How JSON Web Tokens Power Mobile Driver's Licenses

blackgirlbytes

Rizèl Scarlett

Posted on March 21, 2024

How JSON Web Tokens Power Mobile Driver's Licenses

Table of Contents

  1. Introduction
  2. The History of Wallets
  3. You Probably Own a Digital Wallet
  4. Beyond Money
  5. The Pandemic's Impact
  6. Adding Verifiable Credentials to Digital Wallets
  7. More about VCs
  8. Potential Problems
  9. Closing Questions
  10. Resources

Introduction

"What's this?" asks your great-grandchild, pointing at the leather wallet you used in 2024. The idea of our physical wallets turning into relics for future generations—like floppy disks for Gen-Z or 8-tracks for earlier generations—seems far-fetched, but not impossible. This scenario comes solely from my imagination. I enjoy considering the possible effects of emerging technology.

However, I fully recognize that we cannot predict with any certainty the exact impact technology will have on society. I also want to make a disclaimer that I don't know that physical wallets will fully disappear.Currently, there is a need for both physical and digital wallets. In this blog post, I don't aim to make predictions. Instead, I aim to examine the history of wallets and how companies are using present technologies, particularly Verifiable Credentials, to reshape our digital wallet experience.

The history of wallets

On the surface, wallets seem boring. Nothing is particularly exciting about a rectangular piece of leather with pockets. However, we take wallets' reliability and history for granted. We've relied on wallets for as long as humans have traded currency for goods and services. Wallets evolve alongside our primary payment methods and currencies.

Initially, wallets were drawstring pouches used to hold coins and other valuables. In the 1690s, paper money emerged in Massachusetts, and the leather wallet was born. Beyond carrying paper money, people also used wallets to hold calling cards, similar to modern business cards, and even dried meats. As fashion trends changed, wallets became sleeker and more compact.

Today, as we progress through the digital age, we're witnessing the emerging popularity of digital wallets.

Medieval drawstring coin pouch with coins
Medeival coin pouch from PixelSquid_

You probably own a digital wallet

I'll admit something embarrassing. For a long time, I mistakenly associated digital wallets with cryptocurrency wallets, and I'm not a crypto bro, so I didn't consider myself an owner of a digital wallet. After joining TBD, I realized I own several digital wallets. Here's a list of a few commonly-used digital wallets in the United States of America:

  • Apple Pay
  • Google Wallet
  • The Bank of America Mobile app (or your bank's mobile app)
  • Zelle
  • CashApp
  • Venmo
  • PayPal

In fact, a Juniper Research study predicts that by 2026 over 5.3 billion people, more than half the world's population, will own and use digital wallets.

ux flow of cashapp

CashApp views from Lifewire

Beyond money

Functionally, many digital wallets can store more than money. For example, I use my digital wallets to store tickets to:

  • concerts
  • flights
  • conferences
  • basketball games

The pandemic's impact

Today, digital wallets are trending because they're convenient. Rather than juggling multiple physical items and risking their loss, you can carry one item, your smartphone, to manage transactions.

The global COVID-19 pandemic accelerated digital wallet usage. At the beginning of the pandemic, reports suggested that touching surfaces could lead to COVID-19 transmission. These reports heightened public concern about physical contact and hygiene. As a result, contactless payments through Near Field Communication (NFC), Quick Response (QR) codes, and Biometric Authentication gained popularity. This shift encouraged traditionally conservative entities like churches to accept tithes and offerings via digital wallets like CashApp.

Adding verifiable credentials to digital wallets

The current trend suggests an interest in incorporating identification documents into our digital wallets using technologies like Verifiable Credentials. This reflects a growing exploration within the tech community and is supported by ongoing projects and standards development, such as the World Wide Web Consortium (W3C) standard for Verifiable Credentials.

Verifiable Credentials (VCs) are digital proofs that validate specific facts about individuals, organizations, or entities. Another way to think of VCs is that they are digital versions of traditional documents. They often look like digital badges stored securely in your smartphone's wallet app. You can store things like your state ID or passport in your phone as Verifiable Credentials.

Is storing your ID in a digital wallet safe?

It might sound unsafe to store your personal information on a phone, but I will challenge that notion. If you lose a physical wallet containing your documents, anyone can pick up the wallet and misuse the documents. In contrast, if you use a digital wallet with adequate authentication methods, such as biometric authentication, where you have to scan your face to get into the wallet, it's harder for someone to steal your documents.

Additionally, if what you've stored in your digital wallet is a Verifiable Credential, then you're storing a cryptographically signed document, which adds extra layers of security.

