Are states speeding toward mobile driver licenses?
Interest is high, but roadblocks include standards, infrastructure, relying party acceptance
25 April, 2016
A high-stakes standards game
It may sound straightforward, using Bluetooth or another technology to transmit license information to an officer in a cruiser. But for this to work, states, vendors and law enforcement would all have to agree on a standardized approach. The American Association of Motor Vehicle Administrators is in the early stages of creating mobile driver license standards that would be used by all members, says Geoff Slagle, director at AAMVA.
The stakes are extremely high in this process. Many states are already evaluating mobile driver licenses, but all will need to agree to minimum standards so that each license can work in all other states. “You have to have the standards down, so mobile driver licenses can be leveraged regardless of the jurisdiction,” Slagle explains.
This doesn’t mean states will have to all use the same vendors, but they will have to make sure that the vendor they choose is using the standardized approach, Slagle says. He uses ice cream as an analogy. As long as systems are using the same ice cream base – a standardized secure mobile driver license – vendors can offer different add-ons – hot fudge, sprinkles or whipped cream. “The base has to have the ability to communicate in an electronic and trustworthy way,” he adds.
The standards will revolve around making sure that the application is secure and verifying that the credential is legitimate, Slagle says. “Right now you have people walking around with super secure cards, but you don’t know if the person holding it is connected to it,” he explains. “With mobile driver licenses, we believe we can achieve full confidence that the person interacting with it is the owner.”
AAMVA hosted the first mobile driver license standards meeting in November 2015. With interest in mobile licenses so high, the committee hopes to move quickly, but a finalized specification will likely arrive in late 2016 at the earliest, with the spring of 2017 looking more realistic, says Slagle. Once the committee has finished its work, the spec has to go to AAMVA’s Board of Directors and members for a vote.
States already moving forward with mobile driver license tech will have to keep an eye on the work AAMVA is doing and try to stay on the same track. Iowa is keeping this in mind as it moves forward with its pilot, says Lowe. “The really big thing is making sure the mobile driver licenses are accepted state to state and accepted by law enforcement, retail and banking,” he explains. “What is the thing that will make them interoperable? That’s what we’re spending time working on.”
If states decide to go with different technology standards, it will hamper the adoption of the technology, says Adam Madlin, solutions leader for Identity and Cybersecurity at Symantec. “If you can’t get all the states on board it will undermine interoperability,” he adds.
Mathtec’s Dean is concerned that mobile driver license technology may be out of date by the time standards emerge and gain widespread acceptance. “We’re going to spend the next couple of years working on standards and then another five to 10 years getting states on board,” explains Dean.
If biometrics or some other identification technology becomes prominent, they could eclipse the need for mobile license apps, suggests Dean. “Are we inventing a technology that will be leapfrogged?” he asks.
Driver licenses for the identity ecosystem
Iowa is looking even beyond that. The mobile driver license has potential to be used as a high-assurance digital credential to access other sites and services, Lowe says. That use case may take a while to develop, but it’s on the road map.
Delaware wants the mobile driver license to be a credential to securely communicate with the DMV, Vien says. “If we do this right we can create a secure means of interacting with customers remotely,” he adds.
Lessons learned: Ever-changing mobile operating systems pose challenges
Iowa rolled out its mobile driver license pilot in August. The program was moving along when it hit a snag a few weeks in, says Mark Lowe, director of Iowa Department of Transportation’s Motor Vehicle Division. “When iOS 9 came out we had problems,” he explains.
It was an important lesson learned early on in the pilot. DMVs are used to issuing a credential and then not having to see the individual again until they come in years later for renewal. With the constant updates of mobile operating systems, states will have to keep tabs to make sure updates don’t lock apps and render them unusable.
Iowa is running its pilot now on iOS devices, but when these systems roll out in larger numbers support will have to be available for all devices and operating systems. “You can’t just come up with a secure approach that works on iPhone or Android alone,” says Steve Purdy, director of business development for Government Affairs at Gemalto. “You need one that works on all operating systems and devices.”
How mobile driver licenses are verified also has to be ubiquitous across handsets, Purdy says. This may limit the verification technology to bar codes or Bluetooth Low Energy – a technology that has been standard on smart phones since 2012.
The rollout will be slow, first enabling secure electronic transactions with the DMV and then other state services and other relying parties. North Carolina, Georgia and Virginia are already using DMV data to confirm people’s identities when setting up credentials to access different state services.
