CM Magazine

Digital IDs are Coming

by Dave Tushie, Magellan Consulting, Inc., ICMA Standards and Technical Representative

With the recent implementation of social distancing around the world, resulting from the coronavirus pandemic, our digital dependency has become even greater. Individuals are subscribing and logging in to a range of digital services, including payment applications. What is critical in each of these interactions is the role that identity plays in enabling trust and the need to prove who we are, safely and conveniently, wherever we are.

As we accelerate toward more digital interactions and the verification associated with those kinds of transactions, coordinating physical and virtual world credentials becomes increasingly important. Not only does the credential have to verify that you are who you say you are, but the credential itself must be a validly issued document from an authenticated authority. This applies in both spheres, physical and virtual.

In North America, the states, U.S. territories and Canadian provinces are the issuing authorities for driver licenses that are the de facto government-issued IDs for most citizens. In much of the rest of the world, national ID cards are issued by sovereign nations to their citizens, separate from driver licenses.

As reported in prior articles, the ISO Standard effort to bring a useful, universal, mobile (digital) solution to the marketplace is being managed by the ISO/IEC JTC1/SC17/WG10 Motor Vehicle Driver License and related documents group. The standard being developed is ISO/IEC 18013, ISO compliant driving license. Part 5 of this standard defines the mobile driver license (or mDL). Considerable work has ensued over the last year to bring this technology to a published standard. There are high expectations that publication of the issued standard could be completed later this year. A related, additional Part 6 has recently been initiated, which will deal with the test method requirements of this digital credential.

A number of jurisdictions are currently in a holding period waiting for the ISO Standards to publish before moving further ahead. The American Association of Motor Vehicle Administrators (AAMVA), which has all of the North American jurisdictions as its members, continues to have more and more states move ahead with proof of concept/pilot programs. A major hurdle is the ISO Standards work, since the states and provinces want to be in compliance and aligned with those documents. European countries are also driving this initiative and likewise continue to focus on assisting members with pilots, noting that challenges being experienced in the United States are also being experienced in other regions of the world.

The mDL is seen as the first implementation of an electronic ID (eID). Like financial cards currently, this is seen as requiring a companion card being issued with an mDL application. AAMVA has issued a guidance document to jurisdictions interested in mobile driver licenses. The document is available on their public web site.

Another standards initiative is proposing to leverage the commands, protocols and communications of existing ISO/IEC 7816 smart card technology and apply it more broadly to eID applications. This work is being conducted by ISO/IEC JTC1/SC17/WG4 Generic Interfaces and Protocols for Security Devices.

Smart card technologies and solutions are widely deployed around the world, but systems for identity tokens and credentials are quickly changing. In this context, the APDU protocol outlined in the ISO/IEC 7816 series is becoming, in some cases, a hindrance to their integration in environments like mobile phones, handheld devices, connected devices (e.g. M2M, IoT) or other applications using secure elements.

Many of the participants in digital IDs are not familiar with the APDU protocol used by smart cards. They often circumvent its constraints by requesting an abstraction layer above the eSIM security specifics. Although the security mechanisms of security devices are well defined in ISO/IEC 7816, their implementation and application differ from vendor to vendor, and the complexity frustrates most of these application developers.

A common methodology in software development to simplify the usage of complex systems is the definition and application of Application Programming Interface (API) functions to access the eSIM within the devices. Specific knowledge of APDU protocols and details of the eSIM implementation are no longer necessary.
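To make the contrast concrete, the following added example (not from the article or from the WG4 draft) shows the ISO/IEC 7816-4 command APDU framing that an application developer would otherwise handle by hand, wrapped behind a single API-style call. The names `encode_apdu`, `select_application` and `fake_card`, and the AID value, are constructed for illustration.

```python
# Added illustration: ISO/IEC 7816-4 APDU framing hidden behind one API call.
# The AID and the fake card below are constructed sample values.
SW_MEANING = {0x9000: "ok", 0x6A82: "application not found"}

class CardError(Exception):
    pass

def encode_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a command APDU (cases 1-4), short or extended length.
    le is the expected response length Ne; None means no response data."""
    header, nc = bytes([cla, ins, p1, p2]), len(data)
    if nc > 65535 or (le is not None and not 1 <= le <= 65536):
        raise ValueError("length out of range")
    if nc <= 255 and (le is None or le <= 256):        # short form
        lc = bytes([nc]) + data if nc else b""
        return header + lc + (b"" if le is None else bytes([le % 256]))
    lc = b"\x00" + nc.to_bytes(2, "big") + data if nc else b""
    if le is None:
        return header + lc
    le_field = (le % 65536).to_bytes(2, "big")         # 0000 means 65536
    # Without a data field, a leading 00 marks the extended Le (case 2E).
    return header + lc + (le_field if nc else b"\x00" + le_field)

def parse_response(raw):
    """Split a response APDU into (data, status word SW1 SW2)."""
    if len(raw) < 2:
        raise CardError("response shorter than SW1 SW2")
    return raw[:-2], int.from_bytes(raw[-2:], "big")

def select_application(transmit, aid):
    """API-level call: the caller supplies an AID and never sees APDU bytes."""
    if not 5 <= len(aid) <= 16:
        raise ValueError("AID must be 5 to 16 bytes")
    apdu = encode_apdu(0x00, 0xA4, 0x04, 0x00, aid, le=256)  # SELECT by DF name
    data, sw = parse_response(transmit(apdu))
    if sw != 0x9000:
        reason = SW_MEANING.get(sw, "unknown")
        raise CardError(f"SELECT failed: SW={sw:04X} ({reason})")
    return data

DEMO_AID = bytes.fromhex("F000000001")  # constructed, proprietary-range AID

def fake_card(apdu):
    """Constructed stand-in for a secure element that knows only DEMO_AID."""
    if apdu == bytes.fromhex("00A4040005F00000000100"):
        return bytes.fromhex("6F078405") + DEMO_AID + b"\x90\x00"
    return b"\x6A\x82"
```

The `transmit` argument stands for whatever channel reaches the secure element (contact, NFC or an on-device interface); swapping it does not change the calling code.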

Importantly, this standard also aims to overcome or mitigate those issues by proposing a new approach that would preserve smart card functionality, as represented by the ISO/IEC 7816 Standard series and allow for seamless smart card portability onto new systems. This is critical in promoting implementations for digital eIDs that have both physical card and mobile platform components.

It is difficult to project how quickly we will see these kinds of digital IDs in widespread use. However, it is clear that much work is being put into development and standardization of these credentials. With the pandemic pushing our virtual and physical worlds closer together in our everyday activities, an ID credential that allows us to move seamlessly and securely between the two is highly desirable.

About the Author: David Tushie, ICMA standards and technical representative, has had a long and continuing career in the card industry, working for international companies such as DataCard, UbiQ and NBS Technologies. He has master’s degrees in engineering and business, holds U.S. and international patents in measurement and card issuance systems and has had several years of involvement with the ANSI, INCITS and ISO Standards process. ICMA is represented at six ISO and ANSI standards meetings through Tushie’s standards role within the association.