"Cryptographically signed" means a digital item has been marked with a unique digital fingerprint. This is similar to when a king would seal a decree with a ring.

An algorithm generates the signature, ensuring it's unique to the document and the person who signed it. The digital fingerprint is composed of a private key and a public key. While your private key is kept a secret, your public key is shared with others to verify that the signature was made with your private key and the document hasn't been tampered with.

Together, these keys perform a dual function: they confirm the authenticity of the document and its signer AND maintain the document's integrity by detecting any alterations post-signature.

When you display your state ID stored as a Verifiable Credential in your digital wallet for identity verification, the entity checking it will programmatically inspect the cryptographic signature. This inspection ensures you signed the digital document; it's real and hasn't been tampered with.

scroll with king's seal
King's seal from Christianity.com

The Mobile Driver's License

Verifiable Credentials are more than just an idea. They're the technology behind some Mobile Driver's License. I say some because, at the moment, mobile driver's licenses (mDLs) are in an experimental phase in North America.

The process of choosing a technology for mDLs often involves collaboration between state governments and technology providers. State agencies decide on requirements needed for the mobile driver's licenses based on laws and regulations. In August 2021, a standards body approved the technical standard for mobile driver's license apps. The technical standard is called the ISO/IEC 18013-5 or the fifth part of the International Standard for mobile driver's licenses. Some of the requirements include:

  • Secure storage - The mDL app must use encryption to securely protect data.
  • Authentication and integrity - strong authentication and integrity protection mechanisms to ensure that the mDL presented is genuine and has not been tampered with.
  • Selective disclosure - mechanisms for the mDL holder to control which pieces of information are shared during a transaction.
  • Offline and online verification- The mDL must support offline and online verification processes.
  • Interoperability - To ensure that an mDL can be verified across different jurisdictions and by various parties (e.g., law enforcement, car rental agencies)
  • Revocation and updating - Mechanisms to revoke and update a mobile driver's license.

Based on these requirements, state agencies reach out to potential technology partners that can provide them with mobile driver's licenses. The state agencies don't necessarily care about the specific technology behind the scenes. They may agree to use a mobile driver's license that uses biometric technology or blockchain. They only care that it meets their state's standards. However, some states are exploring the use of Verifiable Credentials for mobile driver's licenses, evaluating how these technologies could meet their standards for security, privacy, and user control. These discussions and pilot programs reflect a broader interest in digital solutions but do not indicate a universal or immediate shift.

Check out how SpruceID is experimenting with the California DMV to issue VC-based mobile driver's license.

States that use Mobile Driver’s License

Louisiana led the charge with the nation’s first mobile driver’s license platform that allows users to carry a legal digital version of their driver’s license or state ID.

Louisiana Wallet mock up with three phones showing different cards
Louisiana Digital Wallet shown on three phones from LA Wallet

Other states, such as Georgia, Missouri, Arizona, Iowa, Florida, Delaware, and Maryland, also issue mobile driver's licenses. While some states have their own state-issued wallet application, similar to Louisiana, other states require people to store their mDLs in Apple Pay. In some areas, you can show your mobile driver's license to prove your age, get past TSA at the airport, get into voting booths, and show it to law enforcement.

You can check out this map for the most current status of mDLs in each state.

The European Union Digital Identity (EUDI) Wallet

Beyond mobile driver's licenses, The European Union is taking digital wallets a step further by providing all residents, citizens, and businesses with the option to obtain a Digital Identity Wallet. It's designed to support the use of any Verifiable Credential. The European government is conscientious about data privacy, so they want citizens to manage the disclosure of their data. In the EUDI wallet, users can store official identity documents like driver's licenses, medical prescriptions, educational qualifications, and more. They can use it to do things like rent a car, get a loan, or book a hotel.

From my perspective, the Selective Disclosure feature serves as one of the biggest advantages of using Verifiable Credentials in a privacy-centric region. Selective Disclosure empowers users to choose only to share necessary information about themselves in order to receive a service. For example, traditional ID checks, such as hotel check-ins, often require revealing excessive personal details, including one's home address. However, with the EUDI wallet, users only need to provide proof of identity, which could be as basic as their name and date of birth.

More about VCs

Use cases

Verifiable Credentials can be used to prove facts about yourself including:

  • Educational achievements
  • Employment history
  • Membership in clubs or organizations
  • Authenticity and accuracy of content
  • Online identity verification
  • Age verification
  • Trustworthiness as a seller or business partner
  • Financial standing, including creditworthiness or proof of income, useful for loan applications.

