Scytáles ISO 18013-5 Frequently Asked Questions

Frequently asked questions about the ISO 18013-5

Is an mDL/mID a digital copy of a DL/ID card on the mobile phone?


It is true that an mDL/mID places on the mobile phone a copy of the same data as the physical DL/ID, signed by the respective issuing authority.
However, an mDL/mID cannot be fully trusted just because it is shown to a validator on the Holder's phone since, for instance, it is easy to take a screenshot of the displayed ID and alter it.
This is why it is so important to adopt an ISO 18013-5 compliant solution: it ensures the interchange of trustworthy identity data between an mDL and a Reader device. The data can be transmitted between the two devices and then cryptographically verified to be authentic and untampered.




Do I have to share all info from my Mobile ID, like I have to with my physical ID?


Besides offering convenient availability of your identity without requiring access to a physical credential, an ISO-compliant mobile Identity / Driving Licence also allows you to share only the attributes necessary for the transaction, rather than all ID/DL attributes. For example, a bar employee verifying your age does not need to know your name or address, and with the Scytáles mID/mDL you can share only your age and photo. Scytáles ISO-compliant solutions additionally provide controlled access to your identity information and protection against unauthorized use, supported by capabilities of the smart device platform, such as a PIN code and/or biometrics.




How can I get my mDL/mID?


Even if the Scytáles ISO mDL/mID is available in your App Store, the sensitivity of this matter means that the Issuing Authority needs to confirm and perform the enrollment process. This validation is going to be similar to opening a bank account nowadays, for example.
To enrol your ID card on your mobile device, you can either choose an in-person process or a self-guided process. The first implies that you physically go to an official front desk, where an agent guides you through all the necessary steps. In the self-guided process, you can enrol your ID remotely. However, the verification still has to be performed by an official agent (through a video-call, photo validation and other methods).




Is my mDL/mID going to be accepted as an official identification document?


Once the ISO 18013-5 is published, your mDL/mID is not only going to be officially accepted, but you can also use it everywhere and across borders. By using an ISO-compliant solution, like the Scytáles ISO mDL/mID, both you and any Validator have the assurance that the mobile document presented is official, interoperable and secure. Since there is presently only one ISO-standardized mDL/mID in production, the one that the Utah DLD has tapped Scytáles and technology partner GET Group NA to provide to Utahns in a 2021 pilot program, you should be extra careful with the solution you choose. Scytáles is a strong driving force in the ISO working group for the mDL, and we are fully compliant with this standard as of today. We are representing Sweden (SIS) as an expert through the Standardization Body and Task Force 14 on mDL within ISO/IEC JTC1/SC17/WG10.




Can I use my mobile identity at home? Or is it only usable in person?


You can use your mDL/mID whenever and however you want, as long as it is ISO 18013-5 compliant. The standard defines both ways to identify yourself: attended and unattended. This means that you can be safely and comfortably at home and use your mDL/mID to, for instance, open a bank account.




What happens to my mDL/mID if I switch phones?


For security reasons, ISO 18013-5 states that the end-user data is not transferable to a new device. The enrollment process uses device-specific keys to authenticate the ID data and to protect the information transmitted.
When you switch to a new phone, you must re-enrol your ID either through a self-guided or in-person process. This is a quick process and happens fairly seldom.





Frequently asked questions about the ISO mDL/mID implementation

What if I don’t have a data connection or wifi available? How is my data verified?


With an ISO-compliant solution, it is possible to share and validate the information of a Mobile Driving Licence (mDL) stored on a secure smart device even when there is no connection. In this scenario, the Validator (e.g. a police officer) requests the mDL Holder to transmit identity attributes over communication channels supported by both devices. Data is transmitted from the Holder’s device over a secure encrypted channel to the Validator’s reader, along with a cryptographic signature from the Issuer proving that the data have not been altered. The reader can also check that the mDL data was transmitted by the device to which it was originally issued. This technology is already built into all Scytáles ISO-compliant products.
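
How a reader can check a partial disclosure offline, as an added example (not Scytáles code and not text from the standard): the issuer signs salted per-attribute digests together with the device public key, so the Holder can reveal only some attributes and the reader still detects an altered value or a copy presented from another device. JSON and a reader nonce stand in here for the CBOR/COSE structures and session transcript that ISO 18013-5 uses; all function names and sample values are constructed.

```javascript
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const ecKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
// The random salt keeps an undisclosed value from being guessed from its digest.
const itemDigest = (it) => sha256(JSON.stringify([it.salt, it.name, it.value]));

// Issuer: salt every attribute, then sign the digest list plus the device public key.
function issue(issuerKey, devicePublicKey, attributes) {
  const items = Object.entries(attributes).map(([name, value]) =>
    ({ name, value, salt: crypto.randomBytes(16).toString('hex') }));
  const mso = JSON.stringify({
    digests: items.map(itemDigest),
    deviceKey: devicePublicKey.export({ type: 'spki', format: 'pem' }),
  });
  return { items, mso, issuerSig: crypto.sign('sha256', Buffer.from(mso), issuerKey.privateKey) };
}

// Holder: reveal only the requested items and sign the reader's session nonce.
function present(credential, devicePrivateKey, requested, nonce) {
  return {
    items: credential.items.filter((it) => requested.includes(it.name)),
    mso: credential.mso,
    issuerSig: credential.issuerSig,
    deviceSig: crypto.sign('sha256', Buffer.from(nonce), devicePrivateKey),
  };
}

// Reader: works offline, needs only the issuer's public key.
function verify(p, issuerPublicKey, nonce) {
  if (!crypto.verify('sha256', Buffer.from(p.mso), issuerPublicKey, p.issuerSig)) return 'bad issuer signature';
  const mso = JSON.parse(p.mso);
  if (!p.items.every((it) => mso.digests.includes(itemDigest(it)))) return 'altered attribute';
  const deviceKey = crypto.createPublicKey(mso.deviceKey);
  if (!crypto.verify('sha256', Buffer.from(nonce), deviceKey, p.deviceSig)) return 'wrong device';
  return 'ok';
}

// Constructed sample credential and keys.
function demo() {
  const issuer = ecKey(), phone = ecKey(), otherPhone = ecKey();
  const cred = issue(issuer, phone.publicKey,
    { family_name: 'Doe', age_over_21: false, resident_address: '1 Example St' });
  const nonce = crypto.randomBytes(16).toString('hex');
  const good = present(cred, phone.privateKey, ['age_over_21'], nonce);
  const altered = { ...good, items: [{ ...good.items[0], value: true }] };
  const copied = present(cred, otherPhone.privateKey, ['age_over_21'], nonce);
  const check = (p) => verify(p, issuer.publicKey, nonce);
  return { shared: good.items.map((it) => it.name).join(','),
    good: check(good), altered: check(altered), copied: check(copied) };
}
console.log(demo());
```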




Why should I trust an mDL/mID verification from a Validator device?


The ISO 18013-5 defines two ways to validate the data, an online and an offline method, neither of which requires users to hand over their device. On the one hand, the online mode provides the quickest data retrieval and ensures the freshest data, and is therefore recommended whenever an Internet connection is available. In this scheme, the Validator obtains a token through QR Code, NFC, BLE or via the Internet from the mDL/mID Holder's phone. The Validator device then uses that token to request and receive the ID data directly from the Issuing Authority, using Signer Certificates to secure and authenticate the connection. On the other hand, when there is no connectivity to the central system (no data or Internet connection), the Validator retrieves the ID info directly from the mDL/mID device via NFC, BLE or WiFi Aware. The offline scenario applies enforced mechanisms to protect the connection between the devices, and the Validator uses Signer Certificates to validate the integrity and authenticity of the data.




Can someone verify my mDL/mID without physically handling my mobile device?


An mDL/mID Holder does not have to hand over their device at any point of the verification process and has complete control over the data shared with a Validator.
The ISO 18013-5 defines principles for data privacy and security by design. By enabling tap, nearby and distance data communications, the Holder always handles their mobile device and controls which of their data is shared. The closest your phone gets to a Validator device is when it is tapped for an NFC connection, similar to payment implementations today.




What devices and platforms accept an mDL and can be a Validator? Can I verify it on Windows or integrate it into my POS device?


The ISO 18013-5 is device agnostic, provided the Validator device has either an Internet connection (online retrieval) or available hardware to communicate with the mDL device (a camera for scanning QR codes, Bluetooth, NFC to tap, or WiFi Aware for offline transmission). Scytáles has an ISO-compliant Validator Toolkit for building validators on iOS, Windows, and Android platforms. Since some of these are in Java, additional platforms or custom purpose devices are easily supported.




