Scytáles ISO 18013-5 Frequently Asked Questions

Frequently asked questions about the ISO 18013-5

Why is interoperability important in a mobile identity solution?


With all the different use case scenarios, an mDL and an mDL validator will not only run on different operating systems but also be designed and developed by different vendors. This is why interoperability, enforced by the ISO 18013-5, is one of the key factors in opting for and achieving a functioning mDL ecosystem so that, for example, a Malaysian citizen with a driving privilege can be validated online by a rental officer in the same way upon renting a car in Sweden, Finland or any other place in the world. Scytáles ISO mDL/mID and validation products ensure full interoperability and are passing the various ISO 18013-5 tests.




Is it possible to have a mobile identity ecosystem where there is compatibility between iPhone and Android?


Not only is it possible, but Scytáles is also a true pioneer in the implementation of this solution within the ISO 18013-5. Our ISO Mobile Driving Licence (mDL) and Mobile ID (mID) are not only fully compliant with the standard but also support online, offline, NFC, QR, Bluetooth, Wi-Fi Aware and Barcode readers on both iPhone and Android. As forerunners, we also support all the above combinations, i.e. iPhone to Android and vice versa, on all the different interfaces.




Does Scytáles' ISO mDL support NFC, BLE, QR, Wi-Fi Aware and Barcode?


Our ISO Mobile Driving Licence (mDL) and Mobile ID (mID) are not only fully compliant with the standard but also support both online and offline scenarios, and NFC, QR, Bluetooth, Wi-Fi Aware and Barcode readers on both iPhone and Android. Scytáles is a frontrunner in the ISO international standardization work that is under development: ISO/IEC 18013-5, “Personal Identification – ISO-Compliant Driving Licence – Part 5: Mobile Driving Licence Application”.




Is it possible for an mDL/mID solution to include additional data from other licences or certificates, like from a fishing or hunting licence or Covid-19 vaccination passports?


With the Scytáles ISO mDL/mID you can connect to other trusted data sources and provide additional attributes or licences. One of the main advantages of being digital is that you can have your different IDs in your mobile wallet and keep control at all times of the information you want to share. If you want to start with one ID and later scale up by adding other IDs/licences to your Mobile Identity Ecosystem, you must choose an ISO 18013-5 compliant solution. This is the case for Covid-19 testing and vaccination data, which is already mapped out in the “ISO/IEC 18013-5 mdoc for eHealth” document, which defines an international standard protocol for vaccination certificates or “Green Pass”. This ISO is the standard that not only models how to build these solutions but also ensures that different vendors can communicate seamlessly with each other.




Can an mDL have extra security controls like, for instance, facial recognition?


Mobile phones today are incredible pieces of technology, and users are increasingly keen on security features such as fingerprint authentication or even facial recognition. Scytáles ISO-compliant mDL/mID products take advantage of these state-of-the-art technologies. Our products allow validators to additionally cross-check the identity of a person by using facial recognition mechanisms, thus ensuring the identification displayed actually belongs to the person presenting it.




Does the mDL solution employ data encryption?


All communications to central systems are performed securely over TLS, and user data stored on the mobile device is encrypted, protected by a PIN code or biometric unlock, and stored in secure encrypted database mechanisms using device keys. Local communications during verification are also strongly encrypted, based on the key agreement mechanisms of ISO 18013-5, which use session-generated keys. To further protect data integrity, the mDL solution uses strong digital signatures based on the Trust List models of the ISO 18013-5. Validators also select trustworthy public key certificates to validate the integrity and genuine origin of mDL data, which deters and prevents tampering with mDL data.




Does the mDL application require a secure login on the mobile device?


To access the Scytáles mDL/mID app, the user can either enter a PIN code or unlock it with biometric features, like fingerprints or facial recognition. A secure login helps protect data and the mDL itself from unauthorized usage. Even with a borrowed PIN, the ISO 18013-5 provides for identity verification by the Validator at the time of usage, through validation of the portrait image and comparison to the Holder.
Additionally, when a user first downloads the Scytáles mDL/mID app, they are asked to provide additional personally identifiable information and biometric matching to confirm their identity before the app is populated with the user data. Operator-supervised provisioning is also supported for in-office registration. By ensuring the mDL is provisioned to the correct person, and that only that same person can unlock the mDL for further usage, privacy and security can be preserved.






Frequently asked questions about the ISO mDL/mID

Is an mDL/mID a digital copy of a DL/ID card on the mobile phone?


It's true that an mDL/mID provisions onto the mobile phone a copy of the same data as the physical DL/ID, signed by the respective issuer authority.
However, an mDL/mID cannot be fully trusted merely by showing it to a validator on the Holder's phone since, for instance, it is so easy to take a screenshot of the displayed ID and alter it.
This is why it is so important to adopt an ISO 18013-5 compliant solution: it ensures the interchange of trustworthy identity data between an mDL and a Reader device. The data can be transmitted between the two devices and then cryptographically verified to be authentic and untampered.




Do I have to share all info from my Mobile ID, like I have to with my physical ID?


Besides offering convenient availability of your identity without requiring access to a physical credential, an ISO-compliant mobile Identity / Driving Licence also allows you to share only the necessary attributes for the transaction, rather than all ID/DL attributes. For example, a bar employee verifying your age does not need to know your name or address, and with the Scytáles mID/mDL you can share only your age and photo. Scytáles ISO-compliant solutions additionally provide controlled access to your identity information and protection against unauthorized use, supported by capabilities of the smart device platform, like the usage of a PIN code and/or biometrics.
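An added illustration (not Scytáles code and not text from the standard) of how the answers above fit together: in ISO 18013-5 the issuer signs a Mobile Security Object (MSO) holding a salted digest of every data element, so the Holder can release a subset and the Reader can still detect any altered value. The sketch uses JSON in place of the standard's CBOR encoding, assumes the issuer signature over the MSO has already been verified against the trust list, and runs on constructed sample data.

```python
import hashlib
import json
import secrets

NAMESPACE = "org.iso.18013.5.1"  # mDL namespace defined by ISO 18013-5

def encode_item(item):
    # Simplification: canonical JSON stands in for the standard's CBOR encoding.
    return json.dumps(item, sort_keys=True, separators=(",", ":")).encode()

def issue(elements):
    """Issuer: salt each element, digest it, and list the digests in the MSO."""
    items, digests = [], {}
    for digest_id, (name, value) in enumerate(elements.items()):
        item = {"digestID": digest_id, "random": secrets.token_hex(16),
                "elementIdentifier": name, "elementValue": value}
        items.append(item)
        digests[digest_id] = hashlib.sha256(encode_item(item)).hexdigest()
    mso = {"digestAlgorithm": "SHA-256", "valueDigests": {NAMESPACE: digests}}
    return items, mso

def present(items, requested):
    """Holder: release only the elements requested and approved."""
    return [i for i in items if i["elementIdentifier"] in requested]

def verify(disclosed, mso):
    """Reader: accept an element only if its digest is listed in the MSO.
    Assumption: the MSO signature was already checked against the trust list."""
    digests = mso["valueDigests"][NAMESPACE]
    accepted, rejected = {}, []
    for item in disclosed:
        expected = digests.get(item["digestID"])
        actual = hashlib.sha256(encode_item(item)).hexdigest()
        if expected is not None and secrets.compare_digest(expected, actual):
            accepted[item["elementIdentifier"]] = item["elementValue"]
        else:
            rejected.append(item["elementIdentifier"])
    return accepted, rejected

def demo():
    # Constructed sample data, not a real licence.
    items, mso = issue({"family_name": "Doe", "birth_date": "1990-01-01",
                        "age_over_21": True, "portrait": "constructed-image-A"})
    shared = present(items, {"age_over_21", "portrait"})  # the bar scenario
    genuine = verify(shared, mso)
    # A swapped portrait no longer matches the digest the issuer signed.
    altered = [dict(i, elementValue="constructed-image-B")
               if i["elementIdentifier"] == "portrait" else i for i in shared]
    return shared, genuine, verify(altered, mso)

if __name__ == "__main__":
    print(demo())
```

The per-element random salt is what keeps the undisclosed elements private: the Reader sees their digests in the MSO but cannot guess low-entropy values such as a birth date from them.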




How can I get my mDL/mID?


Even though the Scytáles ISO mDL/mID is available in your App Store, due to the sensitivity of this matter the Issuing Authority needs to confirm and perform the enrollment process. This validation is going to be similar to opening a bank account nowadays, for example.
To enrol your ID card on your mobile device, you can either choose an in-person process or a self-guided process. The first implies that you physically go to an official front desk, where an agent guides you through all the necessary steps. In the self-guided process, you can enrol your ID remotely. However, the verification still has to be performed by an official agent (through a video-call, photo validation and other methods).




Is my mDL/mID going to be accepted as an official identification document?


Once the ISO 18013-5 is published, your mDL/mID is not only going to be officially accepted, but you can also use it everywhere and across borders. By using an ISO-compliant solution, like the Scytáles ISO mDL/mID, both you and any Validator have the assurance that the mobile document presented is official, interoperable and secure. Since presently there is only one ISO standardized mDL/mID in production, the one that Utah DLD has tapped Scytáles and technology partner GET Group NA to provide to Utahns in a 2021 pilot program, you should be extra careful with the solution you choose. Scytáles is a strong driving force in the ISO working group for the mDL, and we are fully compliant with this standard as of today. We are representing Sweden (SIS) as an expert through the Standardization Body and Task Force 14 on mDL within ISO/IEC JTC1/SC17/WG10.




Can I use my mobile identity at home? Or is it only usable in person?


You can use your mDL/mID whenever and however you want, as long as it is ISO 18013-5 compliant. The ISO defines both ways to identify yourself, attended or unattended. This means that you can be safely and comfortably at home and use your mDL/mID to, for instance, open a bank account.




What happens to my mDL/mID if I switch phones?


For security reasons, ISO 18013-5 states that the end-user data is not transferable to a new device. The enrollment process uses device-specific keys to authenticate the ID data and to protect the information transmitted.
When you switch to a new phone, you must re-enrol your ID either through a self-guided or in-person process. This is a quick process and happens fairly seldom.




