The iPhone will be the future of proving our identity, online and offline

 

 

We’ve seen some baby steps towards using our iPhone for proving our identity. But a couple of recent developments point to a future in which an iPhone – plus biometrics – could let us use our phone as a single means of verifying our identity, both online and in face-to-face interactions.

In all, Apple provides support for four initiatives which I think provide a clear pointer to a future in which the iPhone will be our one-stop device for ID …

Proving our identity with an iPhone

Apple currently offers support for four separate initiatives:

  • Mobile driving licences
  • Password-less login via Passkeys in the Cloud
  • Student ID
  • Captcha bypass

Each of these is an early stepping stone to what will eventually be a world in which our iPhone will be the primary way in which we prove our identity, both online and offline.

Mobile driving licences (mDL)

Back in June of last year, Apple announced its plans to allow state ID documents like driving licences in the Wallet app.

To be fully free of your physical wallet, there’s one more thing we need to bring to iPhone. And that’s your ID. So we’re bringing identity cards to Apple Wallet. This fall, you’ll just scan your drivers license or state ID in participating US states. It’s that easy. Your ID information is now in Wallet. Encrypted and stored in the Secure Element, the same hardware element technology that makes Apple Pay private and secure.

The company said that the Transportation Security Administration (TSA) would be climbing aboard, allowing iPhone owners to present digital versions of their driving licences as proof of ID for airline travel.

The TSA is working to enable airport security checkpoints as the first place you can use your digital ID.

That didn’t happen in the fall of 2021 as scheduled, and when it did finally happen, it was just dipping a toe in the water. As the mDL (mobile driving licence) tracker shows, the system hasn’t yet been officially implemented anywhere in the US, and there are just a handful of trials at a tiny number of airports.

The wheels of government grind exceedingly slowly, so the point at which we can flash our iPhone at a TSA checkpoint or traffic cop is some way off yet, but some 30 states have announced that they are at least exploring the idea.

Student ID cards

Partnering with Blackboard lets college students store their ID card in the Wallet app, which can then be used for everything from entering campus facilities to paying their laundry bills.

Students who load their IDs into Apple Wallet on iPhone/Apple Watch will be able to have secure access to campus facilities, residence halls, and more in addition to using the digital card for payments at vending machines, dining halls, laundry, and even off-campus retail locations that accept student IDs as payment.

Passkeys in the Cloud/FIDO

Back in 2020, Apple joined the FIDO Alliance, a tech working group dedicated to eliminating passwords. We’ve previously explained how FIDO (Fast IDentity Online) works.

Currently, to log in to a website or app, we usually enter a username and a password. What FIDO does is instead allow our device to authenticate us. The logic is this (using an iPhone with Face ID as an example):

  • A website or app asks you to identify yourself, and prove your identity.
  • Your iPhone receives that request, and activates Face ID.
  • If your face matches, your iPhone tells the website who you are,
    and that it has confirmed your identity.

At no point is there a password involved: Authentication is performed on your device, not on the website server. The web server trusts your iPhone to authenticate you in exactly the same way that payment terminals trust your phone for Apple Pay transactions.
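
The flow above as an added example (not code from the original article or from Apple): a simplified challenge-response in Node.js showing that the website stores only a public key and checks a signature the device produces after the local biometric match. The function names, the user alice and the shop.example origins are assumptions, and the biometricOk flag stands in for Face ID; real passkeys use the WebAuthn API, where the browser supplies the origin.

```javascript
const crypto = require("node:crypto");

// Device side: the private key is generated on the device and never leaves it.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  return {
    publicKey, // the only thing the website receives at registration
    sign(challenge, origin, biometricOk) {
      if (!biometricOk) return null; // stand-in for Face ID: no local match, no signature
      const clientData = JSON.stringify({ challenge, origin });
      return { clientData, signature: crypto.sign("sha256", Buffer.from(clientData), privateKey) };
    },
  };
}

// Server side: holds a public key per user, no password and no biometric data.
function createRelyingParty(origin) {
  const users = new Map();   // username -> public key
  const pending = new Map(); // username -> outstanding challenge
  return {
    register(user, publicKey) { users.set(user, publicKey); },
    newChallenge(user) {
      const c = crypto.randomBytes(32).toString("hex");
      pending.set(user, c);
      return c;
    },
    verify(user, assertion) {
      const expected = pending.get(user);
      pending.delete(user); // challenges are single use, so a replayed assertion fails
      if (!assertion || !expected || !users.has(user)) return false;
      const { challenge, origin: signedOrigin } = JSON.parse(assertion.clientData);
      if (challenge !== expected || signedOrigin !== origin) return false;
      return crypto.verify("sha256", Buffer.from(assertion.clientData), users.get(user), assertion.signature);
    },
  };
}

// Constructed scenario; "alice" and the shop.example origins are made-up sample values.
function demo() {
  const phone = createAuthenticator();
  const site = createRelyingParty("https://shop.example");
  site.register("alice", phone.publicKey);
  const good = phone.sign(site.newChallenge("alice"), "https://shop.example", true);
  const ok = site.verify("alice", good);
  const replay = site.verify("alice", good); // same assertion presented again
  const lookalike = site.verify("alice", phone.sign(site.newChallenge("alice"), "https://shop.example.invalid", true));
  const noFace = site.verify("alice", phone.sign(site.newChallenge("alice"), "https://shop.example", false));
  return { ok, replay, lookalike, noFace };
}
console.log(demo());
```

Only the first login succeeds: the replayed assertion, the one signed for a different origin and the one with no biometric match are all rejected, and nothing the server stores would let someone who copied its database log in.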

Apple branded its implementation of FIDO as Passkeys in the Cloud. After a halfway house in iOS 15, the iPhone maker has fully implemented this in iOS 16 and macOS 13.

Of course, it also requires online services to support the login method, and this will again take time.

Captcha bypass

iOS 16 allows us to bypass Captchas in apps and on the web.

A new feature called Private Access Tokens will use a combination of details about your device and your Apple ID to inform a website that you are a legitimate user rather than a robot. In turn, this allows you to completely bypass the CAPTCHA step.

This might seem like an odd thing to mention in this context, as it doesn’t actually verify our identity, but it operates on the same principle – it carries out a form of user validation, with the authentication needed for this happening entirely on our device.

Again, this requires apps and websites to sign up, so rollout will take some time, but it’s an easy way to improve the user experience while reducing friction (points at which people might give up), so I’d again expect adoption to be reasonably brisk.

Proving our identity in this way will become standard

Long-term, I’d expect the principles involved here to become the standard way we prove our identity, both online and offline. This is because it’s safer for all involved – individuals, companies, and governments.

Individuals

It’s safer for us both online and offline.

Online data breaches are ridiculously common. Companies keep making ridiculous mistakes like storing customer databases on cloud servers without any protection, or messing up permissions so anyone with access to their network can download customer records. With FIDO, there is no database to hack.

Offline, only the necessary personal data is revealed, and that is done in encrypted form. When you show your mobile driving licence at a TSA checkpoint, they only receive the actual data they need, not all the data stored on/in your licence. It’s very much equivalent to Apple Pay, where the payment terminal doesn’t get all of the information on your credit card, and relies on your iPhone confirming that it has verified your identity with Face ID or Touch ID.

Companies

One of the biggest headaches for businesses is keeping customer data safe from hackers. The financial and reputational cost of a security breach can be extremely high. With FIDO, no user credentials are stored on the server as the authentication happens entirely on our devices. (Of course, they still have to keep other customer data safe, but removing the need for login credentials is a big win.)

Governments

Paper documents can be convincingly forged, despite watermarks and the like, which is why really important ones like passports also rely on electronic security in the form of an embedded RFID chip. Moving all identity documents to electronic versions, with biometric protection, is a huge step forward in security.

There is massive additional potential in this approach

I mentioned above that companies will still have to store some customer data, like addresses. But what if they didn’t have to? What if you place an online order, and your iPhone or Mac sends an encrypted code which can only be decoded by courier companies?

What if your doctor didn’t phone you with test results, but instead sent you a link to a file which can only be read by a device which uses biometric authentication to prove your identity?

What if you didn’t have to show your credit card or ID when collecting concert tickets, but your iPhone verified your identity without revealing any of your data?

It doesn’t take much imagination to see the massive potential for on-device authentication to be used in any situation in which we need to prove our identity, whether online or offline.

To me, on-device authentication is the future of ID checks, even – eventually – passports and visas. Personally, I can’t wait. What about you?