Loyalty ID
Full Title or Meme
Many sales organizations have created plans to reward loyal customers with savings or other benefits accessible through continued use of their products.
Historical
Context
This paper is focused on two trends:
- The move from card based driver's licenses to smartphone based Mobile Driver's Licenses.
- Many sovereign states have been moving in the direction of a single user authentication process for all departments and agencies of the state.
Problems
- Even the landline phone was used for tracking as soon as it became ubiquitous. FBI wiretaps have been known to capture many types of criminal behavior.
- Smartphones are both incredibly complex and designed specifically to understand where they are as well as how they are being used.
Related IDs
- Self-issued Identifiers were first proposed commercially in the Microsoft Info Card.
- State Mandated Identification tries to tie all of the various identities that they maintain into a single collection of credentials under a single ID.
Use Cases
Washington State
This is a list of web sites that can be accessed from outside the state network and require ID credentials. There may be other sites that allow online access without credentials that later ask for them. In particular the DMV is in that category. Two duplicates were left out irrespective of their reality to avoid questions. More discussion on the use of the Driver's License as the primary sort of Identifier for residents of the state is in the wiki page on MDL Considered Harmful, which explains why the DL is not the best starting point.
Loyalty Cards
- Use Badge’s loyalty program API to build and launch digital loyalty cards with real-time updates, custom branding, and seamless mobile wallet integration.
Example
A store can validate a loyalty card stored in Apple Wallet or Google Wallet using cryptographic means, but it depends on how the card was issued and whether the system is designed to support secure validation.
How Cryptographic Validation Works
For more details see the wiki page Mobile Payment.
Apple Wallet
- Apple Wallet uses PassKit, where each pass (like a loyalty card) is a .pkpass file.
- These passes are digitally signed using a certificate issued by Apple.
- The signature ensures:
  - The pass was issued by a trusted source.
  - The pass hasn’t been tampered with.
- Stores can validate the pass by checking the signature and verifying the passTypeIdentifier and serialNumber against their backend systems.
Google Wallet
- Google Wallet uses JWT (JSON Web Tokens) or REST API-issued passes.
- Each loyalty card can include a signed JWT, which:
  - Confirms authenticity.
  - Can be verified using public keys.
Merchants can validate the JWT and check the issuer ID, class ID, and object ID to confirm the card is legitimate.
What This Means for Stores
- If your store issues loyalty cards using Apple’s or Google’s developer tools, you can build a backend system that:
  - Verifies the cryptographic signature.
  - Checks the card’s metadata (e.g., expiration, user ID, points).
  - Ensures the card hasn’t been revoked or duplicated.
- This is far more secure than relying on barcodes or QR codes alone, which can be copied or spoofed.
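The backend checks listed above, as an added example (not code from this page or from Apple's or Google's tooling) for a store-issued signed token in JWT form. The ES256 algorithm, the claim names (iss, classId, objectId, jti, exp) and the in-memory revoked/spent sets are assumptions made for illustration; only Node's built-in crypto module is used.

```javascript
const nodeCrypto = require("node:crypto");

const b64u = (x) => Buffer.from(x).toString("base64url");
const unb64 = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Issuer side: sign the claims as a compact ES256 JWT (claim names are assumptions).
function issueToken(claims, privateKey) {
  const input = `${b64u(JSON.stringify({ alg: "ES256", typ: "JWT" }))}.${b64u(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign("sha256", Buffer.from(input), { key: privateKey, dsaEncoding: "ieee-p1363" });
  return `${input}.${sig.toString("base64url")}`;
}

// Store side: returns { ok, reason }. `state` holds revoked card IDs and spent token IDs.
function validateToken(token, publicKey, expected, state, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try { header = unb64(parts[0]); claims = unb64(parts[1]); } catch { return { ok: false, reason: "malformed" }; }
  if (!header || !claims) return { ok: false, reason: "malformed" };
  // Pin the algorithm: the token must not choose how it is verified (e.g. "none").
  if (header.alg !== "ES256") return { ok: false, reason: "bad-alg" };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], "base64url");
  if (!nodeCrypto.verify("sha256", signed, { key: publicKey, dsaEncoding: "ieee-p1363" }, sig))
    return { ok: false, reason: "bad-signature" };
  // Claims are trusted only from here on, after the signature has verified.
  if (claims.iss !== expected.issuerId || claims.classId !== expected.classId)
    return { ok: false, reason: "wrong-issuer-or-class" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  if (state.revoked.has(claims.objectId)) return { ok: false, reason: "revoked" };
  if (!claims.jti || state.spent.has(claims.jti)) return { ok: false, reason: "replayed" };
  state.spent.add(claims.jti); // one-time use: a copied token fails on second presentation
  return { ok: true, reason: "valid", objectId: claims.objectId };
}

// Constructed sample: one card token presented twice at the till.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const expected = { issuerId: "issuer-0001", classId: "issuer-0001.loyalty" };
  const state = { revoked: new Set(), spent: new Set() };
  const token = issueToken({ iss: expected.issuerId, classId: expected.classId,
    objectId: "issuer-0001.card-42", jti: "tok-1", exp: 2000 }, privateKey);
  return [1, 2].map(() => validateToken(token, publicKey, expected, state, 1000).reason);
}

console.log(demo()); // [ 'valid', 'replayed' ]
```

In a deployed backend the revoked and spent sets would live in shared storage, so that every till sees the same state.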
VSC Code for server
A starter blueprint for your Visual Studio Code (VSC) app that creates and installs loyalty cards for Apple Wallet and Google Wallet, with support for one-time use tokens.
- Open VSC
- Create/Open source/reop/loyal
- View -> Terminal
- npm init -y
- npm install express dotenv axios jsonwebtoken
Project Structure
loyalty-card-app/
├── src/
│   ├── apple/
│   │   └── generatePkPass.ts
│   ├── google/
│   │   └── createGooglePass.ts
│   ├── tokens/
│   │   └── generateToken.ts
│   ├── routes/
│   │   └── loyaltyRoutes.ts
│   └── server.ts
├── certs/            # Apple Wallet certificates
├── public/           # Static assets (logos, icons)
├── .env
├── package.json
└── README.md
References
Other Material
- See the wiki page State Issued Identifier for some description of the Identifiers that are commonly issued.
- See the wiki page on Government