The International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), and the American Association for Motor Vehicle Administrators (AAMVA) have published standards and guidelines that outline recommended approaches for mobile driver's license implementations. Below are summaries of what each organization recommends, along with links to their documentation.
After the ISO/IEC and AAMVA guidelines, other relevant standards and regulations shaping the global digital identity landscape have been included.
ISO/IEC 18013 and 23220
The International Organization for Standardization (ISO) is a non-governmental organization that develops and publishes international standards in various industries to promote international cooperation. ISO standards cover areas such as technology, food safety, energy, and healthcare, ensuring quality, safety, and efficiency while promoting international trade. ISO also provides training and support for the use and implementation of its standards. Overall, its work helps advance the global economy and improve quality of life by promoting safe, reliable, and consistent technology use.
The International Electrotechnical Commission (IEC) is another non-governmental organization whose mission is to create international standards. The IEC's standards underpin quality infrastructure and international trade in electrical and electronic goods. The organization facilitates technical innovation, affordable infrastructure development, efficient and sustainable energy access, smart urbanization and transportation systems, climate change mitigation, and increases the safety of people and the environment.
ISO and IEC also work on standards for mobile driver's licenses, with the aim of providing a common technical framework and promoting the safe and secure use of this technology. ISO/IEC 18013-5, for example, specifies requirements for security, data elements, and information exchange between the mobile device and authorized parties. Other standards within this code group are in active development, and all aim to ensure the reliability and consistency of mobile driver's licenses, supporting user data protection and protecting driver privacy. See below for summaries of the seven parts of this standard. It is important to note that only ISO/IEC 18013-5 is published as a standard, while the remaining parts are in progress drafts.
- ISO/IEC 18013-1 (Draft): Personal identification — ISO-compliant driving license Part 1: Physical characteristics and basic data set. This standard defines the physical characteristics and basic data set for a driver's license to be considered ISO-compliant. The standard is intended to facilitate the development of standardized driver's licenses that can be used in a variety of contexts, both domestically and internationally. The physical characteristics specified in the standard include the size and layout of the card, as well as the materials and security features used to ensure its integrity and authenticity. The basic data set includes information such as the driver's name, address, date of birth, and license number.
- ISO/IEC 18013-2 (Draft): Personal identification — ISO-compliant driving license Part 2: Machine-readable technologies. This standard provides guidelines for the design and implementation of machine-readable technologies, such as barcodes and RFID, for use in driver's licenses. The standard also specifies the data elements that should be included in machine-readable formats, as well as the encoding schemes and data structures that should be used to ensure compatibility and interoperability across different systems. It also defines the positioning and layout of machine-readable features on the driver's license and provides recommendations for testing and validation of the technology.
- ISO/IEC 18013-3 (Draft): Personal Identification — ISO-compliant driving license Part 3: Access control, authentication, and integrity validation. This standard provides guidelines for the design and implementation of security features and mechanisms that can help to prevent unauthorized access, tampering, or counterfeiting of driver's license data. This includes measures such as encryption, digital signatures, and biometric authentication, as well as guidelines for managing access to the data stored on the license.
- ISO/IEC 18013-4 (Draft): Personal identification — ISO-compliant driving license Part 4: Test methods. This standard provides guidelines for testing the physical characteristics, basic data set, machine-readable technologies, access control, authentication, and integrity validation mechanisms specified in the other parts of the ISO/IEC 18013 series. This includes methods for verifying the accuracy and completeness of data elements, the readability and functionality of machine-readable technologies, and the effectiveness and robustness of security features and mechanisms.
- ISO/IEC 18013-5 (Published): Personal identification — ISO-compliant driving license Part 5: Mobile driving license (mDL) application. This standard provides guidelines for the data elements that should be included in the mDL, as well as the security and privacy considerations that must be taken into account. It also outlines the requirements for functionality and interoperability of mDL applications, such as the use of digital signatures, biometric authentication, and secure communication protocols.
- ISO/IEC AWI TS 18013-6 (Draft): Personal identification — ISO-compliant driving license Part 6: mDL test methods. This technical specification provides a framework for testing the functionality, security, and interoperability of mDL applications, including the use of digital signatures, biometric authentication, and secure communication protocols. The goal is to ensure that mDL applications meet the requirements and standards set forth in ISO/IEC 18013-5, which specifies the design and implementation of mDL applications that conform to ISO standards for driver's licenses.
- ISO/IEC AWI TS 18013-7 (Draft): Personal identification — ISO-compliant driving license Part 7: Mobile driving license (mDL) add-on functions. The technical specification defines a framework for add-on functions that can be incorporated into mDL applications, such as features for age verification, identity verification, and vehicle rental. The goal is to provide a standardized approach for developing and implementing add-on functions that are compatible with ISO standards for driver's licenses and mDLs.
In addition to the 18013 series, the ISO & IEC are also developing the 23220 series on electronic ID documents (also known as mobile documents or mdocs). The identity documents captured by the mdoc umbrella include mobile driver's licenses, but also include many other types of ID documents and identifiers, and sets a standard for issuing digital credentials that fosters interoperability between document types. For example, the mdoc issuance standard can be utilized by universities to create and issue transcripts, diplomas, training and safety certificates, and the like. Each of these credentials has the technical capacity to be interoperable with each other and with mobile driver's licenses.
