You’re in the airport security line struggling to get your driver’s license out of your wallet. After retrieving it, you drop your identification (ID) and continue toward the checkpoint unaware you don’t have one of the most essential documents needed to get through security. Thankfully, someone behind you finds and returns your wayward ID just as you reach the travel document checker.
Currently, a physical government-issued ID, most often a driver’s license, is a must-have at security checkpoints such as those at the nation’s airports staffed by Transportation Security Administration (TSA) agents. Some passengers show passports or other IDs, but the majority present driver’s licenses. As adults, we cannot board a commercial flight without a physical ID; for now, that is.
You may be interested to learn that physical driver’s license holders may soon be able to apply for Mobile Driver’s Licenses (mDLs) stored on smartphones if they want to move to a digital ID, thanks to a collaborative project involving the Science and Technology Directorate (S&T), National Institute of Standards and Technology (NIST), and TSA.
The mDL movement is driven by two primary factors: the REAL ID Modernization Act of 2020 and market-driven initiatives to develop secure, privacy-protecting, and easy-to-use technologies for managing digital identities. The former permits acceptance of electronic presentation of identity and lawful-status information, once DHS issues implementing regulations.
mDL adoption is not as simple as a state motor vehicle department emailing out electronic driver’s licenses. It requires an ecosystem (e.g., reader devices, cyber infrastructure, security and privacy standards, and Public Key Infrastructure services) to support the provisioning, issuance, acceptance, and authentication of mDLs, because a digital credential cannot rely on the physical anti-counterfeiting features, such as embedded and covert security elements, built into current government IDs; its authenticity has to be established cryptographically instead.
Through the Next Generation Identity: Mobile Driver’s License project, S&T, TSA, and NIST are working cooperatively and with nongovernmental organizations to develop that framework along with security, privacy, and authentication protections, as well as standards, so DHS and its components can accept mDLs.
In support of the overall project, S&T’s Biometric and Identity Technology Center (BI-TC) is conducting industry studies to assess the integrity, risk, and trustworthiness of digital identities such as mDLs for potential DHS acceptance and use. It is also working with NIST on the standards-development process, conducting interoperability testing, and developing privacy and security recommendations.
“S&T is looking at criteria, processes, and tests that will help DHS and its components assess if a specific mDL implementation is trustworthy and interoperable,” said BI-TC Director Arun Vemury. “This determination will help DHS components decide whether they want to adopt an mDL solution as part of their existing operations or even new operations.”
Once a solution is selected for a DHS use case, the department must also onboard an ecosystem, so S&T is examining how mDLs issued by different state motor vehicle departments behave on different mobile device platforms and whether they interoperate with the various reader systems that DHS components could adopt.
Vemury added that S&T is working alongside an mDL and Digital Identity Working Group that was established by several DHS components to draft criteria, develop a review process, and refine the onboarding process for mDL implementations.
The biggest hurdle to overcome in the move to digital IDs is ensuring each mDL is authentic, which is the focus of TSA’s work for the mDL project.
The following three groups are involved in the issuance and use of driver’s licenses:
- The issuing authority: the state licensing agencies.
- The credential and the user: the actual driver’s license and you, its holder.
- The relying party: DHS, TSA, and other federal and state government agencies, as well as law enforcement, airlines, and other travel-related businesses that rely on photo IDs to verify identity or to grant security and related access privileges to the license holder.
Collectively, these groups are part of the Triangle of Trust Framework for issuing, using, and trusting driver’s licenses, whether physical or digital. As a “Relying Party” in this framework, TSA must be able to authenticate that an mDL is a person’s legitimate ID, said Jason Lim, the agency’s Identity Management Capability Manager.
TSA is developing a system to authenticate mDLs using a Public Key Infrastructure (PKI): a set of roles, policies, hardware, software, and procedures that govern the creation, management, distribution, use, storage, and revocation of digital certificates and the management of public-key cryptography.
“In this model, TSA will receive the public keys from issuing authorities and cache the data on digital identity reader devices so we can authenticate an mDL was issued by a state agency and belongs to the person who is presenting the electronic ID at a security checkpoint,” said Lim.
Lim added that the use of a centralized PKI to authenticate electronic IDs is one of the largest governance issues challenging acceptance of mDLs for TSA security checkpoints and other government uses.
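The relying-party model Lim describes, with issuer public keys cached on the reader so that a checkpoint can verify both that a credential was signed by a state agency and that it belongs to the device presenting it, is shown below as an added Go example. It is not code from the S&T, TSA or NIST project: the data fields, the Ed25519 signature scheme, the JSON encoding, the challenge-response binding of the holder's device key, and the local revocation list (the issuer control over lost or revoked mDLs mentioned later in this article) are all assumptions chosen for illustration, not the project's specification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the issuer-signed payload; its field set is an assumption for this example, not a standard mDL data model.
type Credential struct {
	Issuer    string    `json:"issuer"`     // issuing authority, e.g. a state DMV
	Serial    string    `json:"serial"`     // issuer-unique credential number
	Name      string    `json:"name"`
	Expires   time.Time `json:"expires"`
	DeviceKey []byte    `json:"device_key"` // holder's device public key, bound in by the issuer
}

// SignedCredential is what the holder's phone stores and presents.
type SignedCredential struct {
	Payload   []byte // JSON-encoded Credential
	IssuerSig []byte // Ed25519 signature over Payload by the issuing authority
}

// Issue is the issuing authority's step: bind the holder's device public key into the credential, then sign the whole payload.
func Issue(issuerKey ed25519.PrivateKey, c Credential, deviceKey ed25519.PublicKey) SignedCredential {
	c.DeviceKey = deviceKey
	payload, _ := json.Marshal(c) // cannot fail for this struct
	return SignedCredential{Payload: payload, IssuerSig: ed25519.Sign(issuerKey, payload)}
}

// Reader models a relying-party checkpoint device; issuer keys and revocations are cached locally, so a check needs no network call.
type Reader struct {
	trusted map[string]ed25519.PublicKey // issuer name -> cached public key
	revoked map[string]bool              // "issuer/serial" -> revoked by issuer
}

func NewReader() *Reader {
	return &Reader{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}
func (r *Reader) TrustIssuer(name string, pub ed25519.PublicKey) { r.trusted[name] = pub }
func (r *Reader) Revoke(issuer, serial string)                  { r.revoked[issuer+"/"+serial] = true }

// Nonce returns a fresh challenge; reusing one would let a recorded presentation be replayed.
func Nonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

var (
	ErrUnknownIssuer = errors.New("issuer not in the reader's cached trust list")
	ErrBadIssuerSig  = errors.New("issuer signature does not verify: forged or tampered credential")
	ErrExpired       = errors.New("credential has expired")
	ErrRevoked       = errors.New("credential revoked by its issuer")
	ErrBadDeviceSig  = errors.New("presenter did not prove possession of the bound device key")
)

// Verify answers the relying party's two questions: was this credential issued by a trusted
// state agency (checks 1-4), and does it belong to the device in front of the reader (check 5)?
// Nothing in the payload is trusted until the issuer signature, which covers the Issuer field itself, has verified.
func (r *Reader) Verify(sc SignedCredential, nonce, deviceSig []byte, now time.Time) (*Credential, error) {
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return nil, fmt.Errorf("malformed payload: %w", err)
	}
	pub, ok := r.trusted[c.Issuer]
	switch {
	case !ok: // 1. claimed issuer must be in the cache
		return nil, ErrUnknownIssuer
	case !ed25519.Verify(pub, sc.Payload, sc.IssuerSig): // 2. issuer signature
		return nil, ErrBadIssuerSig
	case !now.Before(c.Expires): // 3. validity period
		return nil, ErrExpired
	case r.revoked[c.Issuer+"/"+c.Serial]: // 4. issuer-published revocation
		return nil, ErrRevoked
	case len(c.DeviceKey) != ed25519.PublicKeySize || !ed25519.Verify(c.DeviceKey, nonce, deviceSig):
		return nil, ErrBadDeviceSig // 5. holder binding via the fresh challenge
	}
	return &c, nil
}

func main() {
	dmvPub, dmvPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	phonePub, phonePriv, _ := ed25519.GenerateKey(nil)
	reader := NewReader()
	reader.TrustIssuer("State DMV A", dmvPub) // obtained out of band from the issuer, cached on the reader
	now := time.Now()
	attrs := Credential{Issuer: "State DMV A", Serial: "DL-0001", Name: "Pat Example", Expires: now.AddDate(1, 0, 0)}
	nonce := Nonce()
	c, err := reader.Verify(Issue(dmvPriv, attrs, phonePub), nonce, ed25519.Sign(phonePriv, nonce), now)
	fmt.Println("accepted:", c != nil, "error:", err)
}
```

Two design points carry over to any real deployment. First, the reader looks up the issuer key by the name inside the payload before the signature is checked, which is safe only because the signature covers that name: a credential that claims "State DMV A" but was signed by some other key fails at check 2, and one naming an issuer the reader has never cached fails at check 1. Second, the nonce is what makes the device-key check meaningful; without a fresh per-presentation challenge, a recording of a genuine presentation could be replayed by anyone holding the copied credential bytes.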
Meanwhile, NIST is leading efforts to develop the standards that will underpin mDL authentication and the adoption of cross-functional readers and other technology supporting mDL implementation. State driver’s license and identity-document issuers, financial service entities, and technology developers are driving the wider development of standardized technologies and processes for a digital-identity ecosystem, and NIST is actively involved in the standards-development process with these industry groups and international standards bodies.
NIST is also leading development of an interagency report that will provide recommendations for mDL security and privacy. This effort spans security and privacy guidelines that define how to implement an mDL ecosystem, as well as requirements for the people who will manage the PKI so that the keys are secured and remain so. NIST is also looking at the provisioning of mDLs and at how much control the issuer retains once an mDL is issued, such as replacing a lost mDL or revoking one.
“The focus of this joint project is to build an ecosystem to implement mDLs,” said S&T’s Vemury. “Once this project is completed, we believe we will create a digital identity ecosystem that replicates and potentially improves upon today’s physical ID system.”