Difference between revisions of "Mobile Driver's License"

From MgmtWiki
(State Wallets)
(Wallet Spread Sheet)
 
(96 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
User in control of a [[Mobile Driver's License]] and other apps that require high assurance control of credentials.
 
User in control of a [[Mobile Driver's License]] and other apps that require high assurance control of credentials.
 
==Context==
 
==Context==
* [https://www.scytales.com/post/is-a-universal-digital-driving-licence-around-the-corner iPhone and Android solutions] also have [[NFC]], [[QR]], [[Bluetooth]], [[Wifi Aware]] and [[Barcode]] readers technology thoroughly functional
+
* There remains continued confusion about whether a Driver's License is a card used for identification that should not be revoked for any reason other than fraud or an [[Authorization]] to access some resource (like the public roads) that can be revoked at any time.
 +
* The ISO standard 18013-5 focuses exclusively on the original purpose of the driver's license, the authorization of a person to operate a motor vehicle on the public roads. Anecdotal evidence (from Queensland) is that only about 1 in 50 (2%) of the request to show a driver's license correspond to this original purpose.
 +
* [https://www.scytales.com/post/is-a-universal-digital-driving-licence-around-the-corner iPhone and Android solutions] also have [[NFC]], [[QR Code]], [[Bluetooth]], [[Wifi Aware]] and [[QR Code|Barcode]] readers technology thoroughly functional
 
* The wiki page [[Smartphone Wireless]] contains information about the various radio bands used by mDL.
 
* The wiki page [[Smartphone Wireless]] contains information about the various radio bands used by mDL.
 
===Providers===
 
===Providers===
 
A real mix of enterprises that might be involved in the process:
 
A real mix of enterprises that might be involved in the process:
# Registered application provider = The AID of the mdoc consists of the registered application provider identifier (RID) ('A0 00 00 02 48') followed by the proprietary application identifier extension (PIX) (’04 00’). There is a very short non-normative descritpn of application testing in E.14.2. It is not helpful.
+
# Registered application provider = The AID of the mdoc consists of the registered application provider identifier (RID) ('A0 00 00 02 48') followed by the proprietary application identifier extension (PIX) (’04 00’). There is a very short non-normative description of application testing in E.14.2. It is not helpful.
 
#OpenID Provider (OP) 8.3.3.2.2 configuration information comes from the issuing authority OP in a discover process.
 
#OpenID Provider (OP) 8.3.3.2.2 configuration information comes from the issuing authority OP in a discover process.
 
#Master list Provider. The decentralized PKI trust model adopted by the mDL requires a mechanism to distribute and disseminate the set of certification authorities certificates from issuing authorities.  
 
#Master list Provider. The decentralized PKI trust model adopted by the mDL requires a mechanism to distribute and disseminate the set of certification authorities certificates from issuing authorities.  
#Technology provider - provide systems and Apps for issuing authorities to issue mDLs. They appear to be entirely controlled by issuing authority, but also work the mDL verifiers to ensure privancy,
+
#Technology provider - provide systems and Apps for issuing authorities to issue mDLs. They appear to be entirely controlled by issuing authority, but also work the mDL verifiers to ensure privacy,
 
===Comparison with VC & DID===
 
===Comparison with VC & DID===
 +
* The primary difference is that the mDL (and the [[EID]] focus on a direct link from the attributes to the real-world entity, while the DID is just a link to a signing key that requires VC's to get to really-world entities.
 
* From UL https://difdn.slack.com/files/U01M7L5AJQ0/F02FETU43DZ/cs676613_-_digital_credentials_promotion_campaign-white_paper-digital.pdf?origin_team=T4VKPCU00&origin_channel=C4WED8JSH
 
* From UL https://difdn.slack.com/files/U01M7L5AJQ0/F02FETU43DZ/cs676613_-_digital_credentials_promotion_campaign-white_paper-digital.pdf?origin_team=T4VKPCU00&origin_channel=C4WED8JSH
 +
* Theoretically a [[Mobile Driver's License]] could be encoded as described in wiki page [[Verifiable Cred V1.1 Normative]]. The big difference is the dependance of the mDL on [[Public Key Infrastructure]] (PKI) using [[X.509 Certificate]]s.
  
 
==Problems==
 
==Problems==
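Review bot: The added Comparison bullet opens a parenthesis that never closes, "(and the [[EID]] focus on a direct link", so the sentence does not parse as written; close it after [[EID]] and change "really-world" to "real-world". In the other added Comparison bullet "dependance" should be "dependence", and the corrected Technology provider line still ends in a comma and reads "work the mDL verifiers", which looks like a missing "with".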
Line 19: Line 23:
 
# Organizations that accept user private information (aka PII) from the apps may be under state or federal regulations which require meaningful user consent for release. Standards should be written to define what "meaningful user consent" really means.
 
# Organizations that accept user private information (aka PII) from the apps may be under state or federal regulations which require meaningful user consent for release. Standards should be written to define what "meaningful user consent" really means.
 
# The biometric information and signature of the holder is optionally included in the mDL. This is information that should never be released from the person that holds it as is stated in an non-normative appendix. It is meant to be used for activation (C.1.6.4), but that is not described and E.12 says that "the mDL reader may implement biometric comparison of the person presenting the mDL to the portrait." The exact meaning of that last sentence is unclear.
 
# The biometric information and signature of the holder is optionally included in the mDL. This is information that should never be released from the person that holds it as is stated in an non-normative appendix. It is meant to be used for activation (C.1.6.4), but that is not described and E.12 says that "the mDL reader may implement biometric comparison of the person presenting the mDL to the portrait." The exact meaning of that last sentence is unclear.
References.
+
References:
 +
* [https://news.bloomberglaw.com/tech-and-telecom-law/mobile-drivers-licenses-face-privacy-scrutiny-ahead-of-ny-pilot Mobile Driver’s Licenses Face Privacy Scrutiny Ahead of NY Pilot] (2024-02-22) Bloombert Law
 
* [https://www.biometricupdate.com/202105/aclu-urges-hard-questions-on-mdls-to-protect-digital-id-privacy ACLU urges hard questions on mDLs to protect digital ID privacy ]  (2021-05-19)
 
* [https://www.biometricupdate.com/202105/aclu-urges-hard-questions-on-mdls-to-protect-digital-id-privacy ACLU urges hard questions on mDLs to protect digital ID privacy ]  (2021-05-19)
 
* [https://slacker.ro/2020/10/28/privacy-preserving-features-in-the-mobile-driving-license/ Privacy-preserving features in the Mobile Driving License] 2020-10-28 David Zeuthen + 2 (Android Security and Privacy team)
 
* [https://slacker.ro/2020/10/28/privacy-preserving-features-in-the-mobile-driving-license/ Privacy-preserving features in the Mobile Driving License] 2020-10-28 David Zeuthen + 2 (Android Security and Privacy team)
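Review bot: The added Bloomberg Law reference misspells the publisher as "Bloombert Law"; correct it so the citation matches the linked news.bloomberglaw.com source.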
Line 53: Line 58:
 
* [https://ims.ul.com/dangerous-conditions-ahead-navigating-security-issues-mobile-identity Dangerous Conditions Ahead: Navigating Security Issues in Mobile Identity] from UL
 
* [https://ims.ul.com/dangerous-conditions-ahead-navigating-security-issues-mobile-identity Dangerous Conditions Ahead: Navigating Security Issues in Mobile Identity] from UL
 
* C.1.6.5 purports to explain computer security controls without any regard for Zero trust principles. Somehow the network is considered secure if the router is in a locked closet, but the wifi or BLE will be visible to everyone.
 
* C.1.6.5 purports to explain computer security controls without any regard for Zero trust principles. Somehow the network is considered secure if the router is in a locked closet, but the wifi or BLE will be visible to everyone.
 +
 +
===North America===
 +
* [https://www.aamva.org/getmedia/c4fe2a21-91ff-449d-9df3-5a7e33cf3a8e/mDL-Implementation-Guidelines-1-0_2021.pdf Mobile Driver’s License (mDL) Implementation Guidelines Version 1.0] 2021-
 +
* [https://www.aamva.org/mDL-Resources/ AAMVA mDL Resources] including implementations guidelines with extensions to the ISO 18013-5 standard.
  
 
===US Federal Regulations===
 
===US Federal Regulations===
 +
* [https://www.dhs.gov/sites/default/files/publications/privacy-pia-tsa051-digitalidentitytechnologypilots-january2022.pdf Privacy Impact Assessment] for the Travel Document Checker Automation (2022-01-14) -Digital Identity Technology Pilots DHS Reference No. DHS/TSA/PIA-051.
 
* [https://www.federalregister.gov/documents/2021/04/19/2021-07957/minimum-standards-for-drivers-licenses-and-identification-cards-acceptable-by-federal-agencies-for Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver's Licenses] Federal Register 2021-04-19
 
* [https://www.federalregister.gov/documents/2021/04/19/2021-07957/minimum-standards-for-drivers-licenses-and-identification-cards-acceptable-by-federal-agencies-for Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver's Licenses] Federal Register 2021-04-19
 
* [https://www.federalregister.gov/documents/2021/09/16/2021-19812/notification-of-document-availability-and-reopening-of-comment-period-on-request-for-information Notification of Document Availability and Reopening of Comment Period on Request for Information: Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver's Licenses] A Proposed Rule by the Homeland Security Department on 09/16/2021 that includes access to ISO 18013-5 via ANSI.
 
* [https://www.federalregister.gov/documents/2021/09/16/2021-19812/notification-of-document-availability-and-reopening-of-comment-period-on-request-for-information Notification of Document Availability and Reopening of Comment Period on Request for Information: Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver's Licenses] A Proposed Rule by the Homeland Security Department on 09/16/2021 that includes access to ISO 18013-5 via ANSI.
  
 
===State Wallets===
 
===State Wallets===
 +
This section is focused on implementations in North America at present.
 +
* Maryland rolled out mDLs to smartphone users in 2022.60 The credentials are created by taking a photo of the front and back of their physical driver’s license and a short video of themselves, which is then sent to issuing authorities for verification. When the information is verified, the<ref>Jordan Pascale,''Maryland Launches Digital Version Of Driver’s License On IPhon'' DCist, (2022-05-26) https://dcist.com/story/22/05/26/maryland-digital-drivers-license/</ref> individual may add it to their Google or Apple wallets and, where accepted, use it in place of the physical credential
 +
* [https://www.skyharbor.com/media/PressReleases/2022/03/23/tsa-enables-arizona-residents-to-use-mobile-driver-s-license-or-state-id-for-verification-at-phoenix-sky-harbor-international-airport Phoenix AZ Sky Harbor Airport is accepting the AZ mDL at TSA gates.] 2022-03-23. and [https://www.apple.com/newsroom/2022/03/apple-launches-the-first-drivers-license-and-state-id-in-wallet-with-arizona/ Apple's announcement of that.]
 
* [https://www.macrumors.com/2021/10/14/florida-digital-id-apple-wallet-app-plans/ Florida will also use Apple Wallet] 2021-10-14 with a current list of all states supporting apple wallet.
 
* [https://www.macrumors.com/2021/10/14/florida-digital-id-apple-wallet-app-plans/ Florida will also use Apple Wallet] 2021-10-14 with a current list of all states supporting apple wallet.
 +
* Utah was feature in an [https://www.al.com/news/2021/05/mobile-drivers-licenses-pandemic-gives-boost-as-more-states-move-to-digital-ids.html article on the outlooks for mdl] that reported "Ryan Williams, with the Utah Driver's License Division, displays his cellphone with the pilot version of the state's mobile ID on Wednesday, May 5, 2021, in West Valley City, Utah. In Utah, over 100 people have a pilot version of the state's mobile ID, and that number is expected to grow to 10,000 by year's end. Widespread production is expected to begin at the start of 2022."  Pam Dixon, executive director of the World Privacy Forum was quoted saying “Most people want some kind of a hard token for their identity, but I don’t know how long that will last, I would imagine that at some point, maybe in a generation, maybe less, that people will accept a fully digital system.”
 
* [https://www.apple.com/newsroom/2021/09/apple-announces-first-states-to-adopt-drivers-licenses-and-state-ids-in-wallet/ Apple announces first states signed up to adopt driver’s licenses and state IDs in Apple Wallet] 2021-09-01 Arizona, Connecticut, Georgia, Iowa, Kentucky, Maryland, Oklahoma, and Utah are among the first states to bring state IDs and driver’s licenses in Wallet to their residents
 
* [https://www.apple.com/newsroom/2021/09/apple-announces-first-states-to-adopt-drivers-licenses-and-state-ids-in-wallet/ Apple announces first states signed up to adopt driver’s licenses and state IDs in Apple Wallet] 2021-09-01 Arizona, Connecticut, Georgia, Iowa, Kentucky, Maryland, Oklahoma, and Utah are among the first states to bring state IDs and driver’s licenses in Wallet to their residents
* [https://www.wdel.com/news/a-delaware-mobile-id-is-now-a-reality/article_b2089148-80f8-11eb-b913-4b1d47d47021.html A Delaware mobile ID is now a reality] 2021-03-10 The app requires users to capture and upload their physical ID as well as a live selfie to compare against the individual’s file with the Delaware DMV. According to state officials, security features, including strong encryption standards, help fight identity theft. "You don't need passwords or usernames because it's based on your biometrics," said DMV spokesperson Marinah Carver. "You can not use your mobile ID without inputting either your face or your fingerprint. "We're not sharing that data with anyone else, and it can't be accessed through a third party."  In addition to safety, Carver said a contactless ID as part of a digital wallet is also a healthier option in a post-COVID world. The program is voluntary and optional and by law. A person is still required to carry their physical credential as applicable for age and identity verification.  "You can try it for a bit," said Carver. "If it's not for you, you can opt back out. It's certainly not a replacement at this time to your physical credential." Carver said the mobile ID has not yet been accepted in a law enforcement setting. The [https://dmv.de.gov/mobileID/ DVM] offers apps on Apple and Android stores. It allows both a straight scan of the back of the card, or a privacy preserving one of the bar code only from the physical care or a QR code. At the user's discretion.
+
* [https://www.wdel.com/news/a-delaware-mobile-id-is-now-a-reality/article_b2089148-80f8-11eb-b913-4b1d47d47021.html A Delaware mobile ID is now a reality] 2021-03-10 The app requires users to capture and upload their physical ID as well as a live selfie to compare against the individual’s file with the Delaware DMV. According to state officials, security features, including strong encryption standards, help fight identity theft. "You don't need passwords or usernames because it's based on your biometrics," said DMV spokesperson Marinah Carver. "You cannot use your mobile ID without inputting either your face or your fingerprint. "We're not sharing that data with anyone else, and it can't be accessed through a third party."  In addition to safety, Carver said a contactless ID as part of a digital wallet is also a healthier option in a post-COVID world. The program is voluntary and optional and by law. A person is still required to carry their physical credential as applicable for age and identity verification.  "You can try it for a bit," said Carver. "If it's not for you, you can opt back out. It's certainly not a replacement at this time to your physical credential." Carver said the mobile ID has not yet been accepted in a law enforcement setting. The [https://dmv.de.gov/mobileID/ DVM] offers apps on Apple and Android stores. It allows both a straight scan of the back of the card, or a privacy preserving one of the bar codes only from the physical care or a QR code. At the user's discretion.
 
* [https://iowadot.gov/mvd/Mobile-ID Iowa Mobile ID] mID is [https://www.johnsoncitypress.com/idemia-mobile-id-for-iowa-dot-passes-uls-mdl-conformity-assessment/article_733dd8f0-e519-57ec-bfa9-4f4c6efd4a84.html reported by IDEMIA to be the first with UL certification] 2021-03-11.  
 
* [https://iowadot.gov/mvd/Mobile-ID Iowa Mobile ID] mID is [https://www.johnsoncitypress.com/idemia-mobile-id-for-iowa-dot-passes-uls-mdl-conformity-assessment/article_733dd8f0-e519-57ec-bfa9-4f4c6efd4a84.html reported by IDEMIA to be the first with UL certification] 2021-03-11.  
 
* [https://mycolorado.state.co.us/ Award-winning myColorado™ App Offers Residents a Contactless Digital ID] Colorado is the first state in the nation to offer residents the option to electronically transmit digital identification, vehicle registration and proof of insurance to law enforcement. They require the state trooper to show you a QR code first. Interestingly the feature has been extended to allow the phone's camera to scan the QR code, which indicates that the URL just sends the data from the DMV to the trooper's computer. After that the user has the option to give the cop what she wants, or dig out the paper version of all 3 documents. The business use of the mDL is a simple display of the back of the physical DL on the screen of the phone so the merchants can scan the 2d barcode in the same way as with the physical DL. It appears that Colorado was involved in app development at some level. Users add their identification in the myColorado app by taking a selfie with the in-app camera as well as a photo of their physical driver’s license or state ID. Several authentication points, including the selfie, the physical card’s bar code and the resident’s phone number are then verified against Division of Motor Vehicles records. The state government is using an identity verification and management platform from Ping Identity Holding Corp., which is based in Denver. The development of Colorado’s digital-ID application started in early 2019 and has cost about $800,000. Much of the effort has involved interacting with state agencies and merchants on features and adoption. Theresa Szczurek has been Colorado’s chief information officer since January 2020. “We discovered that proof of identification without carrying the wallet was really the killer app,” said Ms. Szczurek, who was chief executive of Radish Systems LLC for nine years before becoming state CIO in January. Radish, based in Boulder, Colo., sells software that integrates visuals into phone calls.
 
* [https://mycolorado.state.co.us/ Award-winning myColorado™ App Offers Residents a Contactless Digital ID] Colorado is the first state in the nation to offer residents the option to electronically transmit digital identification, vehicle registration and proof of insurance to law enforcement. They require the state trooper to show you a QR code first. Interestingly the feature has been extended to allow the phone's camera to scan the QR code, which indicates that the URL just sends the data from the DMV to the trooper's computer. After that the user has the option to give the cop what she wants, or dig out the paper version of all 3 documents. The business use of the mDL is a simple display of the back of the physical DL on the screen of the phone so the merchants can scan the 2d barcode in the same way as with the physical DL. It appears that Colorado was involved in app development at some level. Users add their identification in the myColorado app by taking a selfie with the in-app camera as well as a photo of their physical driver’s license or state ID. Several authentication points, including the selfie, the physical card’s bar code and the resident’s phone number are then verified against Division of Motor Vehicles records. The state government is using an identity verification and management platform from Ping Identity Holding Corp., which is based in Denver. The development of Colorado’s digital-ID application started in early 2019 and has cost about $800,000. Much of the effort has involved interacting with state agencies and merchants on features and adoption. Theresa Szczurek has been Colorado’s chief information officer since January 2020. “We discovered that proof of identification without carrying the wallet was really the killer app,” said Ms. Szczurek, who was chief executive of Radish Systems LLC for nine years before becoming state CIO in January. Radish, based in Boulder, Colo., sells software that integrates visuals into phone calls.
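Review bot: The added Maryland bullet carries citation residue from its source: "in 2022.60 The credentials" has a stray footnote number fused to the year, and the <ref> sits mid-sentence between "the" and "individual", so the rendered footnote marker will split the clause; drop the "60" and move the <ref> to the end of the sentence. In the same hunk the ref title is cut off at "IPhon", the AAMVA guidelines entry ends in an unfinished date "2021-", the Utah bullet says "was feature in", and the Delaware edit changes "bar code" to "bar codes" while leaving "physical care" and "DVM" uncorrected.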
Line 70: Line 84:
 
* [https://www.blogto.com/tech/2020/10/ontario-phones-physical-id/ Ontario program] with potential to eliminate our need to carry around physical health cards, driver's licenses and other forms of provincially-issued ID.  blogTO (2020-11)
 
* [https://www.blogto.com/tech/2020/10/ontario-phones-physical-id/ Ontario program] with potential to eliminate our need to carry around physical health cards, driver's licenses and other forms of provincially-issued ID.  blogTO (2020-11)
  
 +
===Wallet Spread Sheet===
  
Note that some of these organizations are just associations of large [[Enterprise]]s.
 
  
 
{|border="1" padding="2" width="799px"
 
{|border="1" padding="2" width="799px"
| State || Code || Provider || ISO || Notes  
+
| State || Code || Provider || ISO || Notes  
 +
|-
 
|-
 
|-
 +
| ALABAMA|| AL|| Idemia || ||  eID - [https://abc3340.com/news/local/alabamas-digital-drivers-license-what-you-need-to-know has been around since 2015 w/o much use]
 
|-
 
|-
|ALABAMA|| AL
+
|ALASKA ||AK|| || ||  
 
|-
 
|-
|ALASKA ||AK
+
|AMERICAN SAMOA||AS|| || ||  
 
|-
 
|-
|AMERICAN SAMOA||AS
+
|[https://azdot.gov/motor-vehicles/driver-services/mobile-id ARIZONA] ||AZ || Idemia on Apple || yes || MID 2021-03 - accepted by TSA at Sky Harbor 2022-03-23 [https://na.idemia.com/dmv/mobile-id/ mobile ID app]
 
|-
 
|-
|[https://azdot.gov/motor-vehicles/driver-services/mobile-id ARIZONA]||AZ || Idemia || yes || MID - scans CARD
+
|ARKANSAS||AR || || || authorized Digital copy for $10
 
|-
 
|-
|ARKANSAS||AR
+
|CALIFORNIA || CA ||[https://www.dmv.ca.gov/portal/ca-dmv-wallet/ own app] that's [https://blog.spruceid.com/spruceid-partners-with-ca-dmv-on-mdl/ dev @ Spruce]||yes + PoA || California is currently running a pilot for [https://cdt.ca.gov/digitalid/ California’s Digital ID Project] rolled out mid 2023 FREE to all
 
|-
 
|-
|CALIFORNIA ||CA
+
|COLORADO || CO || Thales pilot|| not at first ||[https://mycolorado.gov/colorado-digital-id myColorado] is a state-sponsored app that offers proof of identification, age, and address within the state. By 2022-10 they included Apple (ISO?)
 
|-
 
|-
|COLORADO || || || no
+
|CONNECTICUT || CT|| || || Connecticut is working with Apple to develop virtual IDs 2022
 
|-
 
|-
|CONNECTICUT CT
+
|DELAWARE || DE || Idemia || yes || MID - holder MUST be able to present physical card on request
 
|-
 
|-
|DELAWARE || DE || Idemia || yes || MID - scans CARD
+
|DISTRICT OF COLUMBIA|| DC|| || ||  
 
|-
 
|-
|DISTRICT OF COLUMBIA|| DC
+
|FEDERATED STATES OF MICRONESIA||FM|| || ||  
 
|-
 
|-
|FEDERATED STATES OF MICRONESIA||FM
+
|FLORIDA || FL || [https://www.thalesgroup.com/en/markets/digital-identity-and-security/government/driving-licence/digital-driver-license Thales] || || Apple Wallet - Ron Hurtibise South Florida Sun Sentinel 2023-04-02 Very little use - card still required
 
|-
 
|-
|FLORIDA FL
+
|GEORGIA || GA||  Apple ||yes || [https://www.iphonelife.com/content/how-to-add-drivers-license-to-apple-wallet Apple Wallet] and [https://dds.georgia.gov/georgia-licenseid/ga-digital-drivers-license TSA acceptance (2023-05-18)]
 
|-
 
|-
|GEORGIA GA
+
|GUAM || GU|| || ||
 
|-
 
|-
|GUAM GU
+
|HAWAII || HI|| || || apple later
 
|-
 
|-
|HAWAII HI
+
|IDAHO || ID|| || ||
 
|-
 
|-
||DAHO ID
+
|ILLINOIS || IL|| || ||  
 
|-
 
|-
||LLINOIS IL
+
|INDIANA || IN|| || ||  
 
|-
 
|-
||NDIANA IN
+
| IOWA || IA ||Iowa Mobile ID app by Idemia || || 2023-08-29 '''with TSAPreCheck''' can present ID on phone when departing from @fly_CID and @dsmairport = Apple later
 
|-
 
|-
||OWA IA
+
|KANSAS || KS|| || ||  
 
|-
 
|-
|KANSAS KS
+
|KENTUCKY || KY|| || || Apple later 2022
 
|-
 
|-
|KENTUCKY KY
+
|LOUISIANA || LA|| home-grown both holder and verifier ||claims yes || LA Wallet cost user $6 + fee on verification - very high penetration of market- includes VAX status
 
|-
 
|-
|LOUISIANA LA
+
|MAINE || ME|| || ||
 
|-
 
|-
|MAINE ME
+
|MARSHALL ISLANDS || MH|| || ||
 
|-
 
|-
|MARSHALL ISLANDS MH
+
|MARYLAND || MD|| Thales pilot on Apple & Google ||yes||Early with Apple - [https://www.theverge.com/2022/12/15/23510774/google-digital-state-id-cards-android-13-wallet-app-maryland 2022-12-15 testing with Google]
 
|-
 
|-
|MARYLAND MD
+
|MASSACHUSETTS || MA|| || ||
 
|-
 
|-
|MASSACHUSETTS MA
+
|MICHIGAN || MI|| || ||
 
|-
 
|-
|MICHIGAN MI
+
|MINNESOTA || MN|| || ||
 
|-
 
|-
|MINNESOTA MN
+
|MISSISSIPPI || MS|| Idemia|| || Apple later
 
|-
 
|-
|MISSISSIPPI MS
+
|MISSOURI || MO|| || ||
 
|-
 
|-
|MISSOURI MO
+
|MONTANA || MT|| || ||
 
|-
 
|-
|MONTANA MT
+
||NEBRASKA || NE|| || ||
 
|-
 
|-
 +
|NEVADA || NV|| || ||
 
|-
 
|-
||NEBRASKA NE
+
|NEW HAMPSHIRE || NH|| || ||  
 
|-
 
|-
|NEVADA NV
+
|NEW JERSEY || NJ|| || ||
 
|-
 
|-
|NEW HAMPSHIRE NH
+
|NEW MEXICO || NM|| || ||
 
|-
 
|-
|NEW JERSEY NJ
+
|NEW YORK || NY||proprietary or maybe [https://news.bloomberglaw.com/tech-and-telecom-law/mobile-drivers-licenses-face-privacy-scrutiny-ahead-of-ny-pilot Idemia]? ||no ||  [https://www.news10.com/news/ny-news/nys-wallet-app-to-shut-down-what-will-happen-to-covid-19-vaccine-digital-passes/ Excelsior Pass Plus and NYS Wallet Apps discontinued 2023-07-28]
 
|-
 
|-
|NEW MEXICO NM
+
|NORTH CAROLINA || NC|| || ||
 
|-
 
|-
|NEW YORK NY
+
|NORTH DAKOTA || ND|| || ||
 
|-
 
|-
|NORTH CAROLINA NC
+
|NORTHERN MARIANA ISLANDS || MP|| || ||
 
|-
 
|-
|NORTH DAKOTA ND
+
|OHIO || OH|| || || [https://mail.google.com/mail/u/0/#inbox/FMfcgzGrbHnhdQPkFQjBkCFzBwxJtjWR?projector=1&messagePartId=0.1 Legislation introduced 22-09-27] working with apple 2022
 
|-
 
|-
|NORTHERN MARIANA ISLANDS MP
+
|OKLAHOMA || OK || Idemia || yes || MID 2019 - scans CARD - Apple later
 
|-
 
|-
|OHIO OH
+
|OREGON || OR|| || ||
 
|-
 
|-
|OKLAHOMA || OK || Idemia || yes || MID - scans CARD
+
|PALAU || PW|| || ||  
 
|-
 
|-
|OREGON OR
+
|PENNSYLVANIA || PA|| || ||
 
|-
 
|-
|PALAU PW
+
|PUERTO RICO || PR|| || || Apple later
 
|-
 
|-
|PENNSYLVANIA PA
+
|RHODE ISLAND || RI|| || ||
 
|-
 
|-
|PUERTO RICO PR
+
|SOUTH CAROLINA|| SC|| || ||
 
|-
 
|-
|RHODE ISLAND RI
+
|SOUTH DAKOTA || SD|| || ||
 
|-
 
|-
|SOUTH CAROLINA|| SC
+
|TENNESSEE || TN || || || HB556 in 2015 - RFP 2020-12
 
|-
 
|-
|SOUTH DAKOTA SD
+
|TEXAS || TX|| || ||
 
|-
 
|-
|TENNESSEE TN
+
|UTAH || UT|| [https://getgroupna.com/solutions/mobileid/ GET] & [https://www.scytales.com/ Scytales]|| yes || Apple later - [https://dpsnews.utah.gov/select-utah-state-liquor-store-locations-to-begin-accepting-mobile-drivers-licenses-to-confirm-legal-age-for-alcohol-purchases/ test mdl in Alcohol purchases] You can use it at Salt Lake Airport (SLC) when TSA PreCheck verifies your identity (2023-03-01) Apple later
 
|-
 
|-
|TEXAS TX
+
|VERMONT || VT|| || ||
 
|-
 
|-
|UTAH UT
+
|VIRGIN ISLANDS || VI|| || ||
 
|-
 
|-
|VERMONT VT
+
|VIRGINIA || VA|| || ||
 
|-
 
|-
|VIRGIN ISLANDS VI
+
|WASHINGTON || WA|| || || [https://www.geekwire.com/2023/new-bill-aims-to-allow-digital-drivers-licenses-in-washington-state/ bill aims to allow digital driver’s licenses in Washington state] 2023-01 = [https://idscan.net/state-digital-id/washington-mobile-drivers-licenses-soon-to-come/ (DOL) is actively assessing technical infrastructure to maximize interoperability, utility, and privacy protection for mDLs]
 
|-
 
|-
|VIRGINIA || VA
+
|WEST VIRGINIA || WV|| || ||
 
|-
 
|-
|WASHINGTON || WA
+
|WISCONSIN || WI|| || ||  
 
|-
 
|-
|WEST VIRGINIA || WV
+
|WYOMING || WY|| Thales pilot || ||  
 
|-
 
|-
|WISCONSIN || WI
+
|Province/Territory || Abbreviation
 
|-
 
|-
|WYOMING || WY
+
|BRITISH COLUMBIA || BC|| || ||  
 
|-
 
|-
|Province/Territory Abbreviation
+
|ALBERTA || AB|| || ||
 
|-
 
|-
|BRITISH COLUMBIA || BC
+
|SASKATCHEWAN || SK|| || ||  
 
|-
 
|-
|ALBERTA || AB
+
|MANITOBA || MB|| || ||  
 
|-
 
|-
|SASKATCHEWAN || SK
+
|ONTARIO || ON|| || || [https://www.blogto.com/tech/2020/10/ontario-phones-physical-id/ Announced future plans]
 
|-
 
|-
|MANITOBA || MB
+
|QUEBEC || QC|| || ||  
 
|-
 
|-
|ONTARIO || ON
+
|NEW BRUNSWICK || NB|| || ||  
 
|-
 
|-
|QUEBE || QC
+
|NOVA SCOTIA || NS|| || ||  
 
|-
 
|-
|NEW BRUNSWICK || NB
+
|PRINCE EDWARD ISLAND || PE|| || ||  
 
|-
 
|-
|NOVA SCOTIA || NS
+
|NEWFOUNDLAND || NF|| || ||  
 
|-
 
|-
|PRINCE EDWARD ISLAND || PE
+
|NORTHWEST TERRITORIES || NT|| || ||  
 
|-
 
|-
|NEWFOUNDLAND || NF
+
|YUKON ||YT|| || ||  
 
|-
 
|-
|NORTHWEST TERRITORIES || NT
+
|[https://www.nsw.gov.au/projects/digital-driver-licence New South Wales] ||NSW||thales || ||3.9 million opt-in to mDL 2022 [https://blog.dvuln.com/blogs/servicensw-digital-superbad But Problems detected early] Also [https://news.ycombinator.com/item?id=21471091 lots of blog chatter about apple & google]
 
|-
 
|-
|YUKON ||YT
+
|Ukraine || || || ||First implementation to not require a plastic card as well 22-12-09
 
|}
 
|}
  
 
===User Problems===
 
===User Problems===
# Why is there no way to validate [scan] the QR code I was given?
+
Q indicates a question from a real user.
 +
# Q Why is there no way to validate [scan] the QR code I was given?
 +
# Navigating to Apple Store from Google on a PC hangs.
 +
# At a minimum your mobile phone number is known to the State DMV/MID.
 +
# The Idemia apps scan the physical card and allow the user to display the front or the bar code from the back of the card. (Not part of ISO as of 2022.)
 +
# The current process is a long back and forth (user facing / verifier facing) process. (not the tap and go experience expected.)
 +
## Open the Mobile ID app.
 +
## Go to the "Me"/home screen.
 +
## Tap the "Share" icon next to "Generate privacy code."
 +
## Present the QR code for scanning to initiate the connection with the verifying device.
 +
## Accept (or Decline) the request to share information under "IDs."
  
 
==References==
 
==References==
 +
<references />
 +
===Other Material===
 +
* [https://upgradedpoints.com/travel/digital-drivers-licenses/ Everything You Need To Know About Digital Driver’s Licenses (2023)]
 +
* [https://www.statista.com/statistics/198029/total-number-of-us-licensed-drivers-by-state/ Number of driver's licenses per state.]
 
* [https://wiki.idesg.org/wiki/index.php/Mobile_Driver%27s_License#References IDESG / Kantara wiki on mDL]
 
* [https://wiki.idesg.org/wiki/index.php/Mobile_Driver%27s_License#References IDESG / Kantara wiki on mDL]
 
* [[Mobile Driver's License Presentation]] maps [[ISO 18013-5]] wallet presentation to [https://identity.foundation/presentation-exchange/spec/v1.0.0/ DIF Presentation Exchange].
 
* [[Mobile Driver's License Presentation]] maps [[ISO 18013-5]] wallet presentation to [https://identity.foundation/presentation-exchange/spec/v1.0.0/ DIF Presentation Exchange].
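Review bot: The added OHIO row links "Legislation introduced 22-09-27" to a mail.google.com inbox URL, which only resolves inside the editor's own mailbox and publishes a message identifier; replace it with a public source for the legislation. Elsewhere in the table, "||NEBRASKA" starts with a doubled pipe that adds an empty leading cell, the "|Province/Territory || Abbreviation" row has two cells in a five-column table, and the New South Wales and Ukraine rows are appended after YUKON with no separating row of their own.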
Line 232: Line 263:
 
* [https://getgroupna.com/solutions/mobileid/ GET Group Mobile Driver's License]
 
* [https://getgroupna.com/solutions/mobileid/ GET Group Mobile Driver's License]
 
* [https://www.securetechalliance.org/wp-content/uploads/Mobile-Drivers-License-WP-FINAL-Update-March-2020-4.pdf The Mobile Driver’s License (mDL) and Ecosystem] Secure Technology Alliance 2020-03
 
* [https://www.securetechalliance.org/wp-content/uploads/Mobile-Drivers-License-WP-FINAL-Update-March-2020-4.pdf The Mobile Driver’s License (mDL) and Ecosystem] Secure Technology Alliance 2020-03
 +
* Also see the wiki page [[MDL Considered Harmful]] for a list of some of the challenges faces by the mDL.
  
 
[[Category: Glossary]]
 
[[Category: Glossary]]
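Review bot: the added "Also see" line has a typo: "a list of some of the challenges faces by the mDL" should read "challenges faced by the mDL".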
Line 237: Line 269:
 
[[Category: Identifier]]
 
[[Category: Identifier]]
 
[[Category: Mobile]]
 
[[Category: Mobile]]
 +
[[Category: Credential]]
 +
[[Category: Legislation]]

Latest revision as of 18:07, 24 February 2024

Full Title

User in control of a Mobile Driver's License and other apps that require high assurance control of credentials.

Context

  • There remains continued confusion about whether a Driver's License is a card used for identification that should not be revoked for any reason other than fraud or an Authorization to access some resource (like the public roads) that can be revoked at any time.
  • The ISO standard 18013-5 focuses exclusively on the original purpose of the driver's license, the authorization of a person to operate a motor vehicle on the public roads. Anecdotal evidence (from Queensland) is that only about 1 in 50 (2%) of the requests to show a driver's license correspond to this original purpose.
  • iPhone and Android solutions also have thoroughly functional NFC, QR Code, Bluetooth, Wifi Aware and Barcode reader technology.
  • The wiki page Smartphone Wireless contains information about the various radio bands used by mDL.

Providers

A real mix of enterprises that might be involved in the process:

  1. Registered application provider = The AID of the mdoc consists of the registered application provider identifier (RID) ('A0 00 00 02 48') followed by the proprietary application identifier extension (PIX) ('04 00'). There is a very short non-normative description of application testing in E.14.2. It is not helpful.
  2. OpenID Provider (OP) 8.3.3.2.2 configuration information comes from the issuing authority OP in a discovery process.
  3. Master list Provider. The decentralized PKI trust model adopted by the mDL requires a mechanism to distribute and disseminate the set of certification authority certificates from issuing authorities.
  4. Technology provider - provides systems and apps for issuing authorities to issue mDLs. They appear to be entirely controlled by the issuing authority, but also work with the mDL verifiers to ensure privacy.

Comparison with VC & DID

Problems

State issued driver's licenses in North America have morphed into the default identity credential for residents whether by design or by circumstance. While it might seem to be helpful to try to break the problem down into the original purpose first, that is no longer an option. Even states that seek to create mobile versions of their own driver's licenses need to address the other purposes that existing legislation requires, such as control of alcohol and prescription medicines among many other existing purposes. So this section takes the practical view about what must be supported on day one of the availability of mobile state issued identification documents, aka driver's licenses.

Privacy

  1. States are sovereign, which means that they are not liable for any action where they have not accepted liability. Current practice indicates that mobile driver's licenses will only be available on smart phone apps that are supplied by the state and typically written under contract by in-state vendors. Any impact on these apps can only be enforced if the states choose to do so. Still, the states are wont to accept standards written to address these apps, and so it would be good to see such standards approved for use.
  2. Organizations that accept user private information (aka PII) from the apps may be under state or federal regulations which require meaningful user consent for release. Standards should be written to define what "meaningful user consent" really means.
  3. The biometric information and signature of the holder are optionally included in the mDL. This is information that should never be released from the person that holds it, as is stated in a non-normative appendix. It is meant to be used for activation (C.1.6.4), but that is not described, and E.12 says that "the mDL reader may implement biometric comparison of the person presenting the mDL to the portrait." The exact meaning of that last sentence is unclear.

References:

Authenticity

  1. Apps can be created that mimic Mobile Driver's Licenses and either fool the user or are intended to allow the user to fool the acceptor of the data. Where legal obligations exist to check the authenticity of user provided data, it is likely that apps will need to prove their authenticity to the reader. Specifications for proving authenticity should be written. Kantara currently has an implementer's draft of such an assurance statement.
  2. States are likely to require that smartphone apps meet certain criteria and are wont to accept existing specifications rather than write their own.
  3. Readers of Mobile Driver's Licenses were imagined in the ISO 18013-5 standard to be certified. Specifications for the certification of readers that meet privacy and identity requirements are needed.
  4. In an ideal world the Mobile Driver's License would not even respond to requests for data from readers that were not certified.

Solutions

Android

Apple iOS

Testing

Connection Protocols

The language for defining the mDL is RFC 8610 CDDL. Occurrence is the one oddity. It is (1) one of the characters "?" (optional), "*" (zero or more), or "+" (one or more) or (2) of the form n*m for min and max. Also "tstr" = text string and "bstr" = byte string, and tdate is something like 1985-04-12T23:20:50.52Z.
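The occurrence rule described above can be checked mechanically. The following is an added example, not code from this wiki or from ISO 18013-5: it parses a CDDL occurrence indicator into a (min, max) pair and checks a list of values against a one-line rule such as `1*2 tdate`. It goes slightly beyond the text in that RFC 8610 allows either bound of `n*m` to be omitted; the function names and the sample values are constructed for illustration.

```python
import re
from datetime import datetime

# RFC 8610 occurrence: "?", "+", or [n] "*" [m] where either bound may be omitted.
_OCCUR = re.compile(r"^(?:(\?)|(\+)|(\d*)\*(\d*))$")
# tdate: RFC 3339 date-time text such as 1985-04-12T23:20:50.52Z
_TDATE = re.compile(
    r"^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)$")

def parse_occurrence(indicator):
    """Map an occurrence indicator to (min, max); max None means unbounded."""
    if indicator == "":              # no indicator: exactly one
        return (1, 1)
    m = _OCCUR.match(indicator)
    if not m:
        raise ValueError(f"not a CDDL occurrence indicator: {indicator!r}")
    if m.group(1):                   # "?" optional
        return (0, 1)
    if m.group(2):                   # "+" one or more
        return (1, None)
    lo = int(m.group(3)) if m.group(3) else 0      # "*" or "n*m"
    hi = int(m.group(4)) if m.group(4) else None
    if hi is not None and hi < lo:   # can never match; this example rejects it
        raise ValueError(f"max below min in {indicator!r}")
    return (lo, hi)

def is_tdate(value):
    """True for a text string carrying a valid RFC 3339 date-time."""
    m = _TDATE.match(value) if isinstance(value, str) else None
    if not m:
        return False
    try:
        datetime(*(int(g) for g in m.groups()))    # rejects month 13, day 40, ...
        return True
    except ValueError:
        return False

TYPES = {
    "tstr": lambda v: isinstance(v, str),      # text string
    "bstr": lambda v: isinstance(v, bytes),    # byte string
    "tdate": is_tdate,
}

def check(rule, values):
    """rule is '<occurrence> <type>' or just '<type>', e.g. '1*2 tdate'."""
    parts = rule.split()
    indicator, typ = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
    lo, hi = parse_occurrence(indicator)
    count_ok = len(values) >= lo and (hi is None or len(values) <= hi)
    return count_ok and all(TYPES[typ](v) for v in values)

if __name__ == "__main__":
    # Constructed sample values, not taken from a real mDL.
    print(check("? bstr", []), check("+ tstr", []),
          check("1*2 tdate", ["1985-04-12T23:20:50.52Z"]))
```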

Security

North America

US Federal Regulations

State Wallets

This section is focused on implementations in North America at present.

  • Maryland rolled out mDLs to smartphone users in 2022. The credentials are created by taking a photo of the front and back of the user's physical driver’s license and a short video of the user, which is then sent to issuing authorities for verification. When the information is verified, the[1] individual may add it to their Google or Apple wallets and, where accepted, use it in place of the physical credential.
  • Phoenix AZ Sky Harbor Airport is accepting the AZ mDL at TSA gates. 2022-03-23. and Apple's announcement of that.
  • Florida will also use Apple Wallet 2021-10-14 with a current list of all states supporting apple wallet.
  • Utah was featured in an article on the outlook for mDL that reported "Ryan Williams, with the Utah Driver's License Division, displays his cellphone with the pilot version of the state's mobile ID on Wednesday, May 5, 2021, in West Valley City, Utah. In Utah, over 100 people have a pilot version of the state's mobile ID, and that number is expected to grow to 10,000 by year's end. Widespread production is expected to begin at the start of 2022." Pam Dixon, executive director of the World Privacy Forum was quoted saying “Most people want some kind of a hard token for their identity, but I don’t know how long that will last, I would imagine that at some point, maybe in a generation, maybe less, that people will accept a fully digital system.”
  • Apple announces first states signed up to adopt driver’s licenses and state IDs in Apple Wallet 2021-09-01 Arizona, Connecticut, Georgia, Iowa, Kentucky, Maryland, Oklahoma, and Utah are among the first states to bring state IDs and driver’s licenses in Wallet to their residents
  • A Delaware mobile ID is now a reality 2021-03-10 The app requires users to capture and upload their physical ID as well as a live selfie to compare against the individual’s file with the Delaware DMV. According to state officials, security features, including strong encryption standards, help fight identity theft. "You don't need passwords or usernames because it's based on your biometrics," said DMV spokesperson Marinah Carver. "You cannot use your mobile ID without inputting either your face or your fingerprint." "We're not sharing that data with anyone else, and it can't be accessed through a third party." In addition to safety, Carver said a contactless ID as part of a digital wallet is also a healthier option in a post-COVID world. The program is voluntary and optional, and by law a person is still required to carry their physical credential as applicable for age and identity verification. "You can try it for a bit," said Carver. "If it's not for you, you can opt back out. It's certainly not a replacement at this time to your physical credential." Carver said the mobile ID has not yet been accepted in a law enforcement setting. The DMV offers apps on the Apple and Android stores. The app allows both a straight scan of the back of the card, or a privacy preserving one of the bar codes only from the physical card or a QR code, at the user's discretion.
  • Iowa Mobile ID mID is reported by IDEMIA to be the first with UL certification 2021-03-11.
  • Award-winning myColorado™ App Offers Residents a Contactless Digital ID Colorado is the first state in the nation to offer residents the option to electronically transmit digital identification, vehicle registration and proof of insurance to law enforcement. They require the state trooper to show you a QR code first. Interestingly the feature has been extended to allow the phone's camera to scan the QR code, which indicates that the URL just sends the data from the DMV to the trooper's computer. After that the user has the option to give the cop what she wants, or dig out the paper version of all 3 documents. The business use of the mDL is a simple display of the back of the physical DL on the screen of the phone so the merchants can scan the 2d barcode in the same way as with the physical DL. It appears that Colorado was involved in app development at some level. Users add their identification in the myColorado app by taking a selfie with the in-app camera as well as a photo of their physical driver’s license or state ID. Several authentication points, including the selfie, the physical card’s bar code and the resident’s phone number are then verified against Division of Motor Vehicles records. The state government is using an identity verification and management platform from Ping Identity Holding Corp., which is based in Denver. The development of Colorado’s digital-ID application started in early 2019 and has cost about $800,000. Much of the effort has involved interacting with state agencies and merchants on features and adoption. Theresa Szczurek has been Colorado’s chief information officer since January 2020. “We discovered that proof of identification without carrying the wallet was really the killer app,” said Ms. Szczurek, who was chief executive of Radish Systems LLC for nine years before becoming state CIO in January. Radish, based in Boulder, Colo., sells software that integrates visuals into phone calls.
  • Identity Services for myColorado™ Mobile App Powered by Ping Identity report from PING dated 2019-11-12.
  • Louisiana adds vaccine status to digital driver’s License App 2021-05-07
  • NBC News reports that Calvin Fabre, president of Envoc, a software firm in Baton Rouge, Louisiana, that helped develop a mobile app to display digital driver's licenses in Louisiana, said most drivers under 40 won't go back home if they forget their plastic license — "but if they forget their phone, they always turn around." It looks like Envoc programs in .NET and Xamarin.
  • Wyoming is piloting a digital driver's license (https://www.govtech.com/news/Digital-Drivers-License-Pilot-Comes-to-Wyoming.html) based on Gemalto technology (2017-10-05) for only 100 people. The app isn’t connected to the Internet, so there’s virtually no risk of someone tracking a user’s whereabouts or personal information based on when they open the license, said Steve Purdy, Gemalto’s vice president of state government programs. In order to enter the app, people have to enter a five-digit password or use fingerprint identification. “All it does is show your photo and whether or not you’re 21,” Purdy said. Gemalto provides the existing card license to WY.
  • Ontario program with potential to eliminate our need to carry around physical health cards, driver's licenses and other forms of provincially-issued ID. blogTO (2020-11)

Wallet Spread Sheet

State Code Provider ISO Notes
ALABAMA AL Idemia eID - has been around since 2015 w/o much use
ALASKA AK
AMERICAN SAMOA AS
ARIZONA AZ Idemia on Apple yes MID 2021-03 - accepted by TSA at Sky Harbor 2022-03-23 mobile ID app
ARKANSAS AR authorized Digital copy for $10
CALIFORNIA CA own app that's dev @ Spruce yes + PoA California is currently running a pilot for California’s Digital ID Project rolled out mid 2023 FREE to all
COLORADO CO Thales pilot not at first myColorado is a state-sponsored app that offers proof of identification, age, and address within the state. By 2022-10 they included Apple (ISO?)
CONNECTICUT CT Connecticut is working with Apple to develop virtual IDs 2022
DELAWARE DE Idemia yes MID - holder MUST be able to present physical card on request
DISTRICT OF COLUMBIA DC
FEDERATED STATES OF MICRONESIA FM
FLORIDA FL Thales Apple Wallet - Ron Hurtibise South Florida Sun Sentinel 2023-04-02 Very little use - card still required
GEORGIA GA Apple yes Apple Wallet and TSA acceptance (2023-05-18)
GUAM GU
HAWAII HI apple later
IDAHO ID
ILLINOIS IL
INDIANA IN
IOWA IA Iowa Mobile ID app by Idemia 2023-08-29 with TSAPreCheck can present ID on phone when departing from @fly_CID and @dsmairport = Apple later
KANSAS KS
KENTUCKY KY Apple later 2022
LOUISIANA LA home-grown both holder and verifier claims yes LA Wallet cost user $6 + fee on verification - very high penetration of market- includes VAX status
MAINE ME
MARSHALL ISLANDS MH
MARYLAND MD Thales pilot on Apple & Google yes Early with Apple - 2022-12-15 testing with Google
MASSACHUSETTS MA
MICHIGAN MI
MINNESOTA MN
MISSISSIPPI MS Idemia Apple later
MISSOURI MO
MONTANA MT
NEBRASKA NE
NEVADA NV
NEW HAMPSHIRE NH
NEW JERSEY NJ
NEW MEXICO NM
NEW YORK NY proprietary or maybe Idemia? no Excelsior Pass Plus and NYS Wallet Apps discontinued 2023-07-28
NORTH CAROLINA NC
NORTH DAKOTA ND
NORTHERN MARIANA ISLANDS MP
OHIO OH Legislation introduced 22-09-27 working with apple 2022
OKLAHOMA OK Idemia yes MID 2019 - scans CARD - Apple later
OREGON OR
PALAU PW
PENNSYLVANIA PA
PUERTO RICO PR Apple later
RHODE ISLAND RI
SOUTH CAROLINA SC
SOUTH DAKOTA SD
TENNESSEE TN HB556 in 2015 - RFP 2020-12
TEXAS TX
UTAH UT GET & Scytales yes Apple later - test mdl in Alcohol purchases You can use it at Salt Lake Airport (SLC) when TSA PreCheck verifies your identity (2023-03-01) Apple later
VERMONT VT
VIRGIN ISLANDS VI
VIRGINIA VA
WASHINGTON WA bill aims to allow digital driver’s licenses in Washington state 2023-01 = (DOL) is actively assessing technical infrastructure to maximize interoperability, utility, and privacy protection for mDLs
WEST VIRGINIA WV
WISCONSIN WI
WYOMING WY Thales pilot
Province/Territory Abbreviation
BRITISH COLUMBIA BC
ALBERTA AB
SASKATCHEWAN SK
MANITOBA MB
ONTARIO ON Announced future plans
QUEBEC QC
NEW BRUNSWICK NB
NOVA SCOTIA NS
PRINCE EDWARD ISLAND PE
NEWFOUNDLAND NF
NORTHWEST TERRITORIES NT
YUKON YT
New South Wales NSW thales 3.9 million opt-in to mDL 2022 But Problems detected early Also lots of blog chatter about apple & google
Ukraine First implementation to not require a plastic card as well 22-12-09

User Problems

Q indicates a question from a real user.

  1. Q Why is there no way to validate [scan] the QR code I was given?
  2. Navigating to Apple Store from Google on a PC hangs.
  3. At a minimum your mobile phone number is known to the State DMV/MID.
  4. The Idemia apps scan the physical card and allow the user to display the front or the bar code from the back of the card. (Not part of ISO as of 2022.)
  5. The current process is a long back and forth (user facing / verifier facing) process. (not the tap and go experience expected.)
    1. Open the Mobile ID app.
    2. Go to the "Me"/home screen.
    3. Tap the "Share" icon next to "Generate privacy code."
    4. Present the QR code for scanning to initiate the connection with the verifying device.
    5. Accept (or Decline) the request to share information under "IDs."

References

  1. Jordan Pascale, Maryland Launches Digital Version Of Driver’s License On IPhon, DCist (2022-05-26) https://dcist.com/story/22/05/26/maryland-digital-drivers-license/

Other Material