Mobile Multi-Factor Authentication for Digital Driver Licenses
Several Issuing Associations (a.k.a. DMV Agencies) have inquired about the applicability of biometrics, such as facial recognition, to a mobile driver’s license (mDL) solution based on IBM Mobile Identity. These inquiries can be associated with two mDL scenarios:
- Validating a selfie against the photo in a DMV system of record to authenticate an individual during acquisition of a mDL.
- Contributing a selfie for an updated portrait to an individual’s DMV system of record.
Since IBM Mobile Identity is based on a flexible and extensible cryptographic architecture, integration with authentication technologies such as facial recognition services is simple and versatile.
Multi-Factor Authentication Solutions
As described in this CNET News Video, some government agencies are embracing the use of biometrics for the acquisition process of an mDL. To address this demand, a growing number of vendors are offering Multi-Factor Authentication Solutions. These offerings can be deployed on-premise or accessed as a cloud service. Typically, such solutions provide:
- Examination of face, voice and touch screen gestures to gain a high level of confidence concerning identity
- Improved accuracy and confidence with biometric fusion scoring
- Improved usability and flexibility, especially in cases of situational impairment (e.g., noisy place, while driving, wearing gloves, unfavorable lighting)
- Video based authentication that combines voice and face modalities; liveness testing to prevent replay attacks
- Presence detection to check whether the authenticated user is in possession of his/her device
- Network / server side authentication for enterprise resource protection
- Client side authentication / authorization using available mobile device based biometric (e.g., Touch ID) and non-biometric techniques
For example, IBM is developing such services based on this research paper as described by this video from a Department of Homeland Security – Cyber Security Division workshop on Usable Multi-Factor Authentication and Risk-Based Authorization.
mDL Acquisition Workflow
With IBM Mobile Identity an Issuing Association will create and host one or more Identity Document Services that handle the generation of a mobile driver’s license containing a portrait that has been scored and verified by facial recognition software. These services are part of the backend processes of an Issuing Association and are used for procuring or updating digital identity documents. An mDL is an instance of a specific type of digital identity document. The mDL is a collection of identity traits defined by an Issuing Association that can be used by a Verifier to determine whether the holder of the document is authorized to receive services provided by the Issuing Association. These identity traits, when taken together, uniquely identify the user. By way of example, an assortment of personal traits such as height, weight, eye color and license number are defined by a state’s Department of Motor Vehicles and exist on a driver’s license to uniquely identify a driver to a highway patrolman. A digital identity document is procured from an Issuing Association by an identity owner. This document, once acquired, can be stored on the identity owner’s device.
Initially an individual will use his/her mobile application to access the Issuing Association’s Identity Document Service to procure an mDL. This service will authenticate the individual and collect any content needed for generating an mDL.
Conversely, a similar form could be used to allow the individual to update identity traits, like the portrait, within the DMV system of record.
The Identity Document Service will then gather the individual’s personal information from the DMV system of record along with the content supplied in the form. Depending on the multi-factor authentication requirements of the Issuing Association, the individual may be required to provide a selfie as a means of verifying the individual’s identity using facial recognition services.
The Identity Document Service can call a local or cloud based facial recognition service to compare the portrait image designated by the individual for use in the mDL against the photo in the DMV’s system of record.
Using a Document Generator, which is supplied by IBM, the Identity Document Service will create a cryptographically secure mDL using the gathered data for the individual. The mDL, which contains many tokenized identity traits such as the portrait image, will be sent to a Central Server for device management.
The Central Server will immediately notify each registered device for the individual that an mDL update is available. The individual will then use his/her mobile application to securely obtain the updated mDL from the Central Server after successfully authenticating the device with the Central Server. The Central Server then encrypts the mDL in such a way that it is uniquely keyed to the device for that user’s account.
Important Design Fact: IBM Mobile Identity offers a secure ecosystem of identity relationships comprised of stakeholders that can issue, manage, present or verify personal identity information. An mDL destined for a device in the ecosystem can only be downloaded to that requesting device using these multi-factor security requirements:
- Device Certificate, which contains a unique Device ID, or [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), generated upon installation of the mobile application and securely stored in the device’s keychain
- Device Certificate Public Key
- Account Number
- Account Username
- Account Password
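The delivery step described above (the Central Server checks the device certificate, account number, username and password, then encrypts the mDL so that only the requesting device can open it) can be modelled end to end. The following Go program is an added example and is not IBM Mobile Identity code; the `DeviceCert`, `CentralServer`, `sealForDevice` and `OpenOnDevice` names, the ECDH-plus-AES-GCM construction, the SHA-256 key derivation (a stand-in for a proper HKDF) and all account and document values are assumptions made for the illustration. The device's private key never leaves the device, which is what makes the sealed mDL "uniquely keyed" to it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// DeviceCert stands in for the device certificate: the UUID minted at app
// installation plus the device public key whose private half lives in the keychain.
type DeviceCert struct {
	UUID      string
	PublicKey *ecdh.PublicKey
}

// Account is the server-side account record; the password is stored salted and hashed.
type Account struct {
	Number, Username string
	Salt, PassHash   []byte
}

// MDL is a simplified identity document (the real one is an X.509 certificate).
type MDL struct {
	LicenseNumber string `json:"license_number"`
	Name          string `json:"name"`
	PortraitToken string `json:"portrait_token"`
}

// Sealed is an mDL encrypted for exactly one device.
type Sealed struct{ EphemeralPub, Nonce, Ciphertext []byte }

// DownloadRequest carries the five factors the page lists.
type DownloadRequest struct {
	Cert                              DeviceCert
	AccountNumber, Username, Password string
}

type CentralServer struct {
	accounts map[string]Account // account number -> account
	devices  map[string]string  // registered device UUID -> account number
	pending  map[string]MDL     // account number -> mDL awaiting delivery
}

func NewCentralServer() *CentralServer {
	return &CentralServer{map[string]Account{}, map[string]string{}, map[string]MDL{}}
}

func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

func (s *CentralServer) Register(number, username, password string, cert DeviceCert) {
	salt := make([]byte, 16)
	rand.Read(salt)
	s.accounts[number] = Account{number, username, salt, hashPassword(salt, password)}
	s.devices[cert.UUID] = number
}

func (s *CentralServer) Enqueue(number string, doc MDL) { s.pending[number] = doc }

// authorize checks every factor; any mismatch yields the same error so the
// response does not reveal which factor failed.
func (s *CentralServer) authorize(req DownloadRequest) (Account, error) {
	reject := errors.New("download denied")
	number, ok := s.devices[req.Cert.UUID]
	if !ok || number != req.AccountNumber {
		return Account{}, reject
	}
	acct, ok := s.accounts[number]
	if !ok || acct.Username != req.Username {
		return Account{}, reject
	}
	if subtle.ConstantTimeCompare(acct.PassHash, hashPassword(acct.Salt, req.Password)) != 1 {
		return Account{}, reject
	}
	return acct, nil
}

// Download releases the pending mDL only after all factors pass, sealed to the device key.
func (s *CentralServer) Download(req DownloadRequest) (Sealed, error) {
	acct, err := s.authorize(req)
	if err != nil {
		return Sealed{}, err
	}
	doc, ok := s.pending[acct.Number]
	if !ok {
		return Sealed{}, errors.New("no mDL update pending")
	}
	return sealForDevice(doc, req.Cert.PublicKey)
}

// deriveKey is a simplified KDF (label || shared secret || both public keys); use HKDF in production.
func deriveKey(shared, ephPub, devPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("mdl-device-binding-v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(devPub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealForDevice: ephemeral ECDH against the device public key, then AES-GCM with
// the device public key bound in as associated data.
func sealForDevice(doc MDL, devPub *ecdh.PublicKey) (Sealed, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return Sealed{}, err
	}
	shared, err := eph.ECDH(devPub)
	if err != nil {
		return Sealed{}, err
	}
	gcm, err := newGCM(deriveKey(shared, eph.PublicKey().Bytes(), devPub.Bytes()))
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	plain, _ := json.Marshal(doc)
	return Sealed{eph.PublicKey().Bytes(), nonce, gcm.Seal(nil, nonce, plain, devPub.Bytes())}, nil
}

// OpenOnDevice succeeds only with the private key matching the certificate the
// download was sealed for; any other device gets an authentication failure.
func OpenOnDevice(sealed Sealed, priv *ecdh.PrivateKey) (MDL, error) {
	var doc MDL
	ephPub, err := ecdh.P256().NewPublicKey(sealed.EphemeralPub)
	if err != nil {
		return doc, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return doc, err
	}
	devPub := priv.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, sealed.EphemeralPub, devPub))
	if err != nil {
		return doc, err
	}
	plain, err := gcm.Open(nil, sealed.Nonce, sealed.Ciphertext, devPub)
	if err != nil {
		return doc, fmt.Errorf("mDL not keyed to this device: %w", err)
	}
	err = json.Unmarshal(plain, &doc)
	return doc, err
}

func main() {
	devPriv, _ := ecdh.P256().GenerateKey(rand.Reader) // keychain-held key (constructed)
	cert := DeviceCert{"constructed-device-uuid-1", devPriv.PublicKey()}
	srv := NewCentralServer()
	srv.Register("ACCT-1001", "jdoe", "correct horse battery", cert)
	srv.Enqueue("ACCT-1001", MDL{"D1234567", "Jane Doe", "tok_portrait_01"})
	sealed, err := srv.Download(DownloadRequest{cert, "ACCT-1001", "jdoe", "correct horse battery"})
	if err != nil {
		panic(err)
	}
	fmt.Println(OpenOnDevice(sealed, devPriv))
	other, _ := ecdh.P256().GenerateKey(rand.Reader)
	_, err = OpenOnDevice(sealed, other)
	fmt.Println("second device:", err)
}
```

Running it shows the registered device recovering the document while a second device, which never had its certificate registered and holds a different private key, fails with an AES-GCM authentication error. Note that the server keeps no long-term secret for the device; a leaked server database exposes password hashes and account numbers but cannot decrypt a previously issued sealed mDL.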
Facial Recognition Integration
In IBM Mobile Identity digital identification documents are represented as standard ITU-T X.509 v3 certificates using the OID 22.214.171.124.2.18.6 extension. IBM Mobile Identity is an AAMVA compliant solution that goes beyond just putting an image of your driver’s license on your smartphone; it allows institutions to easily issue digital identity documents and creates an easy-to-use system for securely storing and managing those documents on any mobile device. Since IBM Mobile Identity is based on a flexible and extensible cryptographic architecture, integration with authentication technologies such as facial recognition services can easily be achieved to address the requirements outlined in the AAMVA Specification. In fact, integration with such facial recognition services is isolated within the backend processes of the Issuing Association.
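To make the "identity document as an X.509 v3 certificate" representation concrete, the following Go program issues a minimal mDL certificate whose identity traits travel in a custom extension, and verifies it the way a Verifier would. It is an added example, not IBM Mobile Identity code or the AAMVA format: the `mdlExtensionOID` is a placeholder in the private-enterprise arc rather than the OID the page names, the `IdentityTraits` ASN.1 structure, the `IssueMDL` and `VerifyMDL` names, and all sample values are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical placeholder OID for the mDL extension (not the page's value).
var mdlExtensionOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// IdentityTraits is the constructed DER payload of the extension. The portrait
// is referenced by token so the image itself is not embedded in the certificate.
type IdentityTraits struct {
	LicenseNumber string
	Height        string
	EyeColor      string
	PortraitToken string
}

// NewIssuer creates the Issuing Association's self-signed signing certificate.
func NewIssuer() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example DMV Identity Document Service"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueMDL places the DER-encoded traits in a critical extension of a certificate
// signed by the issuer; the holder's key becomes the certificate's subject key.
func IssueMDL(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, holderPub *ecdsa.PublicKey,
	traits IdentityTraits, serial int64) ([]byte, error) {
	payload, err := asn1.Marshal(traits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(serial),
		Subject:         pkix.Name{CommonName: "mDL holder"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: mdlExtensionOID, Critical: true, Value: payload}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, issuer, holderPub, issuerKey)
}

// VerifyMDL is the Verifier's side: check the issuer signature and the validity
// window, then decode the traits. Tampered, expired or foreign-issued documents fail.
func VerifyMDL(der []byte, issuer *x509.Certificate, now time.Time) (IdentityTraits, error) {
	var traits IdentityTraits
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return traits, err
	}
	if err := cert.CheckSignatureFrom(issuer); err != nil {
		return traits, fmt.Errorf("issuer signature: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return traits, errors.New("mDL outside validity period")
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(mdlExtensionOID) {
			_, err := asn1.Unmarshal(ext.Value, &traits)
			return traits, err
		}
	}
	return traits, errors.New("no mDL extension present")
}

func main() {
	issuer, issuerKey, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	holder, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // holder key (constructed)
	der, err := IssueMDL(issuer, issuerKey, &holder.PublicKey,
		IdentityTraits{"D1234567", "178 cm", "Brown", "tok_portrait_01"}, 42)
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyMDL(der, issuer, time.Now()))
}
```

Because the traits sit inside the signed portion of the certificate, a Verifier only needs the Issuing Association's certificate to detect any alteration of height, eye colour or license number; the custom extension is marked critical so a generic X.509 consumer that does not understand it will refuse to accept the certificate for other purposes.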