This means that a mobile driver's license app on a driver's phone could easily hold multiple types of personal/identity-related documents at once. Here is a brief summary of each of the four parts of the standard for mobile documentation, ISO/IEC 23220:
- ISO/IEC 23220-1: ISO/IEC 23220-1 creates definitions for generic system architectures of mobile eID-Systems, thereby specifying what the interfaces between various entities involved in issuance/presentation look like.
- ISO/IEC 23220-2: ISO/IEC 23220-2 defines a data model for interoperability between mobile eID-systems via data format translation. For example, -2 lists a Common Development and Distribution License data model mapping fields across different data formats used by mobile driver's licenses, JSON, W3C Verifiable Credentials and Verifiable Presentations, etc. This standard is still in draft form.
- ISO/IEC 23220-3: ISO/IEC 23220-3 relays the issuance/provisioning process for organizations creating and distributing mobile identity documents. This standard is still in draft form.
- ISE/IEC 23220-4: ISO/IEC 23220-4 defines a document presentation flow for mobile eID-Systems. This includes device engagement, such as NFC and Bluetooth, and server engagement, as well as methods to transport credentials over the Internet, such as HTTP.
AAMVA Driver's License Guides
The Association of American Motor Vehicle Administrators (AAMVA) is a non-profit organization that represents state, provincial, and territorial officials in the United States and Canada who administer and enforce motor vehicle laws. The group also counts associations, organizations, and businesses that share an interest in its goals as members.
AAMVA creates model programs that DMVs across the US and Canada can choose to implement, allowing for best practices to be followed, and for motor vehicle programs to have uniformity and reciprocity across state lines. AAMVA also houses a research and development program and serves as an advocate and liaison between its members and other government bodies, as well as the private sector.
- AAMVA mDL Implementation Guide: The goal of this document is to inform and equip Issuing Authorities to achieve the following: 1) technical interoperability between different Issuing Authorities’ mDL programs, i.e., an Issuing Authority being able to read an mDL issued by any other Issuing Authority; 2) trust in different Issuing Authorities’ mDLs; and 3) privacy-preserving implementations of mDLs.
- Driving License / Identification Card Design Standards: This document provides a standard for the design of driver licenses (DL) and identification (ID) cards issued by AAMVA member jurisdictions. The intent of the standard is to improve the security of the DL/ID cards issued by AAMVA’s members and to improve the level of interoperability among cards issued by all jurisdictions. AAMVA respects the fact that each jurisdiction’s laws and regulations determine its driver's license issuance process and its associated card requirements. As a result, the intent of this document is to provide jurisdictions with guidance on the driver's license/ID card design standards in order to provide a reliable source of identification and, at the same time, reduce a cardholder’s exposure to identity theft and fraud.
This standard was developed by AAMVA for the production and use of government-issued driver's license/identification card documents (DL/IDs). Private institutions and other organizations may benefit from DL/ID uniformity established by this standard, but the functional requirements are primarily for the benefit of issuing authorities and law enforcement.
While the guidelines and standards listed above are those that are currently the most relevant for the implementation of mobile driver’s licenses, the following regulations, playbooks, guidelines, and standards are also important to be considered for those wanting to dive a bit further into the topic of digital identity.
Other Standards and Guidelines in Digital Identity
- IEEE 2410 Standard: IEEE 2410-2021 is a standard developed by the Institute of Electrical and Electronics Engineers Standards Association (IEEE) for biometric privacy that provides guidelines for ensuring the privacy of individuals in the collection, storage, use, and sharing of biometric data. It also establishes principles for ethical behavior, transparency, and informed consent related to biometric data. The standard is intended for use by a wide range of stakeholders, including developers, manufacturers, service providers, and users of biometric technologies. It covers a variety of biometric modalities, including fingerprints, facial recognition, voice recognition, and iris scans. The IEEE 2410-2021 standard includes provisions for minimizing the collection and retention of biometric data, as well as for secure storage and protection of the data that is collected. It also addresses the issue of data sharing, emphasizing the need for explicit consent and the use of secure protocols for sharing biometric data.
- NIST Special Publication 800-63: Digital Identity Guidelines: NIST Special Publication 800-63 is a set of digital identity guidelines developed by the National Institute of Standards and Technology (NIST). These guidelines provide technical requirements for federal agencies implementing digital identity services. The guidelines cover users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. The guidelines are organized into three parts:
- Enrollment and Identity Proofing - This document outlines the processes and methods for verifying the identity of users when they first enroll in a system. It includes guidance on using multi-factor authentication, biometric authentication, and knowledge-based authentication.
- Authentication and Lifecycle Management - This document outlines best practices for managing the authentication process throughout a user's lifecycle. It includes guidance on risk-based authentication, password policies, and continuous authentication.
- Federation and Assertions - This document provides guidance on how to implement federated identity systems that allow users to use their identities across multiple systems. It includes guidance on identity providers, attribute providers, and relying parties.
While the guidelines are intended for use by federal agencies and organizations that provide services to the federal government, they are also widely used by private sector organizations as a best practices guide.