You probably know that your phone can store digital, working versions of your credit and debit cards, bus and subway passes, and even a form of your house keys for an electronic lock. Your driver’s license will soon be added to the list.
Apple recently announced a verified-ID capability for iPhones and Apple Watches. Google is working toward a similar system for Android users. But how will this work, how secure is it, and who will get first access? Let’s take a look.
Who can use a virtual driver’s license?
For the new Apple feature — stored in the iPhone’s built-in Wallet app — residents of Georgia and Arizona can opt in first, followed by Connecticut, Iowa, Kentucky, Maryland, Oklahoma and Utah.
But, in fact, a handful of states already have their own digital ID apps, independent of Apple’s launch. That includes Arizona, Delaware, Oklahoma, Louisiana, Colorado and Alabama. Florida is testing a pilot program, and California may soon kick off trials, too. So far, state digital IDs haven’t seen wide use.
“Nobody really uses them,” says Jay Stanley, senior policy analyst with the American Civil Liberties Union. So the Apple and Google programs are significant, because they could make digital IDs more universal.
How can I get a digital ID?
In some states, the Department of Motor Vehicles can send a digital license to residents’ devices when they renew their ID. In other states, especially those using the Apple Wallet system, users scan the front and back of their physical ID card with their phone.
Next, they take selfies to verify their identity. For Apple, that information is encrypted to make the information illegible if a hacker intercepts it and sends it to the issuing agency for verification.
Where can I use a digital ID?
Transportation Security Administration security checkpoints will be the first place Apple Wallet users can present digital IDs. For state apps, it varies.
Businesses may accept it as verification of identity and age. But while law enforcement agencies may be encouraged to consider digital licenses the same as cards, there have been reports of individual police departments not yet adopting this policy.
How does it work for travel?
At security checkpoints, users tap their phone or smartwatch on federal TSA identity readers. Their identity is authenticated with face or fingerprint ID and the details show up on the TSA agent’s screen.
Do I have to hand someone my phone?
No, for Apple, your device stays in your possession. Even if the phone is locked, the prompts still appear once the phone is tapped, and information will be beamed directly to the identity reader.
As another example, in Colorado, users have to unlock their phones, open their myColorado ID app and show what’s essentially an image of their ID. In Delaware, verifiers also can scan a QR code. Verifiers should be able to look at the ID or scan a code without touching your phone.
Join today and get instant access to discounts, programs, services, and the information you need to benefit every area of your life.
Do I need to have cell service or be connected to Wi-Fi to use it?
No, all of the verified information is contained on the phone.
Does this mean I don’t have to carry a driver’s license?
“It’s a really bad idea to leave home with only a digital ID for the foreseeable future,” Stanley says. Even in cases where digital IDs are allowed, carrying a physical ID as a backup is a safe choice in the event you misplace your phone or its battery dies.
If someone steals my phone or remotely hacks my device, can they use my digital ID?
“Is it possible? Sure,” says John Sancenito, president of Information Network Associates. “Is it likely? No.”
Users can protect themselves against hacking by keeping their device up to date with the latest operating systems. Making sure they use strong passwords for their device and associated accounts is also a must.
“If the user’s device is stolen, they should log into their iCloud account and mark the device as lost,” Sancenito says. “This process will remotely lock the device with a passcode and disables certain features, like Wallet, on the missing device.” And even if you don’t catch it in time? The required biometric information makes it even harder for thieves to potentially use your digital ID.
In terms of security, how do digital IDs stack up against physical IDs?
Pros: “If it’s built right, it could protect privacy in some circumstances,” Stanley says. For example, when proving eligibility for a senior discount, “you could, in theory, use a digital ID to just say that, yes, this person is over 65, without actually having to share their date of birth, home address, height, weight, organ donor status and eye color.”
Another security protection: Unlike a physical ID card, a digital ID can “disappear” if lost or stolen. Both Apple and Android phones also let users remotely erase all information on lost devices. Also, fake digital IDs will be difficult to create because of the identity verification and encryption processes.
Cons: “We live in an age where it’s much, much easier to attack a computer system than defend it,” Stanley says.
You’re putting your security in the hands of a private company for a new type of technology. Laws and policies are still being developed. And the technology still needs to be proven.
“If we’re going to have a digital ID, which has big risks for privacy and equity, it has to be built in a way that, on a technological level, protects privacy,” Stanley says.
Is the convenience worth it?
“Everybody sort of assumes that everything digital is better and it’ll be more convenient,” Stanley says. “That’s not necessarily true. The convenience is greatly lessened if you have to still bring your purse or your wallet or face possible legal repercussions, and risk possible repercussions if your phone should die.”
Hayley Tsukayama, a legislative activist for the Electronic Frontier Foundation, has some advice.
“If the current kind of ID system is working for you, I wouldn’t necessarily do this right away,” she says. Her one caveat is that it could be useful as a backup should you lose your driver’s license. “But, for most people, I would just let people who really actively want to do this try it out and be the test cases.”
For those who do opt in, Sancenito recommends that “at a bare minimum,” they make sure that issuing states don’t track when or where users present their digital ID.
Lexi Pandell is a contributing writer who covers technology. Her work also appears in other publications, including Wired, The New York Times and The Atlantic.