Maryland takes digital driver's licenses for a spin

Officials at the Maryland Department of Transportation learned two things since opting into a pilot test of digital driver’s licenses: The licenses are more secure  than plastic cards, and people really like the idea.

“On your physical license, you’re giving pretty much all of your major data to the individual who receives that license when you hand it over at a bar, a liquor store -- anyplace you go,” said Chrissy Nizer, administrator of MDOT’s Motor Vehicle Administration. With a digital driver’s license, only age verification will display if that's what the license is being used for. "They’ll see that you’re over 18 for tobacco purchases, that you’re over 21 for alcohol purchases, but they don’t see your exact date of birth, they don’t see your driver’s license number," Nizer said. "They don’t see all that personal information -- your address -- that people are, frankly, probably a little reluctant to have a stranger see.”

MDOT opened the test of Gemalto’s digital driver’s license to employees and their families, and more than 400 people enrolled, enabling the state and the company -- which is working under a $2 million, two-year grant from the National Institute of Standards and Technology on the licenses -- to study how the application would work on multiple smartphone makes, models and operating systems. Eight-six percent of the participants told the department they were very interested in moving forward with a digital driver’s license, and at public events that showcased the technology, people inquired about getting one right away, Nizer said.

“The interesting thing for us is the amount of interest from the general public,” she said. “We were really impressed by how much the general public is really hungry for this new technology.”

The test licenses used enrollees’ actual information on their actual smartphones, said Tiffany Conway, Gemalto’s field marketing manager for government programs in North America. There was a pre-enrollment process in which the voluntary testers provided their phone numbers and email addresses and registered from their smart phone. They received an authorization code enabling them to download the app from the Google Play Store or Apple App Store, and they set up a login code that they had to enter every time they opened the app.

An interesting security feature is that the traditional keypad where users enter in numbers rearranges the numbers every time a user logs in, Nizer said. "If somebody happened to be watching you logging into your phone, they wouldn’t know what number you’re entering in because there’s a randomization of the keypad.”

A dynamic QR code is generated on the device that displays to an establishment's QR reader only the information, such as age, needed to complete a particular transaction.

In addition to security, the digital licenses let the state keep its information updated. For instance, if someone’s driving privileges get revoked, that change gets pushed out over the air and pops up when the license is scanned.

“You can’t get more accurate than a digital driver’s license that’s reflective of what’s on the Motor Vehicle Administration’s system,” Nizer said. “That definitely is an enhancement from the state perspective -- the accuracy of that data and making sure if somebody is not entitled to have a valid status at that point that, that is reflected.”

Digital licenses are nearly impossible to replicate, or fake, Conway added. Each of the digital driver’s licenses issued by the state DMV has a PKI certificate, and "if that PKI is ever tampered with or not recognized or not there because a hacker has tried to do something funny …  it would recognize it as invalid immediately,” Conway said.

The information also is safe if people lose their phone, she added. DMVs would be able to remotely wipe the credential and reissue a replacement to a new device almost instantaneously.

The process for getting the digital license is similar to the one for getting a physical license, but DMV employees must take one extra step: pairing the phone with the information.

“In the long run, it really helps them with managing these credentials in the field,” Conway said. “When you think about issuing a piece of plastic, once it’s issued, it’s fixed. It’s static. There’s no updating that, and you’re pretty much relying on the good memory of your residents to come back in if they need to make an update either to their address or if the license is expiring or if something has changed with their restrictions. That doesn’t always happen.”

NIST awarded a grant to Gemalto in October 2016 to explore an interoperable federated identity credential,  and the company brought on four jurisdictions to test the technology: Colorado, Idaho, Maryland and Washington, D.C. Wyoming recently joined the group, too.

Other states are trying out digital licenses. Iowa started testing a mobile ID in 2015, Louisiana passed legislation last year that could lead to a digital ID and Virginia’s General Assembly passed a bill this year enabling the DMV to “digitally verify the authenticity and validity of driver’s licenses.”