ID Notes

Is my mDL secure?

May 7, 2024

I am always curious to hear what people outside the cybersecurity industry think about the idea of a digital credential taking the place of the physical card we carry around for everyday interactions. I get lots of positive reactions, many focused on the convenience - “I don’t have to carry my license when going out!” “I already have my plane ticket on my phone, why not my ID?”, but also skepticism, usually about the concerns around security - “Everything gets hacked, it’s just going to get stolen.” “People will just photoshop fake ones.”


This made me think, it would be good to try to provide some answers to how the mDL security components ensure that only the owner of the identity can set up and use the mDL. These answers are targeted for any mDL program is using the International Standards Organization (ISO) mDL Specifications to ensure interoperability and security.

Q&A for Mobile Driver's License Security


“Can someone steal my physical license and impersonate me to create the mDL?”


Protection against Identity Theft

Setting up your mDL requires not just the physical license, but also takes you through a standard remote verification process, including matching your face against the photo on the license, to make sure only you can set it up.




“Can someone steal my phone and impersonate me?”


Protection against Impersonation

In addition to your phone security, the mDL app also requires authentication every time you use it, so only someone that can pass all the device security checks can open the mDL app. If you use a cloud account to automatically wipe all data on the phone, your mDL will be removed. Additionally, many mDL implementations will allow you to revoke the mDL from any device so it cannot be used even if someone can log in to your phone.



“Can a hacker just create their own fake copy of an mDL with whatever data they want?”


Protection against Forgery

mDLs are not just a picture or screen with your data - all mDLs are created using a process that ensures only the issuing state has the ability to create the digital document. The mDL is “cryptographically signed”, which it means that if anyone tried to create their own without the special key known only to the issuing state system, any reader would see that it is fake. This is why it’s important to scan the mDL with an mDL reader, not just look at the screen!



“Can a hacker just steal a copy of my mDL off my phone and use it on another phone?”

“Can someone just take a picture or screenshot of my mDL and use it?”


Protection against Cloning

The mDL is issued to your phone and your phone alone. If someone tries to take a picture or screenshot of your mDL, or could somehow copy the file off of your phone, the reader will see it is fake because it is not coming from the phone that it was generated for when it was created. 



“Can a hacker just listen in when I use my mDL?”


Protection against Eavesdropping and Man-in-the-Middle

All of the interactions between your phone and the reader are encrypted, so no one can use a device to “listen” to the interactions between the mDL and the reader. Any time you use the mDL, it has to be activated, authenticated and shared by you - no one can just scan your phone.