Mobile Driver's License

From MgmtWiki
Jump to: navigation, search

Full Title

User in control of a Mobile Driver's License and other apps that require high assurance control of credentials.

Context

Providers

A real mix of enterprises that might be involved in the process:

  1. Registered application provider = The AID of the mdoc consists of the registered application provider identifier (RID) ('A0 00 00 02 48') followed by the proprietary application identifier extension (PIX) (’04 00’). There is a very short non-normative descritpn of application testing in E.14.2. It is not helpful.
  2. OpenID Provider (OP) 8.3.3.2.2 configuration information comes from the issuing authority OP in a discover process.
  3. Master list Provider. The decentralized PKI trust model adopted by the mDL requires a mechanism to distribute and disseminate the set of certification authorities certificates from issuing authorities.
  4. Technology provider - provide systems and Apps for issuing authorities to issue mDLs. They appear to be entirely controlled by issuing authority, but also work the mDL verifiers to ensure privancy,

Comparison with VC & DID

Problems

State issued driver's licenses in North America have morphed into the default identity credential for residents whether by design or by circumstance. While it might seem to be helpful to try to break the problem down into the original purpose first, that is no longer an option. Even states that seek to create mobile versions of their own driver's licenses need to address the other purposes that existing legislation requires, such as control of alcohol and prescription medicines among many other existing purposes. So this section takes the practical view about what must be supported on day one of the availability of mobile state issued identification documents, aka driver's licenses.

Privacy

  1. States are sovereign, which means that they are not liable for any action where they have not accepted liability. Current practice indicates that mobile driver's licenses will only be available on smart phone apps that are supplied by the state and typically written under contract by in-state vendors. Any impact on these apps can only be enforced if the state's choose to do so. Still the states are wont to accept standards written to address these apps and so it would be good to see such standards approved for use.
  2. Organizations that accept user private information (aka PII) from the apps may be under state or federal regulations which require meaningful user consent for release. Standards should be written to define what "meaningful user consent" really means.
  3. The biometric information and signature of the holder is optionally included in the mDL. This is information that should never be released from the person that holds it as is stated in an non-normative appendix. It is meant to be used for activation (C.1.6.4), but that is not described and E.12 says that "the mDL reader may implement biometric comparison of the person presenting the mDL to the portrait." The exact meaning of that last sentence is unclear.

References.

Authenticity

  1. Apps can be created that mimic Mobile Driver's Licenses that either fool the user, or are intended to allow the user to fool the acceptor of the data. Where legal obligation exist to check the authenticity of user provided data, it is likely that apps will need to prove their authenticity to the reader. Specifications for proving authenticity should be written. Kantara currently has an implementer's draft of such an assurance statement.
  2. States are likely to require that smartphone apps meet certain criteria and a wont to accept existing specifications rather than write their own.
  3. Readers of Mobile Driver's Licenses were imagined in the ISO 18013-5 standard to be certified. Specifications for the certifications of reader that meet privacy and identity requirements are needed.
  4. In an ideal world the Mobile Driver's License would not even respond to requests for data from readers that were not certified.

Solutions

Android

Apple iOS

Testing

Connection Protocols

The language for defining the mDL is RFC 8610 CDDL. Occurrence is the one oddity. It is (1) one of the characters "?" (optional), "*" (zero or more), or "+" (one or more) or (2) of the form n*m for min and max. Also "tstr" = text string and "bstr" = byte string, and tdate is something like 1985-04-12T23:20:50.52Z.