Benefits

In addition to enhanced security, privacy, convenience, and control over personal data, Verifiable Credentials provide a durable form of proof unaffected by the continuity of the issuing organization. For example, if you earned a degree from an institution that later closes, you still possess a digital verification of your academic achievement.

Key Roles in the Verifiable Credential Process

There are typically three to four key players through the Verifiable Credential exchange process:

  • Issuer: is a trusted organization, entity, or individual who created the verifiable credential and signed the credential stating the information is true.
  • Subject: This is the organization, entity, or individual who the Verifiable Credential is about. They will store the verifiable credential in their phone's wallet and present it to the verifier.
  • Verifier: This is the entity requesting proof. This entity evaluates the VC's validity and the issuer's credibility before granting access or services.
  • Holder: Sometimes, a designated entity holds and presents the VC on the subject's behalf. Although, many times, the subject and the holder are the same.

The flow

  • The issuer creates a VC with claims about the subject.
  • The issuer cryptographically signs the credential stating that the claims about the subject are true.
  • In the Web5 ecosystem, the cryptographic signature converts the VC into a JSON Web Token. (Note: While JWTs are a common format for VCs, VCs can be expressed in various formats such as JSON-LD, Concise Binary Object Representation, Biometric Templates).
  • The subject stores the VC (in JWT format) in their phone’s wallet.
  • The subject (or holder) presents their Verifiable Credential to a verifier.
  • The verifier runs a series of checks to determine if the VC is real and valid. They also determine if the issuer is real and trustworthy.

VC flow
Three party model diagram, from Affinidi Pet. Ltd

Creating a VC with Web5

You can use many different platforms to create Verifiable Credentials, but we’re going to use Web5 JS SDK.

Install the packages

npm install @web5/credentials @web5/dids
Enter fullscreen mode Exit fullscreen mode

Add the following to an index.js file to create and sign a VC

import { VerifiableCredential } from '@web5/credentials';
import { DidDht } from '@web5/dids';

// fakeDmv unique id issuer
const fakeDmv = await DidDht.create();
// subject unique id 
const you = await DidDht.create();

const vc = await VerifiableCredential.create({
    type: 'AgeVerificationCredential',
    issuer: fakeDmv.uri,
    subject: you.uri,
    expirationDate: '2025-12-31T23:59:59Z',
    data: {
        "legalAgeStatus": "OverLegalDrinkingAge",
        "country": "USA",
        "ageThreshold": 21
    }
});


const signedJwt = await vc.sign({ did: fakeDmv })

// This should log a JSON Web Token
console.log(signedJwt)
Enter fullscreen mode Exit fullscreen mode

If you're interested in building more with Verifiable Credentials, our developer documentation has comprehensive guides to get you started.

Potential Problems

Technological Disparities

During a discussion about Verifiable Credentials on a Twitter/X Space, a new acquaintance, Marc Boorshtein, posed a thought-provoking question: "How will Verifiable Credentials impact the digital divide?"

Age, location, and socioeconomic status contribute to our current digital divide. As Verifiable Credentials and Wallets continue to advance technology wise and increase in popularity, it’s important for technologists and policymakers to consider technological disparities, so we can create inclusive and accessible solutions. At TBD, we started addressing this issue by prioritizing the release of a Kotlin SDK over a Swift SDK. This choice enables developers to create technologies for Android devices, which are generally more affordable and accessible globally than their Apple counterparts, helping to democratize access to new technologies.

The Three Wallet Problem

Dan Robertson, a previous Product Lead in the payments industry and Identity enthusiast, wrote a newsletter series called The Three Wallet Problem. The series highlights an budding issue within the IDTech sector: the prospect of users needing to manage three or more wallets due to certain issuers or verifiers only recognizing Verifiable Credentials from specific wallets. There’s not really a standard wallet because multiple companies are competing to establish a wallet in the market. This is something our industry should stay cognizant of.

Closing questions

So, what do y'all think?

  • With the ongoing digitization of payments and identity verification, how do you see current technologies evolving to enhance the way we use digital wallets today?
  • Are digital wallets just a fad that we try out and then it goes away?
  • How can we address issues such as accessibility and interoperability when it comes to digital wallets?

Resources

  • Check out TBD's progress as we continue to build the Web5 ecosystem.
  • Join our weekly livestreams every Friday to learn more about the IDTech and Global Payments industry on https://twitch.tv/tbdevs
  • Chat with us in our Discord
💖 💪 🙅 🚩
blackgirlbytes
Rizèl Scarlett

Posted on March 21, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related