Blog from February, 2022

You may be waiting a little longer than you'd hoped to leave that wallet behind.

JERAMY JOHNSON | 16 Feb 2022, Source: Alex Dobie / Android Central

What you need to know

  • New evidence shows that devices launching with Android 13 will require special hardware to support mobile driver's licenses (mDLs) and digital IDs.
  • That hardware must be able to support Identity Credential Hardware Abstraction Layer (HAL) at feature version 202201 or later.
  • Google cannot mandate this change for older devices supporting Android 13, but it will require it for new devices launching with the latest OS.

Ever since Android 11, Google has been building in the functionality to support digital IDs such as mobile driver's licenses (mDLs) on all of the devices running its latest mobile operating system, from budget handsets up to the best Android phones. However, now that more and more federal, state, and local governments are warming up to the idea of digital IDs — at least 30 states so far — and now that Apple has vowed to support this feature from iOS 15 onwards as well, Google is hoping to finally bring the functionality to fruition in Android 13.

Unfortunately, it appears that not every phone capable of running Android 13 will be able to hold digital IDs like mobile driver's licenses (mDLs), according to this blog post by Mishaal Rahman, senior technical editor at Esper and former editor-in-chief at XDA Developers.


Feb 15, 2022 | Heather Vescent


In my physical wallet, my credit cards, driver’s license, health insurance card, public transit cards, vaccination card, and yearly pass to Joshua Tree are co-mingled. But what do these items really have in common? One ID card was issued by the California DMV, another ID card was issued by Santa. (I’m not kidding.) Some cards have personally identifiable data on them, others hold a balance for public transit or permit access to a national park free of charge until this summer. While the cards conform to a standard shape, what is on them and how I use them is very different. And yet, there are three separate industries racing to create “One (digital) wallet to rule them all.”

Payment companies see an opportunity to get into the digital identity space. Digital identity companies see an opportunity to aggregate your digital identities and identity data. And then you have cryptocurrencies, which have some transaction characteristics, but in my wallet, they resemble more a stock portfolio than a payment method or kind of identification. Does it make sense to integrate all these use cases into a single ‘wallet’?

The Payment Paradigm
In 2022, digital payments are fairly mature. I use Venmo, Zelle and Paypal to pay my handyman, for flowers at the farmers market, and to send friends cash. Credit cards are accepted on all these channels, plus I can physically use them. Depending on your hardware platform, you can activate a credit card to use on your phone for contactless payments. These are not different credit cards, they are the same credit card that I have ‘onboarded’ to each payment platform, or in other words, wallet. No matter what flavor of credit card you have, they interoperate with each other’s systems.

Crypto Wallet, Stock Market?
Crypto wallets are less about day to day transactions and more like stock portfolios since crypto prices fluctuate and we may want to buy or sell depending on the price.

Cryptocurrency is the other side of the same payments coin. Whereas traditional FinTech companies are traditionally risk averse and less likely to experiment, the crypto industry is all about experimentation down to challenging the basic philosophical beliefs of what money is. When the use case of using cryptocurrencies for daily transactions evaporated (at least in countries with a robust national currency) it shifted into a store of wealth assets – and attracted a lot of traditional money folks.

The crypto space is the newest entry to the scene (despite being around for over a decade) and the experimentation isn’t stopping anytime soon, despite KYC and other regulations. Does it make sense to integrate a volatile, experimental stock portfolio with the mature payment transaction industry? Especially since crypto wallet UI is practically nonexistent.

Digital Identity Data
Now what about digital identity? Despite digital identity’s necessity to do most anything on the internet, we don’t have any digitally native identification cards yet. A few of us may have a COVID credential QR code we keep in our images, and Apple just added the ability to add your vaccine card via QR code in iOS 15. But these are rare outliers.

One of the challenges with digital identity is that our identifying data comes from many places. Issuers of digital identity can be governments (as with driver’s licenses or voter registration), companies (health insurance, credit cards), and even our friends (my friend who gave me a license to Santa).

This is a very different situation from the payments paradigm where financial companies issue a credit card to buy something. Payment transactions are a narrower and more specific use case, with companies controlling many touch points, from issuing credit cards to client-server digital transaction models.

Verified identity facilitates and smooths other kinds of transactions. We can be more relaxed and confident when we trust that someone is who they say they are – whether that be a person or a company. Verified data goes a long way to creating this kind of trust. But the square peg of data sharing can’t be fit into the round hole of payments, no matter how tempting it may look. And it doesn’t have to, because aggregation already exists in our accounting software, tax software, bank accounts and small business profit and losses statements.

Conclusion
While there are those who dream of One Wallet to rule them all, maybe that’s not the best metaphor.

It is not as sexy, and certainly an organization may have less control, but it may be better to figure out the interoperability rails necessary to support a diversity of consumer options for those who want different experiences. This is also good for the marketplace.

About the author
Heather Vescent is a digital identity industry thought leader and futurist with more than a decade of experience delivering strategic intelligence consulting to governments, corporations and entrepreneurs. Vescent’s research has been covered in the New York Times, CNN, American Banker, CNBC, Fox and the Atlantic. She is co-author of The Secrets of Spies, The Cyber Attack Survival Manual and The Comprehensive Guide to Self Sovereign Identity.

The IRS started a roll-out of ID.ME facial recognition, but ran into bad publicity and bad results. How that relates to something like Biometric Pre Check is not clear at this point. The big difference is that the person is present at the biometric scanner and not for ID.ME. Although ID.ME was adding locations all around the country that could be used for this, and that is in addition to all the sites that the TSA has enabled for frequent traveler programs to get into the pre-check lines today.

The article on this issue from Wired had this to say: https://www.wired.com/story/face-recognition-irs-verify-identity/

Even before the IRS controversy, at least one federal agency was skittish about using face recognition for online ID checks. The Social Security Administration warned NIST in 2020 of “privacy, usability, and policy concerns” about the technology. “In preliminary testing, we have found a sizable number of customers are uncomfortable submitting a photograph or lack the technical knowledge or hardware to do so successfully,” the agency wrote. It cited concerns about potential bias affecting minority groups and asked that alternatives be permitted. NIST is due to publish an updated draft of its digital identity guidelines this year, and after public comment will finalize it in 2023.

Added a link to the NYTimes reporting if you paid.  I.R.S. Will Allow Taxpayers to Forgo Facial Recognition Amid Blowback - The New York Times (nytimes.com)

I was explaining the workgroup to someone in an email and the explanation included this:

We are trying to address the issue of how an “Alice” using a mobile credential, such as an ISO-compliant mobile Driving License (mDL) can trust that digital identity ecosystem she uses when she gets or uses a mobile credential. It’s not enough that the transactions themselves are secure. Alice should be able to trust not just the person or entity that she gets her mobile credential from (University ID card, Government ID card, Super Bowl ticket, etc). She should have a reasonable expectation that every entity upstream or downstream of her actual transaction will respect her privacy — i.e. only use or share her credentials for purposes related to why she used her mobile credential in the first place. This requires an ecosystem level of interoperable technical protocols and governance.

This struck me as a good start to explain what we want to do to potential implementors. Thoughts or comments are welcome.

 | Jim Nash

Hawaiian legislators are finding the devil is in the details when it comes to mobile driving licenses (mDLs) while in Utah, they are learning that the technology is the devil.

Meanwhile, Apple continues to putter along with plans to get at least some Americans to put their license or state ID in its Wallet app.

Hawai’i House Bill 1686 would create a digital state ID pilot program, an idea that is gaining momentum in other states (and in numerous nations). In theory, mDLs would be less expensive for governments to manage and citizens to hold, update and replace.

Legislators in Hawai’i at the moment, however, are sussing out practical considerations like how automatic voter registration and other state programs can be tied into digital IDs.

Privacy concerns are real, of course. To date, no one has proved immune to breaches, and the biometric information on IDs, including driving licenses, is uniquely painful to lose control of.

But contrary to what seems like a popular misconception in some quarters of the United States, data on a state ID is not somehow only stored on the physical card.

Every bit of information on a paper or plastic driving license — starting with the license number — is by definition already on a state database. That does not change for mDLs.

Likewise, supermarket loyalty cards, insurance cards, vehicle titles, airline tickets, phone SIM cards, home warranties, National Rifle Association cards, digital McDonald’s coupons, Netflix memberships, Home Depot receipts, game app registration forms, credit cards, phone numbers, email addresses, pickup truck loans, Telegram subscriptions and pet microchips are just the front end of electronic databases.

That might be news in Utah, where some state residents feel digitizing an ID will overturn democracy, lead to concentration camps, or even summon Satan. In reporting by The Salt Lake Tribune, it appears that a vocal segment of that state’s population sincerely holds one or more of those beliefs.

Some made their fears known during a state house committee meeting discussing the possibility of making a voluntary mDL project a permanent option.

Committee members ended the meeting without taking a vote.

At the same time, Apple is saying its customers will be able to add their driving license or other state ID to Wallet in “early 2022.” That might be April.

While not controversial the way state mDL programs can be, Apple has its doubters here. Interoperability questions abound, including: If Mark Zuckerberg tomorrow announced a Facebook mDL (no announcement is necessarily anticipated), would states adopting it need to follow each company’s standards and protocols?

That said, no less than the Transportation Security Administration, or TSA, is testing 122 credential authenticators to be ready for digital IDs.

The editors at MacRumors are all over developments here, including pawing through the second iOS 15.4 code line by line for clues about the feature.

 | Frank Hersey

After years of work with thought leaders in digital identity, the Open Identity Exchange (OIX) publishes its first full guide to ‘Trust Frameworks for Smart Digital ID.’ And that is a very careful use of the word ‘smart’ (and ‘guide’).

The overall aim of the OIX is to allow anyone to prove their identity anywhere. To achieve this, Trust Frameworks are needed. These are a set of principles, roles and responsibilities for all involved. The OIX community is not there yet: this is a guide to what that Trust Framework might and should look like. Version 1.0 is now available on the OIX website, as an interactive guide or full 65-page PDF. The team welcomes feedback.

Overall, the guide provides a detailed resource for defining, explaining and presenting what is meant by a digital ID by exploring the mechanisms that underpin it. These are the 30 elements, components and frameworks that the community believes should be used to build a global Trust Framework that will enable a successful and trusted digital ID.

Rules-based, derived and smart for now

The guide explores what is needed for a ‘smart’ digital ID. “The smart ID must be able to help the user through this process and this process is defined by the organization’s rules,” says Nick Mothershaw, chief identity strategist at the OIX during the launch event for the guide.

The ‘smart’ comes from the digital ID – whether as a smart wallet on a device or a cloud-based digital ID – being able to navigate an ID-dependent situation on behalf of a user via sets of rules. The user should not need to know the rules.

It does not yet incorporate AI. “What we’re encouraging here is a capability for the identity to understand rules and process rules on behalf of the user,” says Mothershaw, “An inevitable elevation of that is AI … the rules as we’ve painted them so far are coming in from the direction of the relying party.” For subsequent working groups the community will look at rules going the other way: “What about the rules for the user? AI definitely has a position there in terms of user behavior – for the user.” AI’s role as an agent for the user will also be informed by regulation such as that of the EU on the use of AI.

The system relies on the ID having rules engines which can understand what a relying party wants and provide them from either the user’s existing credentials or a derived credential. The guide explores the creation of derived credentials whether ad hoc for a specific use case or longer-term. An example might be a ‘COVID safe’ assurance being required which would come from a combination of the ID containing records for both a vaccination and a recent negative test.
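The derived-credential flow described above, sketched as an added example (not code from the OIX guide or from any wallet product). The rule format, field names, issuer names and the three-day test window are assumptions made for illustration.

```python
from datetime import date, timedelta

# Hypothetical relying-party rule: which record types the assurance needs,
# how fresh each must be (None = no expiry), and which issuers are accepted.
RULES = {
    "covid_safe": {
        "requires": {"vaccination": None, "negative_test": timedelta(days=3)},
        "trusted_issuers": {"health-authority.example", "lab.example"},
    }
}

# Constructed sample wallet contents; not real data.
WALLET = [
    {"type": "vaccination", "issuer": "health-authority.example",
     "issued": date(2021, 6, 1), "holder": "Alice Example", "batch": "X123"},
    {"type": "negative_test", "issuer": "lab.example",
     "issued": date(2022, 2, 1), "holder": "Alice Example"},
    {"type": "negative_test", "issuer": "unknown-lab.example",
     "issued": date(2022, 2, 9), "holder": "Alice Example"},
]


def _satisfies(record, rec_type, max_age, trusted, today):
    """True if one wallet record meets one requirement of the rule."""
    if record["type"] != rec_type or record["issuer"] not in trusted:
        return False
    if record["issued"] > today:  # reject records dated in the future
        return False
    return max_age is None or today - record["issued"] <= max_age


def derive_credential(assurance, wallet, today, rules=RULES):
    """Return (derived_credential, missing_record_types).

    The derived credential is what goes to the relying party. The list of
    missing types stays on the device so the wallet can prompt the user.
    """
    rule = rules.get(assurance)
    if rule is None:
        raise KeyError(f"no rule for assurance {assurance!r}")
    missing = sorted(
        rec_type for rec_type, max_age in rule["requires"].items()
        if not any(_satisfies(r, rec_type, max_age, rule["trusted_issuers"], today)
                   for r in wallet)
    )
    if missing:
        return None, missing
    # Data minimization: only the yes/no assurance leaves the wallet. Holder
    # name, batch, issuer and dates of the source records are not copied.
    derived = {"assurance": assurance, "satisfied": True,
               "evaluated_on": today.isoformat()}
    return derived, []
```

The second value is the point at which a wallet would tell the user which record needs renewing, here a test older than the assumed window or one from an issuer the rule does not accept.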

Rationalized language for digital agnosticism

The guide also includes an extensive glossary of what all its terms are (for signed-in users). This is useful as devising an interoperable global digital ID basis is somewhat complex. There is also a rationale for why the community has chosen certain terms and not others.

The guide is both technology agnostic and ‘paradigm agnostic.’ It accommodates any type of technology architecture such as digital wallet or cloud-based. It is also suggesting components that would allow for a full range of identity systems that the IDs sit within, covering centralized, decentralized, self-sovereign and federated.

by: Jordan Verdadeiro

Posted: Feb 3, 2022 / 05:21 PM MST Updated: Feb 3, 2022 / 05:21 PM MST

HURRICANE, Utah (ABC4) – What started as a pilot program a year ago, is one step closer to becoming a new option for all Utah drivers.

“So far we have about 3,000 people that are in the pilot program for the mobile driver license, right now it’s being accepted in just a handful of locations across the state,” says Joe Dougherty, the spokesperson for the Utah Department of Public Safety.

Senate Bill 88 aims to make the pilot program permanent.

“Money is on our phone, your health insurance card is on your phone, your auto insurance is on your phone, this kind of just brings Utah’s technology up to par,” says Senator Lincoln Fillmore, the Chief Sponsor for the bill.

Dougherty says they’re expecting it to be available to all Utahns this year.

“It uses the latest security standards, called ISO which is this internationally recognized standard for your data,” he says.

This map shows places accepting the mobile option, known as mDL. It ranges from shopping centers, government entities, to banks.

Dougherty says through an application on your smartphone, a unique QR code is generated, allowing users to share certain data. It even offers remote verification of a person’s record.

“Practiced it with one of our troopers and she was able to sit in her vehicle and verify my ID when I tapped ‘share by Bluetooth’,” says Dougherty.

A physical driver’s license card will still be accepted, officials say this is just an additional option for Utahns.

Officials say if this program moves to a permanent option, there will be a nominal fee for using the app.

 | Chris Burt

South Korea has introduced its mobile driver’s licenses (mDLs) with a trial version carrying the same legal status as the physical ID credential, but stored in a mobile phone app, Yonhap News reports.

The digital ID is the first mobile credential released in the country for the general population, though Yonhap notes there are several ID cards that have been digitized for schools, businesses, and public officials.

The trial version with full legal status was announced by the Ministry of Public Administration and Security and the National Police Agency, and will be issued at 14 driving test centers and police stations. Issuance is not restricted to residents of the areas where the centers are located, however.

The government plans for the mDLs to be made available to all Koreans starting in July. They can legally be used for ID at public and financial institutions, car rental and ride-sharing services, airports, hospitals, passenger terminals and hospitality sector businesses, and for age verification at convenience stores and liquor stores. Not all of these businesses are currently ready to accept mDLs, however, according to the report.

The mDLs are built to enable limited disclosures of personal information, and are also intended to facilitate online transactions. The credentials include QR codes for scanning and a time display that changes in real-time to prevent counterfeiting.

mDL holders who lose their mobile device storing the credential can lock it by reporting the loss.

Usage history is stored only on the individual’s smartphone, and not transmitted to a central server, authorities say.

The mDLs are issued following face-to-face verification, Yonhap reports, but the outlet also publishes a government graphic on the issuance process which appears to depict the use of selfie biometrics in one of the final steps. The report notes that the user scans the IC chip of their physical driver’s license with their smartphone, and then performs identity verification.

mDLs are currently in development in many countries around the world, with recent developments in the U.S. and Czech Republic.