Frequently Asked Questions

The ISO/IEC 18013-5 standard defines an mDL as a driving licence that resides on a mobile device or requires a mobile device as part of the processes' licence. This Global standard is being developed by the members of the International Organization for Standardization (ISO/IEC JTC1/SC17/WG10), ultimately serving billions of mDL holders and the mDL-relying party community. ISO/IEC 18013 consists of the following parts, under the general title Personal identification -ISO-compliant driving licence: Part 1: Physical characteristics and basic data set. Part 1 describes the basic terms for this document, including physical characteristics, basic data element set, visual layout, and physical security features; Part 2: Machine-readable technologies. Part 2 describes the technologies that may be used for this document, including the logical data structure and data mapping for each technology; Part 3: Access control, authentication and integrity validation. Part 3 describes the electronic security features that may be incorporated under this document, including mechanisms for controlling access to data, verifying the origin of an IDL, and confirming data integrity; Part 4: Test methods. Part 4 describes the test methods that can be used to determine if an IDL conforms to the requirements for machine-readable technologies specified in Part 2 and to the electronic security features specified in Part 3; Part 5: Mobile Driving Licence (mDL) application. Part 5 describes interface specifications for the implementation of a driving licence in association with a mobile device.

Yes, the Scytáles mobile driving licence (mDL) and mobile ID (mID) applications for iOS and Android have successfully passed a conformity assessment against ISO 18013-5 carried out by the Identity Management & Security division of UL, the global safety science leader. The conformity assessment is used to evaluate compliance with voluntary consensus standards or technical regulations. With conformity in an open mDL/mID ecosystem, we have the same level of trust as a traditional biometric passport. In addition, with the mobile ID solution, those that rely on conventional DL/ID cards can reach a higher quality of services.

Scytáles is a strong driving force in the ISO working group for the mDL, and we are fully compliant with this standard as of today. We are representing Sweden (SIS) as an expert through the Standardization Body and Task Force 14 on mDL within ISO/IEC JTC1/SC17/WG10.

ISO 18013–5 standard is in the Draft International Standard phase with a plan to publish in 2021. The current document is available from the ISO Repository. Revisions and the latest versions are available within ISO Committees, regional standards organizations, liaisons to the ISO mDL team (JTC1/SC27/WG10), and from partner trade alliances such as Secure Technology Alliance.

Even if the Scytáles ISO mDL/mID is available in your App Store and due to the sensitivity of this issue, the Issuing Authority needs to confirm and perform the enrolment process. This validation is going to be similar to opening a bank account nowadays, for example. You can choose an in-person or self-guided process to enrol your ID card on your mobile device. The first implies that you physically go to an official front desk, where an agent guides you through all the necessary steps. In the self-guided process, you can enrol your ID remotely. However, the verification still has to be performed by an official agent (through a video call, photo validation and other methods).

It's true that an mDL/mID provisions a copy in the mobile phone of the same data as the physical DL/ID, signed by the respective issuer authority. However, an mDL/mID can not be fully trusted only by showing it to a validator on the Holder's phone since, for instance, it is so easy to take a screenshot of the displayed ID and alter it. This is why adopting an ISO 18013-5 compliant solution is so important: it ensures the interchange of trustworthy identity data between an mDL and a Reader device. The data can be transmitted between the two devices and then cryptographically verified to be authentic and untampered.

Once the ISO 18013-5 is published, your mDL/mID will not only be officially accepted, but you can also use it everywhere and across borders. By using an ISO-compliant solution, like the Scytáles ISO mDL/mID, you and any Validator can be assured that the mobile document presented is official, interoperable and secure. Since presently there is only one ISO standardized mDL/mID in production, the one that UTAH DLD has tapped Scytáles and technology partner GET Group NA to provide the Utahns in a pilot program 2021, you should be extra careful with the solution you choose. Scytáles is a strong driving force in the ISO working group for the mDL, and we are fully compliant with this standard as of today. We are representing Sweden (SIS) as an expert through the Standardization Body and Task Force 14 on mDL within ISO/IEC JTC1/SC17/WG10.

You can use your mDL/mID whenever and however you want, as long as it is ISO 18013-5 compliant. The ISO defines both ways to identify yourself, attended or unattended. This means that you can be safely and comfortably at home and use your mDL/mID to, for instance, open a bank account.

Besides offering the convenient availability of your identity without requiring access to a physical credential, an ISO-compliant mobile Identity / Driving Licence allows you to share only the necessary attributes for the transaction rather than all ID/DL attributes. For example, a bar employee verifying your age does not need to know your name or address. With the Scytáles mID/mDL you can share only your age and photo. Scytáles ISO-compliant solutions supplement controlled access to your identity information and protection against unauthorized use, supported by the smart device platform's capabilities, like using a PIN code and/or biometrics.

For security reasons, ISO 18013-5 states that the end-user data is not transferrable to a new device. The enrolment process uses device-specific keys to authenticate the ID data and to protect the information transmitted. When you switch to a new phone, you must re-enrol your ID through a self-guided or in-person process. This is a quick process and happens fairly seldom.

With all the different use case scenarios, an mDL and an mDL validator will run on different operating systems and be designed and developed by different vendors. This is why interoperability, enforced by ISO 18013-5, is one of the key factors in opting for and achieving a functioning mDL ecosystem so that, for example, a Malaysian citizen with a driving privilege can be validated online by a rental officer in the same way upon renting a car in Sweden, Finland or any other place in the world. Scytáles ISO mDL/mID and validation products ensure full interoperability and are passing the various ISO 18013-5 tests.

