How Are mDLs Issued?

Mobile driver's licenses are issued through a secure process that transforms DMV records into cryptographically signed, verifiable digital credentials, which are delivered to a resident's smartphone. The issuance process combines identity verification, cryptographic protection, and device binding to ensure that each mDL is authentic, tamper-resistant, and usable only by its rightful owner.

The DMV as issuer

The Department of Motor Vehicles serves as the issuing authority for mobile driver's licenses. According to AAMVA guidelines, issuing authorities must ensure the accurate and secure provisioning of mDLs onto the holder's device and confirm that the mDL app and device hardware meet the functional and security requirements.

Like physical driver's licenses, mDLs follow a lifecycle that includes issuance, renewal, updates, and revocation. While mDLs won't fully replace physical cards, they move more of these processes into secure digital workflows, reducing administrative overhead and expanding convenience for residents.

In-person issuance

In-person issuance mirrors traditional DMV workflows. Individuals bring physical documents and complete identity checks at a DMV office. A trained examiner inspects documents for authenticity, compares the applicant's face to photos on file, and confirms information against existing records. Once verified, the DMV provisions the mDL directly onto the person's phone.

This approach retains the human oversight of traditional processes while adding the security benefits of verifiable digital credentials. The examiner confirms the applicant's identity, and the DMV system generates a cryptographically signed credential that can't be forged or altered.

Remote issuance

Remote issuance supports residents who cannot easily access DMV offices, including those in rural areas, those with limited mobility, or those facing scheduling constraints. Credentials can be provisioned outside DMV facilities using secure digital processes and layered identity checks.

Remote issuance typically combines several verification methods. Document verification confirms that identity documents are genuine by examining security features and checking for signs of tampering. Facial matching confirms a one-to-one match between a selfie captured during the process and the photo on file with the DMV. Liveness detection ensures that the applicant is physically present and not using a photo, mask, or video replay to deceive the system.

Liveness checks may track head movements, analyze how skin reacts to light changes, or prompt users to follow on-screen instructions that confirm depth and geometry. These methods are evolving quickly across the industry, with growing guidance from standards bodies and identity programs on quality, accessibility, and fraud resistance.

Together, these tools enable identity verification without requiring an office visit while maintaining trust in credential authenticity.

Cryptography and device binding

Cryptography ensures that each mDL is securely tied to the owner's phone. When the DMV issues a mobile driver's license, the phone creates a unique cryptographic key inside its secure hardware, a separate, protected computing zone within the device.

The credential is then linked to that key, allowing it to be used only on that specific device. This device binding prevents someone from copying the credential to another phone. Even if the credential data were somehow extracted, it couldn't be used without the corresponding private key, which is locked inside the original device's secure element.

Once keys are generated and stored in the secure element, extracting them is practically impossible. They cannot be accessed through normal interfaces. An attacker would need to attempt a physical attack or exploit a significant vulnerability, an extremely unlikely scenario requiring specialized equipment and expertise.

The issuance workflow

In a typical issuance, the process flows through several steps. First, the resident initiates the request through a DMV portal or app. The system confirms their eligibility by verifying that they have a valid driver's license on file. For remote issuance, the identity proofing checks are performed digitally. For in-person issuance, a DMV employee conducts the verification.

Once identity is confirmed, the DMV system generates the credential data, name, birthdate, address, driving privileges, and other required fields. The system applies a digital signature using the DMV's signing key, typically secured in a hardware security module. The signed credential is then transmitted to the resident's wallet app, where it's bound to the device's unique keys.

Depending on program rules, risk signals, and applicant history, remote issuance can be completed quickly, though some applicants may be routed to additional verification steps or in-person review.

Privacy considerations in issuance

Best practices around data collection and retention are emerging for remote issuance workflows. For example, selfie images captured during facial matching can be automatically discarded after verification, leaving only the original image from the DMV's database. This minimizes data retention while maintaining the integrity of the verification process.

The issuance architecture can also prevent "issuer phone-home" tracking, ensuring that the DMV doesn't receive notifications every time the credential is used. This protects privacy by design, making the mDL function more like a physical card that doesn't report back to its issuer.

Standards and interoperability

mDL issuance follows international standards, primarily ISO/IEC 18013-5 for in-person verification and ISO/IEC 18013-7 for online use cases. These standards ensure that credentials issued in one state can be trusted and verified in another, and that mDLs are accepted at TSA checkpoints, by law enforcement, and across private-sector verifiers.

Some states also issue credentials in multiple formats, both ISO mDL and W3C Verifiable Credentials, expanding the range of use cases and ensuring compatibility with evolving verification systems. California's DMV Wallet, for example, issues mDLs in dual formats, supporting both in-person and online presentation scenarios.