Business Imperative
How important is it to keep your personal information out of the hands of others? To be more specific, what measures do you take to safeguard your driver’s license on a day-to-day basis? A driver’s license contains plenty of key information about you. Details such as eye color, height, or weight may seem innocuous, but malicious actors can use your birth date or home address for something far more dangerous.
With just a few pieces of information, someone could steal your identity, apply for credit cards or loans in your name, or even apply for state benefits. Consider the number of times you present your license for routine verification, such as checking into a hotel, renting a car, setting up an online bank account, or purchasing age-restricted products.
Online services that use a driver’s license as a form of identity verification typically ask that you take photographs of both the front and back of your license and upload them. While there are many responsible identity verification vendors who protect this data well, not every app or website may be handling that sensitive data securely, and that could be a ripe target for hackers.
Mobile Driver’s Licenses (mDL) offer a secure alternative for verifying your identity online, where application developers can request only the bare minimum of information they need and where end users can explicitly consent to what information is being shared. At Auth0, we are exploring how to make it easier for developers to add mDL verification in applications.
What is a Mobile Driver’s License (mDL)?
An mDL is a digital driver’s license that conforms to a series of specifications and standards laid out by the International Organization for Standardization (ISO). These documents dictate how issuers should implement a driver’s license in association with a mobile device, as well as how one device can verify the validity of an mDL on another device through various flows. To learn more about mobile driver’s licenses, check out mdl.me!
In an mDL ecosystem, there are three to four main parties. The first party is the holder/subject, which is the person to whom the license is issued. The second party is the issuer of the credential. The issuer is the Department of Motor Vehicles for most US jurisdictions, but could be another government entity. The last required party is the verifier, the organization or person ensuring the credential is authentic.
One example is the California DMV (i.e., the issuer). The California DMV allows license holders (i.e., the holder/subject) to request an mDL via their website and can electronically issue an mDL to a digital wallet on the holder’s mobile phone. People can then present the mDL as a form of identification to businesses that accept it as a valid proof of identity. The business would either need to implement a verification system or use a third party to verify the authenticity of the presented credential by checking the issuer’s signature on it with the issuer’s public key.
This is where the potential fourth party can come in. For the verifier to get the key, the issuer needs to publish it via public key infrastructure (PKI), such as an identifier registry. The issuer could do this on its own website, or it could entrust another entity, like the AAMVA Digital Trust Service, to do this on its behalf. The verifier can then retrieve the issuer’s key directly from the issuer or from that trust service. This is where Auth0 comes in.
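The trust relationship described above, as an added example (not Auth0's code and not part of the original post): the verifier resolves the issuer's public key from a trust registry it maintains and checks the credential's signature before trusting any claim. The registry, issuer IDs, keys and claims are constructed for illustration, and JSON with a bare ECDSA signature stands in for the CBOR/COSE structures and certificate chains that real mDLs use.

```javascript
const crypto = require('node:crypto');

// Constructed key pairs: one trusted issuer (a DMV) and one unknown party.
const dmv = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const rogue = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Hypothetical trust registry held by the verifier: issuer ID -> public key.
// It is filled from the issuer or a trust service, never from the credential.
const trustRegistry = new Map([['US-CA', dmv.publicKey]]);

// Issuer side: sign the serialized claims with the issuer's private key.
function issueCredential(issuerId, privateKey, claims) {
  const payload = Buffer.from(JSON.stringify(claims), 'utf8');
  return { issuerId, payload, signature: crypto.sign('sha256', payload, privateKey) };
}

// Verifier side: resolve the key by issuer ID, then check the signature
// over the exact bytes that were signed before trusting any claim.
function verifyCredential(credential, registry) {
  const publicKey = registry.get(credential.issuerId);
  if (!publicKey) return { ok: false, reason: 'untrusted_issuer' };
  const valid = crypto.verify('sha256', credential.payload, publicKey, credential.signature);
  if (!valid) return { ok: false, reason: 'bad_signature' };
  return { ok: true, claims: JSON.parse(credential.payload.toString('utf8')) };
}

// Constructed cases: genuine, altered after issuance, forged under a trusted
// issuer ID, and signed by an issuer the verifier does not know.
function runCases() {
  const claims = { family_name: 'Doe', age_over_21: false };
  const genuine = issueCredential('US-CA', dmv.privateKey, claims);
  const altered = { ...genuine,
    payload: Buffer.from(JSON.stringify({ ...claims, age_over_21: true }), 'utf8') };
  const forged = issueCredential('US-CA', rogue.privateKey, claims);
  const unknown = issueCredential('XX-ROGUE', rogue.privateKey, claims);
  return [genuine, altered, forged, unknown].map(
    (c) => verifyCredential(c, trustRegistry));
}

console.log(runCases().map((r) => (r.ok ? 'accepted' : r.reason)));
```

Only the genuine credential is accepted; the key is always chosen by the verifier's own registry lookup, so a credential cannot vouch for itself by carrying its own key.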
By leveraging mDLs, your business can offer a more secure, convenient, and privacy-focused way to verify customer information compared to traditional physical licenses, enable faster transactions, and reduce the risk of fraud. And your end-users will love the ease and convenience this integration provides. Utilizing their mDLs offers touchless transactions, selective disclosure of personal information, data protection, and so much more.
Verifying mDLs with Auth0
The movement towards digital credentials is growing. As mentioned before, the ISO standard is the underpinning of a growing ecosystem of interoperable services for digital driver’s license usage, and it has been implemented by 16 US states with another 16 states in the process of doing so. New states and government entities are conducting research and pilot programs; legislative agendas are including bills to create and issue mDLs, and key partners (e.g. TSA, liquor stores, and credit unions) are accepting these credentials.
Auth0 is evolving our Labs implementation of Verifiable Credentials into the Mobile Driver’s License Verification Service that enables you to enrich user profiles with verified information during signup and login flows and perform ad-hoc verification checks. Auth0 functions as the verifier and validates the authenticity of a presented mDL and makes it easy for customers to get the requested information your application needs. mDL verification not only streamlines existing business processes but also allows users more control over their information.
This Early Access release facilitates a number of remote presentation use cases where mDL verification is required during an online transaction, including:
- Age Verification
- License and Driving Privileges Validation
- Prove your Identity: as mentioned above, many countries use driver’s licenses as proof of identity, and mDLs can be considered an equivalent to proving someone’s identity
- Improve business processes involving Know Your Customer (KYC) and Anti-Money Laundering (AML)
How Do I Use Auth0’s mDL Solution?
The Early Access release of Auth0’s mDL Verification API will enable you to perform an ad-hoc mobile driver’s license verification either within your existing application or within an existing authorization flow by utilizing the Verify Credentials Forms widget. This Early Access release only supports the ISO/IEC TS 18013-7:2024 standard and the REST API (also known as Web API) protocol.
The steps outlined in our documentation support this by allowing you to create a Verification Template, initiate a Verification Presentation Request, and check the request’s status for the desired claims.
The Verification Template defines the fields you will ask the wallet to provide, such as family name, date of birth, or address. The template supports a specific list of claims as defined by the ISO/IEC TS 18013-7:2024 standard, the AAMVA VICAL as the sole Certificate Authority (CA), and credentials in the form of an mDoc.
Your application creates the Verification Presentation Request by making a call to the Auth0 Verification API. This initiates a verification flow and returns a URL with the presentation request information for the user’s wallet to consume. Your application presents the URL, ideally in the form of a clickable link or a QR code, to the user to prompt them to share their credential with your application.
Once the user is prompted to present their credential, your application polls the presentation request’s status via our Verification API to determine if the user consented to share their credential. If the presentation is successful, the API will return the JSON from the presentation.
How Do I Get Access to This Early Access Feature?
If you’re interested in using the mDL Verification API Early Access feature, please fill out the EA Terms and Conditions form. We are limiting the number of customers for whom this will be enabled and will reach out to you with more details. In the meantime, we encourage you to read our documentation or try out our Hands-On Lab!