The basics: What’s an mDL?
Mobile driver’s licenses (mDLs), a type of verifiable digital credential, are digital versions of a driver’s license or state ID stored in a digital wallet on a person’s mobile device. A true mDL is not a photo of a license, a PDF scan, or a screenshot stored in a wallet app. Instead, an mDL is structured identity data issued by an authorized authority (typically a government agency) and cryptographically protected, so that a verifier can confirm it’s authentic.
In simple terms: an mDL is designed to be machine-verifiable, not just visually inspected.
Why mDLs are more trustworthy than images of IDs
mDLs are built on a different trust model than document scans. While implementations vary, mDL ecosystems commonly include these security properties:
- Hardware-backed protection: The credential is stored in a device’s secure hardware (often called a secure enclave/secure element), making it much harder to copy or export than a normal image file.
- Cryptographic signatures: The issuer digitally signs the credential data. A verifier can check that signature to confirm the data hasn’t been altered.
- Challenge–response proof: During presentation, the wallet can prove it holds the credential by responding to a cryptographic challenge — helping prevent replay and “injection” style attacks.
- User presence controls: Presenting an mDL typically requires a device unlock step (biometric or PIN), reducing risk if a phone is lost or stolen.
The result is a stronger trust signal: a credential that can be verified mathematically, rather than “scored” based on how real a photo appears. In July 2025, NIST updated their IAL requirements to include mDLs, strengthening the argument that mDLs are more trustworthy than images of IDs. The revision redefines the minimum bar for common scenarios like IAL2 while tightening the definition of IAL3.
Privacy: Selective disclosure and data minimization
One of the biggest benefits of identity verification with mDLs is that the user presents less data, minimizing the risk of unnecessary data exposure.
With physical IDs (and many scan-based flows), organizations often collect far more information than they need — full name, address, document number, date of birth — because it’s all printed on the card and captured in an image. Alternatively, many mDL presentations can support selective disclosure, such as:
- Proving “over 21” without sharing an exact birthdate
- Proving residency without sharing a physical home address
- Proving status without sharing ID numbers
This “minimum necessary data” model meets GDPR/CCPA data minimization and compliance goals and reduces the impact of data breaches because less sensitive data gets stored in the first place.
Identity proofing vs. credential verification (and where mDLs fit)
It helps to separate two related concepts:
- Identity proofing: The process of establishing that a person is who they claim to be (often during enrollment/onboarding).
- Credential verification: Confirming that a presented credential is authentic, valid, and belongs to the presenter.
Traditional online ID proofing
Common online flows typically involve:
- Capturing images of a physical ID
- OCR and document authenticity checks
- Selfie + liveness detection
- Database and watchlist checks
These approaches are widespread, but they can be:
- friction-heavy (especially on mobile)
- privacy-invasive (collecting full ID images)
- probabilistic (based on confidence scores)
- more vulnerable to synthetic media as AI improves
mDL verification
mDL-based verification is designed to be cryptographic and deterministic: the verifier checks whether the credential is valid and unaltered, rather than judging whether an image “looks genuine.”
This can reduce reliance on selfie comparisons and manual review, while improving both security and user experience, especially when an mDL can be reused across multiple interactions.
mDL verification, and verifiable digital credentials more broadly, are a fundamental shift in how identity is verified and where trust is placed:
- Old Way: Verifier Trust → The company trusts a third-party ID proofing company, like Persona or LexisNexis, to verify a physical ID and a selfie during the time of transaction.
- New Way: Issuer Trust → The company relies on the government's high-assurance process during the time of issuance.
Where mDLs are used: common digital identity scenarios
mDLs are especially useful in moments where organizations need higher assurance with less friction.
Consumer and online services
- Age-restricted experiences: Prove age eligibility without exposing unnecessary fields (like home address).
- Financial services / KYC: Support account opening and regulated onboarding with higher-confidence identity attributes.
- Car rental and mobility services: Verify licensed status and identity remotely to streamline onboarding.
- High-risk account actions: Add a “step-up” identity check for password resets, profile changes, or large transactions.
Workforce and enterprise scenarios
- Account recovery/help desk verification: Employees can prove identity without relying on knowledge-based questions or ad hoc document emails.
- Remote hiring and onboarding: Verify new hires before issuing credentials or granting access.
- Privileged access step-up: Require higher-assurance verification before granting access to sensitive systems.
Government and civic services
- Proof of identity or residency: For benefits, enrollment, or eligibility workflows.
- Fraud reduction in service delivery: More reliable identity assertions can reduce duplicate or synthetic identities.
- Healthcare and in-home services: Support verification for scenarios like visit attestation and caregiver workflows (where appropriate).
Standards that shape mDL interoperability
A major reason mDLs are gaining traction is that they’re increasingly standards-based, which improves interoperability across wallets, issuers, and verifiers.
- ISO/IEC 18013-5: Core standard focused on mDL data structure and in-person presentation.
- ISO/IEC 18013-7: Extends mDL standards toward remote/online presentation (important for digital-first verification).
- AAMVA guidance (U.S.): Implementation profiles and guidance that help issuing authorities align mDL deployments across jurisdictions.
Standards matter because digital ID only scales when verifiers can trust that a credential from one issuer will be presented and validated consistently across many environments.
mDL adoption
While mDLs offer superior security and privacy, adoption is still maturing, and there are practical limitations worth noting:
mDLs are not yet universally adopted across all U.S. states or countries. In 2026, mDLs are active in 20 US states and Puerto Rico. They are currently widely adopted in the US and Australia, but not every individual has an mDL, limiting initial reach. (US states where mDLs are already supported)
While adoption varies by region, momentum is accelerated by several key drivers, including eIDAS 2.0 mandates, State-level mDL rollouts in the US, growing wallet support (Apple/Google), industry-specific compliance mandates like required age-verification, and increasing fraud pressure.
The big picture: from “best guess” to cryptographic trust
Traditional online identity checks often come down to probabilities: confidence scores, image quality, and judgments about whether a person and document appear legitimate. As AI makes convincing fakes easier, that “best guess” model becomes harder to defend.
mDLs point toward a different approach: verifiable, cryptographically protected digital credentials that enable stronger security and better privacy at the same time. They’re not a silver bullet — ecosystem adoption, user availability, and policy decisions still matter — but they represent a meaningful step toward more reliable digital identity verification.
Okta is building the digital trust infrastructure for the AI era, and mDLs and verifiable digital credentials are at the heart of it. Learn more about Okta’s verifiable digital credentials platform.