Security

US Federal Regulations

State Wallets

  • Florida will also use Apple Wallet 2021-10-14 with a current list of all states supporting apple wallet.
  • Utah was feature in an article on the outlooks for mdl that reported "Ryan Williams, with the Utah Drivers License Division, displays his cellphone with the pilot version of the state's mobile ID on Wednesday, May 5, 2021, in West Valley City, Utah. In Utah, over 100 people have a pilot version of the state's mobile ID, and that number is expected to grow to 10,000 by year's end. Widespread production is expected to begin at the start of 2022." Pam Dixon, executive director of the World Privacy Forum was quoted saying “Most people want some kind of a hard token for their identity, but I don’t know how long that will last, I would imagine that at some point, maybe in a generation, maybe less, that people will accept a fully digital system.”
  • Apple announces first states signed up to adopt driver’s licenses and state IDs in Apple Wallet 2021-09-01 Arizona, Connecticut, Georgia, Iowa, Kentucky, Maryland, Oklahoma, and Utah are among the first states to bring state IDs and driver’s licenses in Wallet to their residents
  • A Delaware mobile ID is now a reality 2021-03-10 The app requires users to capture and upload their physical ID as well as a live selfie to compare against the individual’s file with the Delaware DMV. According to state officials, security features, including strong encryption standards, help fight identity theft. "You don't need passwords or usernames because it's based on your biometrics," said DMV spokesperson Marinah Carver. "You can not use your mobile ID without inputting either your face or your fingerprint. "We're not sharing that data with anyone else, and it can't be accessed through a third party." In addition to safety, Carver said a contactless ID as part of a digital wallet is also a healthier option in a post-COVID world. The program is voluntary and optional and by law. A person is still required to carry their physical credential as applicable for age and identity verification. "You can try it for a bit," said Carver. "If it's not for you, you can opt back out. It's certainly not a replacement at this time to your physical credential." Carver said the mobile ID has not yet been accepted in a law enforcement setting. The DVM offers apps on Apple and Android stores. It allows both a straight scan of the back of the card, or a privacy preserving one of the bar code only from the physical care or a QR code. At the user's discretion.
  • Iowa Mobile ID mID is reported by IDEMIA to be the first with UL certification 2021-03-11.
  • Award-winning myColorado™ App Offers Residents a Contactless Digital ID Colorado is the first state in the nation to offer residents the option to electronically transmit digital identification, vehicle registration and proof of insurance to law enforcement. They require the state trooper to show you a QR code first. Interestingly the feature has been extended to allow the phone's camera to scan the QR code, which indicates that the URL just sends the data from the DMV to the trooper's computer. After that the user has the option to give the cop what she wants, or dig out the paper version of all 3 documents. The business use of the mDL is a simple display of the back of the physical DL on the screen of the phone so the merchants can scan the 2d barcode in the same way as with the physical DL. It appears that Colorado was involved in app development at some level. Users add their identification in the myColorado app by taking a selfie with the in-app camera as well as a photo of their physical driver’s license or state ID. Several authentication points, including the selfie, the physical card’s bar code and the resident’s phone number are then verified against Division of Motor Vehicles records. The state government is using an identity verification and management platform from Ping Identity Holding Corp., which is based in Denver. The development of Colorado’s digital-ID application started in early 2019 and has cost about $800,000. Much of the effort has involved interacting with state agencies and merchants on features and adoption. Theresa Szczurek has been Colorado’s chief information officer since January 2020. “We discovered that proof of identification without carrying the wallet was really the killer app,” said Ms. Szczurek, who was chief executive of Radish Systems LLC for nine years before becoming state CIO in January. Radish, based in Boulder, Colo., sells software that integrates visuals into phone calls.
  • Identity Services for myColorado™ Mobile App Powered by Ping Identity report from PING dated 2019-11-12.
  • Louisiana adds vaccine status to digital driver’s License App 2021-05-07
  • NBC News reports that Calvin Fabre, president of Envoc, a software firm in Baton Rouge, Louisiana, that helped develop a mobile app to display digital driver's licenses in Louisiana, said most drivers under 40 won't go back home if they forget their plastic license — "but if they forget their phone, they always turn around." It looks like Envoc programs in .NET and Xamarin.
  • [https://www.govtech.com/news/Digital-Drivers-License-Pilot-Comes-to-Wyoming.html Wyoming is piloting a digital driver's license} base on Gemalto technology. (2017-10-05) for only 100 people. The app isn’t connected to the Internet, so there’s virtually no risk of someone tracking a user’s whereabouts or personal information based on when they open the license, said Steve Purdy, Gemalto’s vice president of state government programs. In order to enter the app, people have to enter a five-digit password or use fingerprint identification. “All it does is show your photo and whether or not you’re 21,” Purdy said. Gemalto provides the existing card license to WY.
  • Ontario program with potential to eliminate our need to carry around physical health cards, driver's licenses and other forms of provincially-issued ID. blogTO (2020-11)

