CIO

Digital ID vs Physical ID

  • Craig Ford (CSO Online)
  • 25 September, 2019 11:50

I remember growing up in the '80s and '90s seeing lots of movies where teenagers would try to make or buy fake IDs, particularly in the US where the legal drinking age is 21. ID cards such as a driver’s licence, which was originally introduced back in 1910, have long been a physical card that we would carry around with us. This was to prove who we were, and our age for the younger members who wanted to go to pubs and clubs. They started as little more than a piece of paper; I remember my father, while I was growing up, had a laminated licence with a photo and some details.

When I finally got my learner's in the tail end of the '90s, we had moved on to one of the first versions of the hard plastic licence that we nearly all have today. Change is afoot, however, with digital IDs starting to become a reality and the Queensland Department of Transport and Main Roads launching the first pilot of the digital licence app late this year. You can find the full details here. They are calling it a digital wallet, and it is essentially a digital identity app on your mobile phone that will be able to be used as a replacement for the old-style physical card.

They have added a security feature that is designed to keep your information secure by utilising the security features of your phone, with a PIN, fingerprint and possibly facial recognition functionality. On the TMR site, they indicate that the new digital licence will be more secure than the traditional form of ID and, you know what, I think they are probably right. There is no real way of securing the traditional licence or physical ID card.

It can be used as your driver’s licence and as a proof of ID. During the pilot stage, they are not making it compulsory for cardholders to move over to the new form of ID; if you choose, the traditional ID cards will still be made available. QLD is not the only state rolling out these test digital IDs, with, I believe, most states in a similar phase.

It’s not just your licence going digital either, with DFAT (Department of Foreign Affairs and Trade) working towards a digital passport; however, they are not quite at the stage of trialling these just yet. Australia Post has also jumped on the digital ID bandwagon with the release of the Digital ID service, which will allow you to pick up packages and also use this service at other participating organisations instead of needing the old-school licence anymore.

Look, all of these services have some good features and the idea of a digital ID is a great idea, but is the technology at a standard that can provide a safe and secure service? What happens when a malicious actor finds a vulnerability in these platforms (oh, and let's be very clear here, they will)? What information will they be able to gain, and what would they be able to do with it?

As I started to write that last line, my mind exploded with possibilities (that's my hacker side coming out there). I do not doubt that they will be able to steal all of the licence holder details and manipulate the apps to create the modern version of a fake ID. The fake ID scenario will be an interesting one, and it will be interesting to see how they ensure the validity of the IDs, as I am sure that, with the technical skills of some of the younger generations, at least a few of them will have the skills and know-how to be able to throw together a decent cloned version of the app.

If there is no way to validate this on the fly at night clubs or similar locations, and to the people checking the IDs the app looks the same and displays/does all the right things, it won't be long before the backroom trade of fake IDs will start to form. It's an interesting thought, but I would assume that these services will have some good validation processes and will have easily available methods to validate the ID being provided. It does come back to the likely vulnerability though: will malicious actors (or one of those resourceful teenagers) be able to change details on the displayed ID, and will that then still allow them to validate against the verification methods? I think there will be a way to do it and, in my opinion, it will only be a matter of time before this will take place.

I think this discussion is important for us to have early, as these services will inevitably flow over into the business world and we will all be the ones who will be tasked with securing them for our organisations. So how about we get ahead of the game and start a conversation on this, and let’s ensure that as an industry we are prepared for what is to come with Digital IDs and whatever is to follow that.

As usual, tell me what you all think. I want to know what risks you think are involved with this change. How do you think we as an industry should proceed or approach it? I want to know, so please comment and start a worthy discussion.