering with mDL data.




Does the mDL application require a secure login on the mobile device?


To be able to access the Scytáles mDL/mID app, the user can either enter a PIN code or use biometric features to unlock, like fingerprints or facial recognition. A secure login helps protect data and the mDL itself from unauthorized usage. Even with a borrowed PIN, the ISO 18013-5 determines identity verification by the Validator at the time of usage through validation of the portrait image and comparison to the Holder.
Additionally, when a user first downloads the Scytáles mDL/mID app, they are asked to provide additional personally identifiable information and biometric matching to confirm their identity before populating the app with the user data. Operator supervised provisioning is also supported for in-office registration. By ensuring the mDL is provisioned to the correct person, and that only that same person can unlock the mDL for further usage, privacy and security can be preserved.






Copyright © 2020 by Scytáles AB. Sweden
