Drawing Boundaries Around Identity Management
Agencies are looking for solutions to meet evolving identity verification demands. But where do your responsibilities begin and end?
By Frank Dean
Over the last 100 years, the driver license has evolved from a permit to operate a motor vehicle to the de facto standard for identity in the United States. As technology continues to advance, modern customers demand digital versions of their traditional plastic licenses. However, providing this service is not as simple as creating a picture of a driver license on an electronic device. Digital licenses—like their physical counterparts—are targets for fraud, and driver license agencies are once again tasked with solving identity problems.
During the pandemic, agencies were pressured to offer more services online, and most DMVs across North America stepped up to the challenge and created new channels for customers to access services. Now, agencies are looking for solutions and making judgment calls as they wade into untested waters. Ecosystems, protocols, and standards all dominate the conversation about mobile driver licenses (mDLs) and identity, and many agencies are unsure where their responsibilities begin and end. We suggest agencies consider the following guardrails to avoid being overwhelmed while leaving the door open for innovative technologies.
- You are NOT responsible for the ENTIRE ecosystem. Just like with the physical cards you issue today, your control over a customer’s identity only goes so far. The agency is responsible for verifying who a person is and issuing a valid credential—but once that card goes into the wallet of an individual, the DMV has no control over how the holder shares their information. Laws in most states put the responsibility on the receiving party to properly consume and use the information on the card. This should be no different in the digital world.
- You ARE responsible for data released outside of agency systems. As your policies surely state, you are responsible for PII stored in government databases. Any digital identity solutions your agency adopts should fully control and secure how data is shared. Even if used in an authorized way, a solution may violate your state’s data sharing and PII protections.
- You will be held to a higher standard. While guidelines and policies often feel like a burden, they exist to protect data and provide direction. For years, agencies used the AAMVA driver license standards to ensure that license information appeared in a standardized way, including on the PDF417 barcode. This enabled other agencies and third parties to access driver license data without placing the responsibility solely on the issuing agency. Under ISO 18013-5 and other industry standards, the DMV’s only responsibility is to create a card that complies with the standard; the agency does not take on the undue burden of assuming responsibility for every product or system that wants to read an mDL.
- Digital equity matters in government services. It costs nothing to pull your physical driver license from your wallet and present it for identification. Any digital identity solution should also be free to use. Government services that are inaccessible to those on the wrong side of the technology gap might disenfranchise the people who need services the most.
- Accessibility should stay in focus. Not everyone has a webcam, and not everyone can drive to your office. Online and remote services are great ways to make services accessible to everyone—but only if they’re supported on all devices and comply with the Americans with Disabilities Act (ADA) and the Web Content Accessibility Guidelines (WCAG). Keep accessibility in mind when implementing any identity verification protocol.
As your agency continues to explore options for addressing identity management, remember that it is not your agency’s job to carry the entire ecosystem. You do not have to solve every identity problem at the DMV. AAMVA’s mDL Digital Trust Service, the Transportation Security Administration, and major technology companies are all working toward the most effective methods to administer digital IDs. As you consider new solutions and technologies for digital credentials, remember that the goal is unchanged. Agencies are responsible for creating trusted, secure, and openly verifiable credentials that protect the holders’ security and privacy—while continuing to work toward a more modern DMV experience.
Fast Enterprises has helped 95+ agencies worldwide enhance efficiencies and customer service delivery. To continue the conversation, contact me at FDean@FastCore.com or visit FastEnterprises.com.