Wallet Spread Sheet

Note that some of these organizations are just associations of large Enterprises.

State Code Provider ISO Notes
[ ALABAMA .AL Idemia eID - has been around since 2015 w/o much use
ALASKA AK
AMERICAN SAMOA AS
ARIZONA AZ Idemia yes MID 2021-03 - scans CARD
ARKANSAS AR authorized Digital copy for $10
CALIFORNIA CA vetoed by Gov 2015
COLORADO CO Thales pilot no
CONNECTICUT CT Apple later
DELAWARE DE Idemia yes MID - holder MUST be able to present physical card on request
DISTRICT OF COLUMBIA DC
FEDERATED STATES OF MICRONESIA FM
FLORIDA FL Thales Apple Wallet - pilot 2021
GEORGIA GA Apple Wallet
GUAM GU
HAWAII HI
DAHO ID
LLINOIS IL
INDIANA IN
IOWA IA started testing 2014 - Apple later
KANSAS KS
KENTUCKY KY Apple later
LOUISIANA LA home-grown LA Wallet cost user $6
MAINE ME
MARSHALL ISLANDS MH
MARYLAND MD Thales pilot Apple later
MASSACHUSETTS MA
MICHIGAN MI
MINNESOTA MN
MISSISSIPPI MS
MISSOURI MO
MONTANA MT
NEBRASKA NE
NEVADA NV
NEW HAMPSHIRE NH
NEW JERSEY NJ
NEW MEXICO NM
NEW YORK NY
NORTH CAROLINA NC
NORTH DAKOTA ND
NORTHERN MARIANA ISLANDS MP
OHIO OH
OKLAHOMA OK Idemia yes MID 2019 - scans CARD - Apple later
OREGON OR
PALAU PW
PENNSYLVANIA PA
PUERTO RICO PR
RHODE ISLAND RI
SOUTH CAROLINA SC
SOUTH DAKOTA SD
TENNESSEE TN HB556 in 2015 - RFP 2020-12
TEXAS TX
UTAH UT Apple later - test mdl in Alcohol purchases 2021-11-01
VERMONT VT
VIRGIN ISLANDS VI
VIRGINIA VA
WASHINGTON WA
WEST VIRGINIA WV
WISCONSIN WI
WYOMING WY Thales pilot
Province/Territory Abbreviation
BRITISH COLUMBIA BC
ALBERTA AB
SASKATCHEWAN SK
MANITOBA MB
ONTARIO ON
QUEBE QC
NEW BRUNSWICK NB
NOVA SCOTIA NS
PRINCE EDWARD ISLAND PE
NEWFOUNDLAND NF
NORTHWEST TERRITORIES NT
YUKON YT

User Problems

Q indicates a question from a real user.

  1. Q Why is there no way to validate [scan] the QR code I was given?
  2. Navigating to Apple Store from Google on a PC hangs.
  3. At a minimum your mobile phone number is known to the State DMV/MID.
  4. The Idemia apps scan the physical card and allow the user to display the front or the bar code from the back of the card. (Not part of ISO.)
  5. The current process is a long back and forth (user facing / verifier facing) process. (not the tap and go experience expected.)
    1. Open the Mobile ID app.
    2. Go to the "Me"/home screen.
    3. Tap the "Share" icon next to "Generate privacy code."
    4. Present the QR code for scanning to initiate the connection with the verifying device.
    5. Accept (or Decline) the request to share information under "IDs."

References