Today it is imperative that we look out for our citizens, community, family and friends. We must do our best to avoid physical contact with others and adopt new interaction models which can be reliable and safe. Mobile identity helps you to never get in touch with others, even with officers, when you have to identify yourself. Your ID can be verified while keeping a safe distance by using NFC, Bluetooth or QR Codes on your mobile phone.
The International Organization for Standardization (ISO) is developing a standard that describes the requirements to enable verifiers not affiliated with or associated with the issuing authority to gain access to and authenticate the information on a mobile device. Besides, it also outlines how the holder of the driving licence can decide what information to release to a verifier while being able to update information frequently and to authenticate information at a high level of confidence.
Scytáles is a strong driving force in the ISO working group for the mDL, and we are fully compliant with this standard as per today. We are representing Sweden (SIS) as an expert through the Standardization Body and Task Force 14 on mDL within ISO/IEC JTC1/SC17/WG10.
Once the ISO 18013-5 is published, your mDL/mID is not only going to be officially accepted, but you can also use it everywhere and across-borders. By using an ISO-compliant solution, like the Scytáles ISO mDL/mID, both you and any Validator have the assurance that the mobile document presented is official, interoperable and secure. Since presently there are not any ISO standard mDL/mIDs or Validators in production, you should be extra careful with the solution you choose.
In this article, we cover five security features that enhance an ISO-compliant mobile identity. You can also read more about the ISO 18013-5 here.
1. An mDL/mID is more than just a digital copy of a DL/ID card on the mobile phone
An mDL/mID provisions a copy in the mobile phone of the same data as a physical DL/ID, signed by the respective issuer authority. However, and unlike the card, an mDL/mID can not be fully trusted only by showing it to a validator on the holder's phone since it is so easy to take a screenshot of the displayed ID and alter it. That is why an ISO 18013-5 compliant solution comes into force: it ensures the interchange of reliable identity data between an mDL and a Reader device. The transmitted data is always cryptographically verified if it is authentic and untampered.
The ISO 18013-5 determines two ways to validate the data - an online and an offline method - none of which requires users to hand over their device. On the one hand, an online mode provides the quickest data retrieval and ensures the freshest data, thus is recommended whenever an Internet connection is available. In this scheme, the Validator obtains a token through QR Code, NFC, BLE or via the Internet from the mDL/mDL holder phone. The Validator device then uses that token to request and receive the ID data directly from the Issuing Authority, using Signer Certificates to secure and authenticate the connection. On the other hand, when there is no connectivity to the central system (no data or Internet connection), the Validator retrieves the ID info directly from the mDL/mID device via NFC, BLE or WifiAware. The offline scenario applies enforced mechanisms to protect the connection between the devices and the Validator uses Signer Certificates to validate the integrity and authenticity of the data.
Scytáles ISO-compliant mDL/mID products yet goes a bit further and also take advantage of new state-of-the-art technologies to add extra security controls like, for example, facial recognition. Our products allow validators to additionally cross-check the identity of a person by using facial recognition mechanisms, thus ensuring the identification displayed is actually from the person that is presenting it.
2. An mDL/mID ensures data privacy and control
As stated above, an mDL/mID holder does not have to hand over their device at any point of the verification process and has complete control over the data shared with a Validator. The ISO 18013-5 defines principles for data privacy and security by design. By enabling tap, nearby and distance data communications, the holder always handles their mobile device and controls which of their data is shared. The closest your phone gets to a Validator device is when it is tapped for an NFC connection, similar to payment implementations today.
An mDL/mID Holder does not have to hand over their device at any point of the verification process and always has complete control over the data they chose to share with a Validator.
3. Scale-up is possible by adding other IDs/Licences (for example hunting licence) to your Mobile Identity Ecosystem
With the Scytáles ISO mDL/mID you can connect to other trusted data sources and provide additional attributes or licences. One of the main advantages of being digital is that you can have your different IDs on your mobile wallet and keep the control at all times of the information you want to share. If you start with one ID and afterwards scale-up adding other IDs/Licences to your Mobile Identity Ecosystem, you must choose an ISO 18013-5 compliant solution. This ISO is the standard that not only models how to build these solutions but also ensures that different vendors can communicate seamlessly between them.
One of the main advantages of being digital is that you can have your different IDs on your mobile wallet and keep the control at all times of the information you want to share.
4. Enrolment of a mobile identity remotely or in-person
Due to the sensitiveness of this issue, the Issuing Authority needs to confirm and perform the enrolment process, even if the Scytáles ISO mDL/mID is available in your App Store. This validation is going to be similar to, for example, opening a bank account. To enrol your ID card to your mobile device, you can either choose an in-person process or a self-guided process. The first implies that you physically go to an official front desk, where an agent guides you through all the necessary steps. In the self-guided process, you can enrol your ID remotely. However, the verification still has to be performed by an official agent (through a video-call, photo validation and other methods).
5. Re-enrolment is easy
For security reasons, the ISO 18013-5 states that the end-user data is not transferable to a new device. The enrollment process uses device-specific keys to authenticate the ID data and to protect the information transmitted. When you switch to a new phone, you must re-enrol your ID either through a self-guided or in-person process. It is a quick process and happens fairly seldom.