Those projects are being done with pilot funds from the National Strategy for Trusted Identities in Cyberspace. But there aren’t many state agencies that wouldn’t love to have access to their state’s DMV records, says Mathtec’s Dean. “In every state that I talk to, all the agencies want access to the driver license data to verify information,” he explains. “The DMV is the one government agency where people have to establish identity face-to-face in a physical location.”
Standards will be important in this aspect of mobile driver licenses too, says Symantec’s Madlin. “You have to get all states on board or it won’t have real adoption,” he explains. “As states become the trusted source of identity they can expand their citizen applications, broaden adoption and spur greater success.”
Online identity vetting has been a difficult proposition. If states start issuing a digital credential based on in-person identity vetting, that solves a lot of problems. “DMVs and mobile driver licenses have a role to play in the bigger identity picture,” says Madlin.
The possible applications for mobile driver licenses are endless. The dream of a virtual wallet that combines driver license, payments and a digital identity has been discussed for years but might be around the corner. It promises to change the way citizens interact with DMVs, government agencies and other relying parties. But it will require massive effort to create the standards and build the infrastructure necessary to make this dream a reality.
Numerous states proposed legislation in 2015, more expected in pending sessions
by Joseph Hoellerer, Manager of Government Relations, Security Industry Association
Mobile driver license legislation was introduced in ten states during 2015 – Arizona, California, Delaware, Illinois, Iowa, Kentucky, New Jersey, North Dakota, Tennessee and Texas. Generally, bills either directed a feasibility study for mobile driver license implementation, or directed certain state agencies – notably licensing commissions – to set up and carry out a program.
Outcomes were mixed. In Texas, a law was passed directing state officials to carry out a mobile driver license feasibility study. Tennessee went a step further initiating the creation of an actual program.
Conversely, lawmakers in California approved legislation directing the state’s Department of Motor Vehicles to initiate a study. Gov. Jerry Brown (D) vetoed the bill, however, stating, “While the idea of a digital license sounds innovative, it poses numerous technical difficulties. Given the many new responsibilities that the Department of Motor Vehicles is already dealing with, I don’t believe this bill is advisable.”
Despite a veto-proof margin and support from every Democratic legislator that voted on the measure, a veto override is not expected. It would be the first veto override under the Brown Administration, a precedent that California Democrats have so far been unwilling to set.
In the remaining seven states, mobile driver license bills did not see further action in 2015 sessions. Three of these states – Delaware, Illinois and New Jersey – are technically still considering the legislation from carryover sessions, but it is unclear whether any will see further legislative action in 2016.
Members of the Security Industry Association (SIA) specializing in identity management technology are advising policymakers on what it would take to create and deploy a successful and secure program. Last November, representatives from HID Global testified before the Kentucky Joint Committee on Transportation regarding legislative proposals to provide citizens with mobile licenses on a voluntary basis.
Throughout the hearing, witnesses emphasized that mobile driver licenses should remain an optional alternative and legislation should not mandate the discontinuance of physical driver licenses. They stressed that convenience should not substitute for efficacy and security.
Witnesses identified key stakeholders that should be a part of crafting any solution to ensure it meets the unique needs of the state:
Citizens need demonstrable assurances that their personal information will be protected against unauthorized use.
Law enforcement officials must ensure any changes in procedure enhance their ability to protect the communities they serve.
Federal authorities and state licensing authorities must be assured that any potential operational issues that may arise will not compromise their ability to provide accurate identifiable information.
Another potential obstacle for states is complying with REAL ID, a law passed by Congress in 2005 that established minimum security standards for state-issued driver licenses and identification cards. Currently, 23 states and territories are compliant with REAL ID and 27 others have received extensions. Seven states and territories have neither complied nor been granted an extension.
Indications are that mobile driver license compliance would track overall with a state’s driver license and identification program. Presumably, a mobile driver license that meets issuance, data, security and other requirements of REAL ID would be considered compliant in a state whose program is REAL ID compliant. Prior to implementation, policymakers should decide how mobile driver license features fit into their state’s policy on REAL ID requirements and be cognizant of additional legislative measures that may need to take place in the future pursuant to REAL ID.
On the federal side, while Congress has yet to consider any legislation dealing with mobile driver licenses, several government agencies reportedly see potential value in incorporating their use into everyday operations. Take, for example, the Transportation Security Administration’s airport check-in points of entry. Once this technology is properly tested, the confluence of boarding passes and identification on a single mobile device could add security and streamline processes. Similar identification confirmation mechanisms could be deployed in our nation’s ports and other high-security entry points.