Inferensys

Glossary

ISO 18013-5 (mDL)

An international standard defining the interface and security mechanisms for a mobile Driver's License, enabling contactless device retrieval and selective data release.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
MOBILE DRIVER'S LICENSE STANDARD

What is ISO 18013-5 (mDL)?

ISO 18013-5 is the international standard defining the interface, security mechanisms, and data model for a mobile Driver's License (mDL), enabling contactless device retrieval and selective data release.

ISO 18013-5 specifies the technical framework for issuing, storing, and presenting a mobile Driver's License on a personal device, such as a smartphone. The standard defines a device retrieval mechanism using near-field communication (NFC) or QR codes to initiate a secure, encrypted session between the mDL holder and a reader, eliminating the need to physically hand over a device.

A core architectural component is selective disclosure, allowing the holder to release only specific data elements—such as age verification—without exposing full identity details. The standard mandates issuer-signed data structures and session encryption to prevent tampering and eavesdropping, establishing a cryptographically verifiable trust model for in-person identity verification.

MOBILE DRIVER'S LICENSE STANDARD

Key Features of ISO 18013-5

The ISO 18013-5 standard defines the technical interface and security protocols for a mobile Driver's License (mDL), enabling secure, contactless data retrieval and user-consented selective disclosure.

01

Device Retrieval via BLE, NFC, and QR

The standard specifies a device retrieval mechanism that initiates communication between the mDL holder's device and a reader. It supports multiple transport protocols to ensure broad compatibility:

  • BLE (Bluetooth Low Energy): Enables proximity-based, hands-free engagement.
  • NFC (Near Field Communication): Provides tap-to-connect functionality for quick interactions.
  • QR Code Engagement: Allows optical initiation for devices without radio hardware. This multi-modal approach ensures the standard functions across a wide range of reader hardware, from dedicated kiosks to consumer smartphones.
02

Selective Disclosure of Data Elements

A core privacy-preserving feature, selective disclosure allows the mDL holder to consent to the release of only the specific data elements required for a transaction. Instead of presenting the entire license, the holder can release:

  • A simple age over 18/21 boolean assertion without revealing the birth date.
  • Driving privileges (e.g., class of vehicle) without exposing the home address.
  • A portrait image for visual verification only. This is enforced cryptographically through the Mobile Security Object (MSO) , preventing verifiers from accessing non-consented data.
03

Mobile Security Object (MSO) for Data Integrity

The Mobile Security Object (MSO) is the cryptographic backbone of the mDL. It is a digitally signed structure, created by the issuing authority, that binds the license data to the device. The MSO provides:

  • Data Integrity: Any modification to the license data after issuance invalidates the MSO signature.
  • Origin Authentication: The reader cryptographically verifies the data came directly from the issuing authority's trusted infrastructure.
  • Anti-Cloning Protection: The MSO is bound to the device's hardware keys, preventing the raw data from being copied and presented from a different device.
04

Reader Authentication and Engagement

Before any data is released, the standard mandates a two-way handshake to establish trust. The mDL holder's device must authenticate the reader to prevent data skimming by unauthorized parties. This process involves:

  • Reader Certificate Validation: The reader presents a digital certificate chain that the mDL app validates against a trusted root.
  • Data Elements Request: The reader sends a structured request specifying exactly which data elements it requires.
  • Holder Consent: The user interface must clearly display the requested elements and the verified reader identity, requiring explicit user consent before the MSO is transmitted.
05

Offline Verification Capabilities

ISO 18013-5 is designed for offline-first operation, a critical requirement for field use where network connectivity is unreliable. The entire verification flow occurs locally between the two devices:

  • The reader does not need to call back to a central issuing server to validate the MSO.
  • The issuing authority's public key certificate is pre-distributed to reader devices.
  • The reader performs a local cryptographic check of the MSO signature and certificate revocation status. This ensures sub-second transaction times and functionality in tunnels, rural areas, or during network outages.
06

ISO 18013-7 Companion for Remote Presentation

While ISO 18013-5 focuses on proximity-based transfers, the complementary ISO 18013-7 standard extends the mDL for remote, online verification. It defines how to use the mDL data over the internet using RESTful APIs. Key aspects include:

  • OpenID for Verifiable Credentials (OID4VC) protocol integration for web-based logins.
  • Secure transmission of the MSO over TLS-encrypted channels.
  • Standardized web APIs that allow online services to request and verify mDL data without a physical reader. This pairing provides a complete identity solution for both physical and digital interactions.
ISO 18013-5 (mDL) EXPLAINED

Frequently Asked Questions

Technical answers to the most common questions about the international standard for mobile Driver's Licenses, covering device retrieval, security mechanisms, and selective disclosure protocols.

ISO 18013-5 is an international standard defining the interface, security mechanisms, and data model for a mobile Driver's License (mDL). It specifies how a license is provisioned to a mobile device and how that device communicates with a reader—typically via NFC, Bluetooth Low Energy (BLE), or QR code—to transfer identity data. The standard operates on a holder-initiated engagement model: the mDL holder must explicitly consent before any data is released. The core data structure is a CBOR-encoded Mobile Security Object (MSO) signed by the issuing authority, which cryptographically binds the license data to the device's public key, ensuring authenticity and preventing tampering. The protocol supports both device retrieval (reader requests data from the device) and server retrieval (reader fetches data from a central server after device authentication).

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.