In-person mDL Acceptance is Weak. Online Acceptance is Weaker.

Perhaps it’s different in Louisiana where the mDL is long established and supported, but in California the only place where I’ve used my mDL is at a TSA checkpoint. And last Friday I couldn’t even do that because the reader was down.

But at least mDLs are available to a large number of people. deepidv provides this good news…and the bad news.

“As of mid-January 2026, the American Association of Motor Vehicle Administrators tracks 21 US states plus Puerto Rico issuing ISO/IEC 18013-5 compliant mobile driver’s licenses. That includes California, New York, Virginia, Arizona, and most of the largest population states. Industry analysis puts the figure at roughly 41 percent of Americans now living in a state with an active mDL program, and 76 percent in a state where the program is live or in development.”

So at least many of us can get mDLs. But as I noted, it’s a challenge to use them in person, despite a standard outlining how they can be used.

“ISO/IEC 18013-5 covers proximity presentation. The mDL holder shows the credential to a verifier device that is physically nearby, typically over Bluetooth Low Energy or NFC. That works for airport security, in-person retail age checks, and traffic stops.”

But it’s a greater challenge to use mDLs online.

“It does not work for online onboarding because there is no proximity. For online flows, the standard is ISO/IEC TS 18013-7, published in 2025, which defines remote and online presentation. Adoption of Part 7 is, in the words of the people building these systems, “limited and inconsistent.””

This is where the benefit of decentralized identity falls apart. In a decentralized identity system, the user controls where the identity is stored. (I have two California mDLs on my phone, because decentralized is very decentralized.)

deepidv has concerns with this:

“Device-side verification means the cryptographic check that establishes whether the credential is authentic happens in an environment the relying party does not control. A rooted phone, a compromised app, a tampered SDK, a man-in-the-middle on the verification flow, all of these break the trust model. The relying party is being asked to trust a yes-no answer it cannot independently verify.”

deepidv describes server-side verification, as well as other issues with mDL adoption, in its LinkedIn article.

Though not referenced by name, deepidv cites Regula’s support of server-side processing:

“Malware, rooted phones, tampered apps: User devices such as smartphones can pose risks to identity verification, as these environments are difficult to control against fraud.

“Regula says it has a solution. The identity verification firm has introduced server-side reprocessing of mobile driver’s license (mDL) data in its document reader software, Regula Document Reader SDK. The capability means that mDL data is processed on the backend in a controlled, trusted environment rather than relying solely on user devices, which also helps preserve the integrity of the identity signal across the verification flow. Data captured on the user’s device is revalidated through a PKI check and signature verification on the server.”
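The difference between trusting a device's yes/no answer and revalidating on the server, as an added example (this is not Regula's, deepidv's, or any wallet vendor's code). It assumes JSON in place of the CBOR/COSE structures that ISO/IEC 18013-5 uses and a single constructed issuer key in place of a certificate chain; all function and field names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed issuer key pair for the demo. A real server holds only the
// issuer's certificate, validated up to a trusted root (the "PKI check").
const issuer = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Salted per-element digest, so the signed list does not leak undisclosed values.
const digestOf = (el) => crypto.createHash('sha256')
  .update(JSON.stringify([el.salt, el.name, el.value])).digest('hex');

// Issuer side: sign the list of element digests once, at provisioning time.
function issueCredential(attrs) {
  const elements = Object.entries(attrs).map(([name, value]) => (
    { name, value, salt: crypto.randomBytes(16).toString('hex') }));
  const signedDigests = JSON.stringify(elements.map(digestOf));
  const signature = crypto.sign('sha256', Buffer.from(signedDigests),
    issuer.privateKey).toString('base64');
  return { elements, signedDigests, signature };
}

// Device side (untrusted): forwards the disclosed elements plus the issuer's
// signed digests. deviceVerdict is the yes/no answer the server cannot check.
function devicePresentation(credential, disclose) {
  return {
    deviceVerdict: true,
    elements: credential.elements.filter((e) => disclose.includes(e.name)),
    signedDigests: credential.signedDigests,
    signature: credential.signature,
  };
}

// Server side: ignore deviceVerdict and redo both checks in a controlled place.
function serverRevalidate(p, trustedIssuerKey) {
  let signatureOk = false;
  try {
    signatureOk = crypto.verify('sha256', Buffer.from(String(p.signedDigests)),
      trustedIssuerKey, Buffer.from(String(p.signature), 'base64'));
  } catch {
    signatureOk = false; // malformed signature bytes count as a failure
  }
  if (!signatureOk) return { ok: false, reason: 'issuer signature invalid' };
  if (!Array.isArray(p.elements) || p.elements.length === 0) {
    return { ok: false, reason: 'no disclosed elements' };
  }
  const signed = new Set(JSON.parse(p.signedDigests));
  for (const el of p.elements) {
    if (!signed.has(digestOf(el))) {
      return { ok: false, reason: `element "${el.name}" does not match signed digest` };
    }
  }
  return { ok: true, attributes: Object.fromEntries(p.elements.map((e) => [e.name, e.value])) };
}

// Constructed scenarios: honest device, tampered value, self-signed forgery.
function demo() {
  const cred = issueCredential({ family_name: 'Sample', birth_date: '2010-05-01' });
  const honest = devicePresentation(cred, ['birth_date']);
  const tampered = JSON.parse(JSON.stringify(honest));
  tampered.elements[0].value = '1990-05-01'; // altered on the device, verdict still true
  const rogue = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const forged = { ...honest, signature: crypto.sign('sha256',
    Buffer.from(honest.signedDigests), rogue.privateKey).toString('base64') };
  return [honest, tampered, forged].map((p) => serverRevalidate(p, issuer.publicKey));
}

console.log(demo());
```

In all three scenarios the device reports `deviceVerdict: true`; only the server's own signature and digest checks separate the honest presentation from the other two.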

But will the decentralized identity people insist that server-side verification is evil? And how will the decentralized proponents convince others that a decentralized identity is really really secure?

If your company has a decentralized or centralized solution and you need to communicate its benefits to prospects, Bredemarket can work with you.

Why Does California Support Two Separate Digital Wallets For Its Mobile Driver’s License?

This morning I was attending a NIST webinar on mobile driver’s license use at financial institutions, and began looking at the services I could access in April 2026 with my California mobile driver’s license—financial and otherwise.

Of course I already knew that I could use my California mDL at the Transportation Security Administration checkpoint at Ontario International Airport. In fact, the mDL in my Apple Wallet (obtained in 2024) recorded the fact that I used my mDL at the airport on August 31, 2025.

But today I learned that some services are NOT available with the mDL in my Apple Wallet, but ONLY while using the “CA DMV Wallet” app.

So I downloaded the app, which I last used in my initial unsuccessful attempt to obtain an mDL. (I finally used Apple’s facility to get one.) I assumed that since I already had my mDL in my Apple Wallet, it would automatically show up in the app.

You know what happens when you assume. My buddy Google Gemini pointed it out to me.

“It’s a common point of confusion, but the Apple Wallet and the CA DMV Wallet app are actually two separate “containers” for your digital ID. Because California uses a secure, decentralized system, your mDL doesn’t automatically sync between them. Even if it’s already in your Apple Wallet, you have to go through a separate enrollment process to “provision” it into the DMV’s official app.”

Which meant that I had to enroll again and get another decentralized mDL, which I did. (After some difficulty; it took four separate attempts to capture my facial image, which was only successful when I went into a very dark room.)

Now that my mDL is in this second wallet, I could go ahead and enroll in the TruAge program for age verification at a private retailer.

As I type this, TruAge hasn’t processed my application.

And now for a word from our sponsor

Mobile driver’s licenses are a digital form of “something you have,” which is a factor of identity verification and authentication.

Would you like to learn about all six of the identity verification and authentication factors? (Not three. Not five.)

Learn more about the six identity factors.

Six identity factors. One Bredemarket ebook. Total identity protection. Purchase “Proving Humanity: The Six Factors of Identity Verification and Authentication.”

If Your Passwords Failed, Your Other Factors Could Fail Also

There are all sorts of apocalyptic literature: apes taking over the world is but one example. But the scariest thing I’ve read lately was published by Factonic.

“Imagine waking up one morning and realizing that every password you’ve ever created has suddenly stopped working. Your bank account, social media profiles, and even your email are either completely locked or frighteningly exposed. There’s no reset option, no backup plan—just instant confusion and panic.”

Factonic believes that massive hacks, quantum computing power, and other catastrophic events could eliminate password protections.

“In the first 24 hours after passwords stop working, the digital world would slip into chaos.

“Banking systems could either freeze to prevent unauthorized access or come under heavy attack as bad actors try to exploit the sudden vulnerability, leaving people unable to access their money or complete transactions.

“Social media accounts would be rapidly hijacked, spreading misinformation, scams, or malicious content as users lose control of their profiles.

“Meanwhile, businesses would likely shut down access to their platforms entirely in an attempt to contain the damage, halting operations and cutting off services to millions of users.”

But before you say that the passwords are finally dead and we can move on to other factors of identity verification and authentication

…those same hacks and power could also affect all the other factors. Imagine quantum computing power that could generate matching fingerprints, faces, behaviors, and identity documents in seconds. As I said in 2021:

“But wait a minute. Isn’t it possible to spoof biometrics? And when a biometric is compromised, you can’t change your finger or your face like you can with a compromised password. And the Internet tells me that biometrics is racist anyway.

So I guess “biometrics are dead” too, using the “passwords are dead” rationale.

“And we obviously can’t use secure documents or other “something you have” modalities either, because “something you have” is “something that can be stolen.” And you can’t vet the secure document with biometrics because we already know that biometrics are spoofable and racist and all that.

So I guess “secure documents are dead” too.

So much for protection. Have a good day.

Identity Document Validation is a Toxic Dumpster Fire

I may have misjudged Biometric Update.

Most technology publications, with the notable exception of IPVM, are at least partially funded by the companies they cover. Therefore there’s an unavoidable tension between keeping the advertisers happy and casting a critical eye on the industry.

I accept this tension because it applies to Bredemarket itself. Although my clients are absolutely wonderful, there may emerge a future situation where they may be less than perfect. So naturally I have to watch my tongue.

As does Biometric Update.

Remember when IDloop asserted it offered “the world’s first FBI-certified 3D contactless fingerprint scanner,” and Biometric Update reported the claim with no comment? I said at the time:

“Biometric Update reports news as reported, and I don’t think it’s Biometric Update’s purpose to poke holes in vendor claims.”

But then Biometric Update ran a more recent story.

They said that?

Bear in mind that Biometric Update’s advertisers include vendors who offer identity document validation solutions: either their own, or from a third party.

And Biometric Update’s recent story basically said that these solutions are a toxic dumpster fire.

OK, not in those words. Biometric Update is Canadian owned, and if the publication used the words “toxic dumpster fire” it would never stop apologizing.

But the true title is eye-catching in context:

DHS RIVR results suggest most ID document validation disastrously ineffective

Not just ineffective, DISASTROUSLY ineffective. Ouch.

For those not up in their acronyms, the Department of Homeland Security’s (DHS) latest annual round of tests was called the Remote Identity Validation Rally (RIVR).

DHS set performance goals for the submitted entries and publicized the (anonymous) results.

“Four of the seven subsystems tested met the goal for system error rate. Four did not meet the threshold for FRR, and five fell short in FAR. In other words, most systems let too few legitimate IDs through, even more passed too many fraudulent IDs, and six of seven fell short on one or both sides of the assessment.”

Biometric Update didn’t reveal the…um…identity of the one vendor that performed acceptably. But that vendor may self-reveal soon enough.

On anonymity

Why do testing entities sometimes allow participants to remain anonymous?

Because they want participants.

Some biometric tests are NOT designed to identify the best algorithms, but are instead designed to view the state of the industry. And that’s what this test performed with document validation.

Presumably a future test—POND, or Performance Of Notable Documents—will measure the future state-of-the-art of identity document validation.

Hopefully the results won’t be disastrous.

How Many Authentication Factor Types Are There?

An authentication factor is a discrete method of authenticating yourself. Each factor is a distinct category.

For example, authenticating with fingerprint biometrics and authenticating with facial image biometrics are both the same factor type, because they both involve “something you are.”

But how many factors are there?

Three factors of authentication

There are some people who argue that there are only really three authentication factors:

  • Something you know, such as a password, or a personal identification number (PIN), or your mother’s maiden name.
  • Something you have, such as a driver’s license, passport, or hardware or software token.
  • Something you are, such as the aforementioned fingerprint and facial image, plus others such as iris, voice, vein, DNA, and behavioral biometrics such as gait.

Five factors of authentication, not three

I argue that there are more than three.

  • Something you do, such as super-secret swiping patterns to unlock a device.
  • Somewhere you are, or geolocation.

For some of us, these are the five standard authentication factors. And they can also function for identity verification.

Six factors of authentication, not five

But I’ve postulated that there is one more.

  • Somewhat you why, or a measure of intent and reasonableness.

For example, take a person with a particular password, ID card, biometric, action, and geolocation (the five factors). Sometimes this person may deserve access, sometimes they may not.

  • The person may deserve access if they are an employee and arrive at the location during working hours.
  • That same person may deserve access if they were fired and are returning a company computer. (But wouldn’t their ID card and biometric access have already been revoked if they were fired? Sometimes…sometimes not.)
  • That same person may NOT deserve access if they were fired and they’re heading straight for their former boss’ personal HR file.

Or maybe just five factors of authentication

Now not everyone agrees that this sixth factor of authentication is truly a factor. If “not everyone” means no one, and I’m the only person blabbering about it.

So while I still work on evangelizing the sixth factor, use the partially accepted notion that there are five factors.

Verify the Supporting Documents Aren’t Forged

From the CBC in Canada:

“The documents were forged Labour Market Impact Assessments, or LMIAs. Employers typically receive the documents from Employment and Social Development Canada (ESDC) if they want to hire a foreign worker.”

Biometrics aren’t enough. The person may be who they say they are, but the documentation they are holding may be fake.

More on this type of fraud: https://www-cbc-ca.cdn.ampproject.org/c/s/www.cbc.ca/amp/1.7516048

(Forged document from Imagen 3. Lincoln never held a law license in the then-United Kingdom.)

Replacing Underage Age Estimation With Underage Age Verification

Why do we have both age verification and age estimation? And how do we overcome the restrictions that force us to choose one over the other?

Why age verification?

As I’ve mentioned before, there are certain products and services that are ONLY provided to people who have attained a certain age. These include alcohol, tobacco, firearms, cannabis, driver’s licenses, gambling, “mature” adult content, and car rentals.

There’s also social media access, which I’ll get to in a minute.

So how do you know that someone purchasing one of these controlled products or services has attained the required age?

One way is to ask the purchaser to provide their government identification (driver’s license, passport, whatever) with their birthdate to prove their age.

This is known as age verification. Provided that the ID was issued by a legitimate government authority, and provided that the ID is not fraudulent, this ID provides ironclad assurance that you are 18 years old or 21 years old or whatever the requirement is.

But let’s return to social media.

Why age estimation?

If you’re Australian, sit down for a moment before I share the following fact.

There are jurisdictions in the world that allow kids as young as 13 years old to access social media.

However, these wild uncontrolled jurisdictions face a problem when trying to determine the ages of their social media users. As I noted almost two years ago:

How many 13 year olds do you know that have driver’s licenses? Probably none.

How many 13 year olds do you know that have government-issued REAL IDs? Probably very few.

How many 13 year olds do you know that have passports? Maybe a few more (especially after 9/11), but not that many.

So how can you figure out whether Bobby or Julie is old enough to open that social media account?

One way to do so is by using a technique called age estimation, which looks at facial features and classifies people by their estimated ages.

The only problem is that while age verification is accurate (assuming the ID is legitimate), age estimation is not:

So if a minor does not have a government ID, and the social media firm has to use age estimation to determine a minor’s age for purposes of the New York Child Data Protection Act, the following two scenarios are possible:

An 11 year old may be incorrectly allowed to give informed consent for purposes of the Act.

A 14 year old may be incorrectly denied the ability to give informed consent for purposes of the Act.

So what do you do?

How to perform underage age verification

Biometric Update points out that there is a free alternative for underage people ages 13-15 in the United Kingdom—the CitizenCard. These cards are issued in four categories:

  • ‘18+’ for adults
  • ‘16-17’ for those aged 16 to 17
  • ‘13-15’ for children aged 13 to 15
  • ‘Under 13’ for younger children

“OK,” you may say, “but so what? Anybody can print a card that says anything they want, like Alabama’s John Wahl did. Why should anyone accept the CitizenCard?”

Well…people, um, trust it.

CitizenCard is the only non-profit, UK-wide issuer of police-approved proof of age & ID cards….

CitizenCard was founded in 1999 and is governed by representatives from the National Lottery operator Allwyn, the Co-op, Ladbrokes & Coral owner Entain and the TMA.

CitizenCard…is the longest-established and the largest issuer of Home Office-endorsed PASS-hologram ID cards in the UK with more than 2.5 million issued.

[CitizenCard] is audited by members of the Age Check Certification Scheme on behalf of PASS to ensure that the highest standards of UK data protection, privacy and security are upheld and rigorous identity verification is carried out.

So one could argue that you don’t need age estimation in the UK, because there is a well-established way to VERIFY ages in the UK.

However, there are other benefits to age estimation, including the fact that estimation is frictionless and doesn’t require you to pull out a card (or a smartphone) at all.

Digital Driving Licences With Two Cs

In my country, the issuance of driver’s licenses is performed at the state level, not the national level. This has two ramifications.

REAL ID

The U.S. government wanted to tighten down on identification cards to stop terrorists from hijacking planes and crashing them into buildings. 

But it couldn’t. 

When it told the states to issue “REAL ID” cards by 2008, the states said they wouldn’t be told what to do. 

Today all of them support REAL ID cards as an option, but use of REAL IDs for federal functions such as plane travel won’t be enforced until 2027…if then.

mDLs

For years there has been a move to replace physical driver’s licenses with mobile driver’s licenses, or mDLs.

Again, in my country this has been pursued on a piecemeal basis at the state level. Louisiana has its own mDL, with a separate one in Oklahoma, one in California, others in other states, and none in other states. And one state (Florida) that had one, then didn’t have one.

Some mDLs are in custom wallets, while others are or are not in wallets from Apple, Google, and Samsung.

Oh, and don’t try using your Louisiana mDL to buy a beer in Arkansas.

Meanwhile, in the UK

Things are different in other countries. Amit Alagh shared a BBC article with me.

“Digital driving licences are to be introduced in the UK as the government looks to use technology to ‘transform public services’…. The new digital licences will be introduced later this year….”

Throughout the entire United Kingdom, including Scotland and Northern Ireland, apparently.

In one fell swoop. Entire country done.

Use One ID, Lose Another: China vs. China

(Chiang and Mao in 1945, Public Domain)

When you obtain a government ID from one national government, you normally don’t get a second government ID from a different national government, unless you hold dual citizenship.

But for some pairs of countries, dual citizenship is untenable.

“President Lai Ching-te (賴清德) has cautioned Taiwanese citizens against China’s reported efforts to lure them into applying for Chinese ID cards and residency permits.”

Because Taiwan is a contested territory, acceptance of People’s Republic of China IDs could result in PRC claims to Taiwan…to protect its citizens there. Therefore Taiwan really discourages this.

“According to local regulations, citizens who receive a Chinese ID will have their Taiwanese household registration revoked.”

And we thought that moving Meta’s trust and safety teams from California to Texas was a big deal. At least the states of California and Texas are not launching military strikes against each other.

At least not yet.

KYV: Know Your (Healthcare) Visitor

Who is accessing healthcare assets and data?

Healthcare identity verification and authentication is often substandard, as I noted in a prior Bredemarket blog post entitled “Medical Fraudsters: Birthday Party People.” In too many cases, all you need to know is a patient’s name and birthdate to obtain fraudulent access to the patient’s protected health information (PHI).

But healthcare providers need to identify more than just patients. Providers need to identify their own workers, as well as other healthcare workers.

Know Your Visitor

Healthcare providers also need to identify visitors. When a patient is in a hospital, a rehabilitation facility, or a similar place, loved ones often desire to visit them. (So do hated ones, but we won’t go there now.)

I was recently visiting a loved one in a facility that required identification of visitors. The usual identification method was to present a driver’s license at the desk. The staffer would then print out a paper badge showing the visitor’s name and the validity date.

Like this…

John Bederhoft?

So John “Bederhoft” (sic) enjoyed access that day. Whoops.

Oh, and I could have handed my badge to someone else after a shift change, and no one would have been the wiser.

Let’s apply “somewhat you why”

There’s a more critical question: WHY was John “Bederhoft” visiting (REDACTED PHI)? Was I a relative? A friend? A bill collector?

My proposed sixth factor of identity verification/authentication, “somewhat you why,” would genuinely help here. 

Somewhat you why “applies a test of intent or reasonableness to any identification request.” 

Maybe I should have said “and” instead of “or.”

  • Visiting a relative shows intent AND reasonableness.
  • Visiting a debtor shows intent but (IMHO) does NOT show reasonableness.

Do you need to analyze healthcare identity issues for your healthcare product or service? Or create go-to-market content for the same? Or proposals?

Contact me at Bredemarket’s “CPA” page.