Understanding ISO 18013–5 and ISO 18013–7: The Standards Shaping Mobile Driver’s Licenses (mDLs)

oneIAM
7 min read · Jan 29, 2025


Introduction

As digital transformation continues to reshape the way identity documents are issued and verified, Mobile Driver’s Licenses (mDLs) are emerging as a key innovation in identity management. The ISO/IEC 18013 series defines international standards for driving license technologies, ensuring interoperability, security, and privacy. Among these, ISO 18013–5 and ISO 18013–7 are particularly important as they establish frameworks for mobile driver’s license verification and device-to-device interactions.

This article explores these two standards, highlighting their roles in mDL implementations, security considerations, and global adoption trends.

What is ISO/IEC 18013?

ISO/IEC 18013 is a series of standards developed by the International Organization for Standardization (ISO) to define the format, security, and interoperability of driver’s licenses, both physical and digital. It provides guidelines to ensure that driver’s licenses, whether stored on plastic cards or digital platforms, are universally accepted and secure.

Two key parts of this standard are:

  • ISO 18013–5: Mobile Driver’s License (mDL) Application
  • ISO 18013–7: Mobile Driving License (mDL) — Device Engagement

ISO 18013–5: mDL Application and Verification

ISO 18013–5, published in 2021, is a crucial standard that defines the secure communication protocols and data structure for a Mobile Driver’s License (mDL). This standard allows a digital driver’s license to be issued, stored, and verified using a mobile device while maintaining security and user privacy.

Key Features of ISO 18013–5:

1. Data Model & Security

  • Defines a standardized data model for driver’s license information (e.g., name, date of birth, driving privileges).
  • Implements public key cryptography to sign and protect the integrity of mDL data.

2. Communication Methods

  • Supports offline verification using QR codes and NFC (Near Field Communication).
  • Enables online verification via secure servers for remote authentication.

3. Privacy Protection

  • Uses selective disclosure, allowing users to share only the necessary information (e.g., proving age without revealing full details).
  • Prevents tracking and unauthorized access through ephemeral cryptographic tokens.

4. Interoperability

  • Ensures that mDLs issued by one jurisdiction can be securely verified in another, supporting cross-border acceptance.

Now let’s dive into the implementation side of ISO 18013–5.

Steps in the mDL Device Onboarding Process (ISO 18013–5)

1. User Identity Verification (Enrollment)

The mDL holder (applicant) must prove their identity before receiving a mobile driver’s license.

  • The applicant submits identity documents, a selfie, or undergoes facial recognition matching against DMV records.
  • The applicant submits driver’s license data by scanning the physical card or by manually entering the details.
  • At the same time, the wallet application generates a public/private key pair and stores the private key within the secure element of the mobile device. A CSR (Certificate Signing Request) is then sent along with the identity information and driver’s license details.

Sample Device Enrollment Request

{
  "request": {
    "version": "1.0",
    "issuer": "California DMV",
    "transactionID": "abc123456789",
    "deviceInfo": {
      "deviceID": "Apple-UDID-XYZ12345",
      "manufacturer": "Apple Inc.",
      "model": "iPhone 14",
      "OS": "iOS 17.1",
      "secureHardware": "Secure Enclave",
      "attestation": "Base64EncodedAttestationToken"
    },
    "publicKeyInfo": {
      "devicePublicKey": "MIIBIjANBgkqhkiG9w0B...",
      "keyAlgorithm": "ECDSA-P256",
      "usage": [
        "authentication",
        "encryption"
      ],
      "generatedAt": "2025-04-01T12:00:00Z"
    },
    "signature": {
      "algorithm": "ECDSA-SHA256",
      "signedData": "Base64EncodedSignature"
    },
    "nonce": "random_nonce_for_freshness"
  }
}

2. Secure mDL Data Creation by the Issuing Authority

  • Once the identity is verified, the Issuing Authority (DMV or equivalent) generates a digitally signed mDL data package (License holder’s name, date of birth, license number, expiration date, driving class).
  • A public key certificate signed by the issuing authority (DMV)

3. Secure Transfer of mDL to the User’s Device

The mDL data is securely transferred to the applicant’s mobile device via one of the approved provisioning methods:

  • The app retrieves the mDL data package from a secure server and binds it to the user’s device.

Sample Response mDL data package

{
  "mDL": {
    "version": "1.0",
    "issuer": "California DMV",
    "issueDate": "2025-04-01",
    "expiryDate": "2030-06-15",
    "documentType": "mDL",
    "holder": {
      "name": "John Doe",
      "dateOfBirth": "1990-05-20",
      "licenseNumber": "A1234567",
      "drivingPrivileges": [
        "Category B"
      ],
      "photoHash": "SHA256:3a1f0b2c..."
    },
    "deviceBinding": {
      "devicePublicKey": "MIIBIjANBgkqhkiG9w0B...",
      "signature": "ECDSA-SignedHash",
      "certificate": "X.509-Signed-by-CA"
    },
    "security": {
      "digitalSignature": "IssuerSignedData",
      "signatureAlgorithm": "ECDSA-SHA256",
      "publicKeyCertificate": "X.509-Signed-by-CA",
      "nonce": "random_nonce_for_freshness"
    },
    "privacy": {
      "selectiveDisclosure": {
        "enabled": true,
        "fields": [
          "dateOfBirth",
          "drivingPrivileges"
        ]
      },
      "revocationStatus": "Valid",
      "lastVerified": "2025-06-01T12:30:00Z"
    }
  }
}

Use Cases for in-person identity verification with ISO 18013–5

  • Law Enforcement: Police officers can securely verify a driver’s identity and license status via a mobile reader.
  • Retail & Age Verification: Alcohol or tobacco retailers can verify a customer’s age without accessing unnecessary personal details.
  • Airport Security: Travelers can use their mDLs for identity verification at security checkpoints.

The diagram below shows the actions involved in each step.

Step 01: The NFC reader actively initiates the communication.

Step 02: The wallet application pops up for authentication, and the user provides the required authentication credentials, such as Face ID, fingerprint, or PIN.

Step 03: The user needs to give consent for which data (name, DOB, address) is to be shared with the other party.

Step 04: Data is securely communicated from the wallet application to the NFC reader:

  • Holder’s Identity Information (e.g., name, DOB, driving privileges).
  • Issuer’s Digital Signature (ensures authenticity).
  • Public Key Certificate (validates the issuer and prevents forgery).
  • Nonce for Freshness (prevents replay attacks).

Step 05: The NFC reader validates the wallet’s public key certificate against the Certificate Authority in order to verify the issuer (wallet).

Step 06: The signature is extracted from the data set.

Step 07: The signature of the data packet is validated using ECDSA (Elliptic Curve Digital Signature Algorithm).

Step 08: The session ends.
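
Steps 03 to 07 combined with selective disclosure, as an added example that is not code from the original article or from any mDL implementation: the issuer signs a list of salted per-field digests, the wallet sends only the consented fields, and the reader checks the signature before trusting any field. Assumptions: JSON replaces the standard's CBOR encoding, an HMAC with a made-up key (ISSUER_KEY) stands in for the issuer's ECDSA signature so the code runs on the standard library alone, and all function names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: holder fields copied from the sample mDL package on this page.
HOLDER = {"name": "John Doe", "dateOfBirth": "1990-05-20",
          "licenseNumber": "A1234567", "drivingPrivileges": ["Category B"]}
ISSUER_KEY = b"demo-issuer-key"  # assumption: HMAC stands in for the issuer's ECDSA key


def item_digest(item):
    # Canonical JSON keeps the hash stable (simplification: the standard encodes in CBOR).
    return hashlib.sha256(json.dumps(item, sort_keys=True).encode()).hexdigest()


def sign(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), "sha256").hexdigest()


def issue(holder):
    """Issuer: salt every field, then sign only the sorted list of digests."""
    # The random salt stops a reader from guessing undisclosed low-entropy values.
    items = {k: {"salt": secrets.token_hex(16), "name": k, "value": v}
             for k, v in holder.items()}
    digests = sorted(item_digest(i) for i in items.values())
    return items, {"digests": digests, "signature": sign(digests)}


def present(items, signed, consented):
    """Wallet (Steps 03-04): send the signed digests plus only the consented items."""
    return {"signed": signed, "disclosed": [items[name] for name in consented]}


def verify(presentation):
    """Reader (Steps 06-07): check the signature, then tie each item to a signed digest."""
    signed = presentation["signed"]
    if not hmac.compare_digest(sign(signed["digests"]), signed["signature"]):
        raise ValueError("issuer signature invalid")
    fields = {}
    for item in presentation["disclosed"]:
        if item_digest(item) not in signed["digests"]:
            raise ValueError(f"{item['name']} is not covered by the issuer signature")
        fields[item["name"]] = item["value"]
    return fields


if __name__ == "__main__":
    items, signed = issue(HOLDER)
    print(verify(present(items, signed, ["dateOfBirth"])))  # age check: one field only
```

A reader that receives only dateOfBirth still verifies the issuer's signature over the whole credential, while the name and license number never leave the wallet.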

mDL Authentication for Online Services

(Remote Digital Identity Verification Using ISO 18013–5)

Mobile Driver’s Licenses (mDLs) can be used for online authentication to access digital services securely, even when the mDL holder is not physically present. This is critical for e-government, banking, eKYC, and remote identity proofing, where a service provider must ensure that the mDL holder is legitimate without requiring in-person verification.

Let’s walk through the flow to understand each step.

Step 01: The user accesses an online service (e-government, banking, eKYC) that offers an option to log in with an mDL. The user clicks to log in with the mDL, and the online service invokes the verification API at the government authority.

Step 02: The verification API responds with a challenge saying “ABC Corporation requests data X, Y, Z”.

Step 03: The online service displays a QR code that the mobile device can scan.

Step 04 / Step 05: The mobile device displays the challenge, such as “ABC Corporation requests data X, Y, Z”, and demands user authentication upon approving or denying the request.

Step 06: The device sends the required identity data package to the government authority or issuing party.

Step 07: Finally, the online service gets the identity data package from the government authority or issuing party.

ISO 18013–7: Device-to-Device Interaction for mDLs

ISO 18013–7, published in 2023, builds upon the security and functionality provided by ISO 18013–5 by specifying device engagement protocols that enable secure communication between the mDL holder’s device and the verifying party’s device.

Key Features of ISO 18013–7:

1. Device-to-Device (D2D) Authentication

  • Defines secure Bluetooth Low Energy (BLE) and Wi-Fi Aware communication channels for direct interactions.
  • Ensures end-to-end encryption to protect user data.

2. Authentication & Trust Management

  • Verifier devices authenticate the mDL through digital certificates.
  • Supports mutual authentication, preventing unauthorized access.

3. Session Management

  • Establishes secure communication sessions that minimize exposure to tracking and data interception.

4. Offline Verification

  • Enables verification without requiring an internet connection, making it useful in areas with poor connectivity.

Use Cases for ISO 18013–7

  • Traffic Stops: Officers can use a secure wireless connection to verify an mDL without requiring internet access.
  • Venue Access Control: Stadiums, concerts, and other events can verify identities using short-range wireless communication.
  • Border Control: Customs officers can quickly authenticate digital IDs when crossing borders.

Security and Privacy Considerations

Security is a top priority in both ISO 18013–5 and ISO 18013–7 to prevent fraud, identity theft, and unauthorized access. Key security measures include:

  • Public Key Infrastructure (PKI): Ensures that only trusted issuing authorities can create and sign mDLs.
  • End-to-End Encryption: Prevents data interception during transmission.
  • Selective Disclosure: Users can choose which data fields to share, enhancing privacy control.
  • Non-Trackability: Prevents issuers or verifiers from tracking user movements through the mDL system.

Global Adoption and Future Outlook

Several countries, including the United States, Canada, Australia, and the European Union, are actively piloting or deploying mDL solutions based on ISO 18013–5 and ISO 18013–7.

  • United States: States like Florida, Arizona, and Louisiana have introduced mDL programs compliant with ISO standards.
  • European Union: The EU Digital Identity Wallet initiative aligns with ISO 18013 for interoperability.
  • Australia: Several states are testing mDLs as part of their digital identity frameworks.

As mDL technology evolves, future developments may include:

  • Biometric Authentication Integration: Enhancing security with facial recognition or fingerprint verification.
  • Integration with Digital Wallets: Allowing mDLs to be stored in Apple Wallet, Google Wallet, or other ID platforms.
  • Cross-Border Acceptance: Establishing international trust frameworks to make digital IDs usable across multiple countries.

Conclusion

ISO 18013–5 and ISO 18013–7 are foundational standards driving the adoption of secure, privacy-preserving, and interoperable Mobile Driver’s Licenses (mDLs). By defining secure data models, verification methods, and device-to-device engagement protocols, these standards are paving the way for the future of digital identity. As global adoption increases, these standards will play a crucial role in ensuring that mDLs are trusted, secure, and widely accepted across industries and borders.