Not only is it possible, but Scytáles is also a true pioneer in the implementation of this solution within ISO 18013-5. Our ISO Mobile Driving License (mDL) and Mobile ID (mID) fully comply with the standard and supports online, offline, NFC, QR, Bluetooth, Wifi Aware and Barcode readers on both iPhone and Android. As forerunners, we also support all the above combinations, i.e. iPhone to Android and vice versa and on all different interfaces.

Our ISO Mobile Driving Licence (mDL) and Mobile ID (mID) are fully compliant with the standard and support both online and offline scenarios, and NFC, QR, Bluetooth, Wifi Aware and Barcode readers on both iPhone and Android. Scytáles is a frontrunner in the ISO international standardization work under development— ISO/IEC 18013-5, “Personal Identification – ISO-Compliant Driving Licence – Part 5: Mobile Driving Licence Application”.

All communications to central systems are performed securely over TLS. User data stored in the mobile device is encrypted, protected by a PIN code or biometric unlock, and stored in secure encrypted database mechanisms using device keys. Local communications during verification are also strongly encrypted, based on the key agreement mechanisms of ISO 18013-5 that use session-generated keys. The mDL solution uses strong digital signatures based on the Trust List models of ISO 18013-5 to further protect the data integrity. Validators also select trustworthy public key certificates to validate the integrity and genuine origin of mDL data, which deters and prevents tampering with mDL data.

To be able to access the Scytáles mDL/mID app, the user can either enter a PIN code or use biometric features to unlock, like fingerprints or facial recognition. A secure login helps protect data and the mDL itself from unauthorized usage. Even with a borrowed PIN, the ISO 18013-5 determines identity verification by the Validator at the time of usage through validation of the portrait image and comparison to the Holder. Additionally, when a user first downloads the Scytáles mDL/mID app, they are asked to provide additional personally identifiable information and biometric matching to confirm their identity before populating the app with the user data. Operator-supervised provisioning is also supported for in-office registration. By ensuring the mDL is provisioned to the correct person and that only that same person can unlock the mDL for further usage, privacy and security can be preserved.

Mobile phones today are incredible technology, and users are getting keener on security features such as using fingerprint to authenticate or even facial recognition. Scytáles ISO-compliant mDL/mID products take advantage of these state-of-the-art technologies. Our products allow validators to additionally cross-check a person's identity by using facial recognition mechanisms, thus ensuring the identification displayed is actually from the person presenting it.

With the Scytáles ISO mDL/mID you can connect to other trusted data sources and provide additional attributes or licences. One of the main advantages of being digital is that you can have different IDs on your mobile wallet and keep control of the information you want to share at all times. If you want to start with one ID and afterwards scale up adding other IDs/Licences to your Mobile Identity Ecosystem, you must choose an ISO 18013-5 compliant solution. This is the case of Covid-19 testing and vaccination data, which is already mapped out in the “ISO/IEC 18013-5 mdoc for eHealth” document, which defines an international standard protocol for vaccination certificates or “Green Pass”. This ISO is the standard that models how to build these solutions and ensures that different vendors can communicate seamlessly between them.

With an ISO-compliant solution, it is possible to share and validate the information of a Mobile Driving Licence (mDL) stored on a secure smart device, even when there is no connection. In this scenario, the Validator (e.g. a police officer) requests the mDL Holder to transmit identity attributes over communication channels supported by both devices. Data is transmitted from the Holder’s device over a secure encrypted channel to the Validator’s reader, along with a cryptographic signature from the Issuer proving that the data have not been altered. The reader can also check that the mDL data was transmitted by the device to which it was originally issued. This technology is already developed into all Scytáles ISO-compliant products.

ISO 18013-5 determines two ways to validate the data - an online and an offline method - none of which requires users to hand over their devices. On the one hand, an online mode provides the quickest data retrieval and ensures the freshest data. This is recommended whenever an Internet connection is available. In this scheme, the Validator obtains a token through QR Code, NFC, BLE or via the Internet from the mDL/mDL Holder phone. The Validator device then uses that token to request and receive the ID data directly from the Issuing Authority, using Signer Certificates to secure and authenticate the connection. On the other hand, when there is no connectivity to the central system (no data or Internet connection), the Validator retrieves the ID info directly from the mDL/mID device via NFC, BLE or WifiAware. The offline scenario applies enforced mechanisms to protect the connection between the devices, and the Validator uses Signer Certificates to validate the integrity and authenticity of the data.

The ISO 18013-5 is device agnostic provided the Validator device has either an Internet connection (online retrieval) or available hardware to communicate with the mDL device (a camera for scanning QR codes, Bluetooth, NFC to tap, or WiFi Aware for offline transmission. Scytáles has an ISO-compliant Validator Toolkit for building validators on iOS, Windows, and Android platforms. Since some of these are in Java, additional platforms or custom-purpose devices are easily supported.

An mDL/mID Holder does not have to hand over their device at any point of the verification process and has complete control over the data shared with a Validator. ISO 18013-5 defines data privacy and security principles by design. By enabling tap, nearby and distance data communications, the Holder always handles their mobile device and controls which of their data is shared. The closest your phone gets to a Validator device is when it is tapped for an NFC connection, similar to payment implementations today.