We know that support for secure ID is coming to Android, and ahead of the formal release of an ISO standard for the process, Google is detailing some of the particulars behind how it will work — specifically, how it will enhance your privacy compared to the old hand-someone-your-actual-physical-ID-card method. But even with all these details, it still feels like we’re no closer to actually having them.
To start, the obvious: This standard means your phone can safely and digitally store all the data that would otherwise be on your license or other ID. However, it’s not quite so easy for the other guy to read it in that format; the receiving party will need a corresponding device to access it. That may be a phone, but it could also be something else, like a retail terminal. Either way, you tap a button and, following a quick cryptographic public/private key tango that establishes a secure connection, the reader can request data from the sender. This can be a blanket request for categorized information attached to the ID, but it can be used in more abstract ways that enhance your security.
For example, if you’re picking up a six-pack of beer, the person at the register doesn’t necessarily need to know your address, what kinds of cars you’re licensed to drive, or even your exact birth date. They only need to know if you’re old enough to buy beer. To that end, the receiver can narrow its focus and ask simpler abstract questions — like “is this person over 21” — and essentially get a yes or no answer, offering the same level of authentication and security while protecting your privacy. Normal ID cards also have that big barcode on the back loaded with all your data. While it’s convenient for a quick scan at the liquor store, some venues store and even sometimes sell that data, which can include your address — yikes. With this, they never get it in the first place. And all data that is transmitted is cryptographically signed by the issuing authority (like the DMV or government), so it can’t be faked — at least, not as easily.
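To make the "only the over-21 answer, but still signed by the issuer" idea concrete, here is an added sketch of one way such signed selective disclosure can be built: the issuer signs a list of salted digests, and the phone reveals only the requested element together with its salt. It is not code from Google or from the standard; the function names, the JSON encoding, the Ed25519 key and the sample attributes are all assumptions of this example.

```javascript
// Added illustration (not Google's or the standard's code); all data is constructed.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
// Each element is hashed together with a random salt, so an undisclosed
// value (a birth date, say) cannot be guessed back from its digest.
const digestOf = (name, item) => sha256(JSON.stringify([name, item.salt, item.value]));

// Issuer (e.g. the DMV): salt every element, sign only the list of digests.
function issue(attributes, issuerPrivateKey) {
  const items = {}, digests = {};
  for (const [name, value] of Object.entries(attributes)) {
    items[name] = { salt: crypto.randomBytes(16).toString('hex'), value };
    digests[name] = digestOf(name, items[name]);
  }
  const signedDigests = JSON.stringify(digests);
  const signature = crypto.sign(null, Buffer.from(signedDigests), issuerPrivateKey);
  return { items, signedDigests, signature };
}

// Holder (the phone): release only the elements the reader asked for.
function present(credential, requested) {
  const disclosed = {};
  for (const name of requested) {
    if (Object.hasOwn(credential.items, name)) disclosed[name] = credential.items[name];
  }
  return { disclosed, signedDigests: credential.signedDigests, signature: credential.signature };
}

// Reader: check the issuer's signature first, then each disclosed element's digest.
function verify(presentation, issuerPublicKey) {
  const { disclosed, signedDigests, signature } = presentation;
  if (!crypto.verify(null, Buffer.from(signedDigests), issuerPublicKey, signature)) return null;
  const digests = JSON.parse(signedDigests);
  const accepted = {};
  for (const [name, item] of Object.entries(disclosed)) {
    if (!item || digests[name] !== digestOf(name, item)) return null; // altered or unknown element
    accepted[name] = item.value;
  }
  return accepted;
}

// Constructed sample data, not taken from any real credential.
const issuerKeys = crypto.generateKeyPairSync('ed25519');
const credential = issue(
  { family_name: 'Example', birth_date: '1990-01-01', address: '1 Sample St', age_over_21: true },
  issuerKeys.privateKey);
const shown = present(credential, ['age_over_21']);
console.log(verify(shown, issuerKeys.publicKey)); // only the age flag reaches the reader
```

The reader in this sketch still sees which element names exist, because the signed digest list is keyed by name; it never sees their values or salts.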
Furthermore, your phone can layer additional biometric security authentication on top of those requests, so the information can’t be taken by an unauthorized party without your consent, as it can be from a dumb printed card. If you’re mugged or lose your wallet, that information’s out there in plain text, but a lost phone is just filled with scrambled bits. Eventually, the standard will include biometric authorization to supplement things like a portrait photo to prove you’re the (digital) cardholder, though it won’t support it at launch.
Android already has the essential features required for this, like support for hardware-based key storage and isolated trusted computing environments. Android 11 also offers Identity Credential APIs that will make it even easier for developers and manufacturers to use, and Google has put together an Android Jetpack library that makes implementing it both easier and compatible with almost every device out there. There are a few speedbumps already known, like the potential requirement of hardware certification for that biometric authentication, and a “Direct Access” mode that won’t require power but requires special hardware. But the basic requirements are already set, and most phones meet them.
This standard isn’t finalized just yet, but it’s worth pointing out that it’s not only based on Google’s wants. License issuers (i.e., states and governments) and law enforcement have also had a hand in its creation, and it’s general enough to work with other types of documents like passports, club cards, and loyalty programs. While it might be a while until you buy a drink end-to-end with nothing but your phone, the technical details are all lined up for it, and Android is ready. Soon we’ll just be waiting on the glacial pace of bureaucracy.