Key Takeaways

Global standards bodies and implementation guidelines make verifiable digital credentials portable, secure, and trustworthy at scale. ISO, IEC, and AAMVA define how digital IDs and broader digital documents should be modeled, secured, and verified, while frameworks from NIST, IEEE, and others guide privacy and deployment. These references help implementers achieve interoperability, protect users, and streamline digital identity across jurisdictions.

‍

ISO and IEC Overview

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are independent non-governmental organizations that create international standards across industries. ISO develops standards that advance safety, quality, and efficiency in areas ranging from technology to healthcare, while IEC focuses on global standards for electrical and electronic goods, infrastructure, energy access, and smart transportation systems. Together, their work supports interoperability, innovation, and safe use of technology worldwide.

In the digital identity space, ISO and IEC collaborate on standards for mobile driver’s licenses (mDLs) and mobile documents (mdocs). These standards aim to establish a consistent technical framework that protects user privacy, ensures cross-border recognition, and promotes secure, reliable credential use.

‍

ISO/IEC 18013 Series

The ISO/IEC 18013 family sets the foundation for driver’s licenses, including mDLs. Only Part 5 and Part 7 are finalized standards, while the others remain in draft development.

• ISO/IEC 18013-1 (Draft): Defines the physical characteristics and basic data set for ISO-compliant driver’s licenses, including size, layout, materials, and key personal data fields. The intent is to ensure consistent design and verifiable authenticity across jurisdictions.
  
  
• ISO/IEC 18013-2 (Draft): Provides guidelines for machine-readable technologies such as barcodes and RFID. It specifies which data elements should appear, how they are encoded, and how features should be positioned for cross-system interoperability.
  
  
• ISO/IEC 18013-3 (Draft): Covers access control, authentication, and integrity validation. This includes encryption, digital signatures, and biometric authentication to prevent tampering and unauthorized use.
  
  
• ISO/IEC 18013-4 (Draft): Outlines test methods for verifying card characteristics, machine-readable features, and the effectiveness of security mechanisms.
  
  
• ISO/IEC 18013-5 (Published): Defines requirements for mDL applications, including data elements, privacy protections, cryptographic safeguards, and secure communication protocols to ensure reliable presentation.
  
  
• ISO/IEC 18013-6 (Draft): Specifies test methods for mDL implementations, focusing on functionality, interoperability, and security in line with 18013-5.
  
  
• ISO/IEC 18013-7 (Standard): Provides a framework for add-on functions such as age verification, vehicle rental eligibility, and other extensions that expand mDL use cases while preserving security and trust.

Together, the 18013 standards explain how mDLs should be issued, secured, and verified in real time without requiring direct contact with issuers.

‍

ISO/IEC 23220 Series

Complementing the 18013 family, ISO/IEC 23220 expands the scope to mobile documents (mdocs), enabling digital wallets to hold multiple credential types beyond driver’s licenses. This includes diplomas, transcripts, training certificates, and other identity-related documents, all designed to interoperate securely.

• ISO/IEC 23220-1: Defines system architectures and the interfaces among issuers, holders, and verifiers during issuance and presentation.
  
  
• ISO/IEC 23220-2 (Draft): Creates a data model for interoperability, including mappings across formats like mDL data, JSON, and W3C Verifiable Credentials and Presentations.
  
  
• ISO/IEC 23220-3 (Draft): Specifies issuance and provisioning processes for organizations that create and distribute mdocs.
  
  
• ISO/IEC 23220-4: Defines presentation flows across device engagement (e.g., NFC, Bluetooth), server engagement, and transport over the internet such as HTTP.

By standardizing issuance and presentation, the 23220 family allows multiple credential types to coexist in one wallet while maintaining user privacy and system trust.

AAMVA Guidance

The American Association of Motor Vehicle Administrators (AAMVA) is a non-profit association of state, provincial, and territorial motor vehicle officials in North America. AAMVA develops model programs and guidance that member DMVs can adopt, fostering best practices, cross-border trust, and operational uniformity.

• mDL Implementation Guide: Supports issuing authorities in achieving technical interoperability, building trust among jurisdictions, and ensuring privacy-preserving mDL deployments.
  
  
• DL/ID Card Design Standards: Provides a framework for secure, uniform physical ID cards that strengthen interoperability and reduce exposure to identity theft and fraud.

Although primarily intended for issuing authorities and law enforcement, these guidelines also benefit private-sector verifiers by establishing trust in IDs issued by different jurisdictions.

‍

Other Key Standards and Playbooks

Several additional frameworks shape digital identity programs worldwide.

• IEEE 2410-2021: Establishes principles for biometric privacy, covering modalities such as fingerprints, face, voice, and iris scans. It emphasizes secure storage, informed consent, data minimization, and ethical handling of biometric information.
  
  
• NIST SP 800-63 Digital Identity Guidelines:
  ‍
  
  • Enrollment and Identity Proofing: Outlines verification at onboarding, with methods such as multi-factor, biometric, or knowledge-based checks.
    
    
  • Authentication and Lifecycle Management: Includes guidance on risk-based authentication, password policies, and continuous authentication.
    
    
  • Federation and Assertions: Provides patterns for federated identity so users can reuse credentials across systems.
    
    

Why These References Matter

While the guidelines are intended for use by federal agencies and organizations that provide services to the federal government, they are also widely used by private sector organizations as a best practices guide. Adopting these standards reduces fragmentation and improves privacy outcomes. Implementers gain predictable data models, reliable security controls, and interoperable presentation flows, while users benefit from portable credentials that work across agencies and industries. Aligning programs with these guidelines reduces operational risk, limits custom code, and strengthens fraud defenses.