ISO 18013-5 specifies the technical framework for issuing, storing, and presenting a mobile Driver's License on a personal device, such as a smartphone. The standard defines a device retrieval mechanism using near-field communication (NFC) or QR codes to initiate a secure, encrypted session between the mDL holder and a reader, eliminating the need to physically hand over a device.
Glossary
ISO 18013-5 (mDL)

What is ISO 18013-5 (mDL)?
ISO 18013-5 is the international standard defining the interface, security mechanisms, and data model for a mobile Driver's License (mDL), enabling contactless device retrieval and selective data release.
A core architectural component is selective disclosure, allowing the holder to release only specific data elements—such as age verification—without exposing full identity details. The standard mandates issuer-signed data structures and session encryption to prevent tampering and eavesdropping, establishing a cryptographically verifiable trust model for in-person identity verification.
Key Features of ISO 18013-5
The ISO 18013-5 standard defines the technical interface and security protocols for a mobile Driver's License (mDL), enabling secure, contactless data retrieval and user-consented selective disclosure.
Device Retrieval via BLE, NFC, and QR
The standard specifies a device retrieval mechanism that initiates communication between the mDL holder's device and a reader. It supports multiple transport protocols to ensure broad compatibility:
- BLE (Bluetooth Low Energy): Enables proximity-based, hands-free engagement.
- NFC (Near Field Communication): Provides tap-to-connect functionality for quick interactions.
- QR Code Engagement: Allows optical initiation for devices without radio hardware. This multi-modal approach ensures the standard functions across a wide range of reader hardware, from dedicated kiosks to consumer smartphones.
Selective Disclosure of Data Elements
A core privacy-preserving feature, selective disclosure allows the mDL holder to consent to the release of only the specific data elements required for a transaction. Instead of presenting the entire license, the holder can release:
- A simple age over 18/21 boolean assertion without revealing the birth date.
- Driving privileges (e.g., class of vehicle) without exposing the home address.
- A portrait image for visual verification only. This is enforced cryptographically through the Mobile Security Object (MSO) , preventing verifiers from accessing non-consented data.
Mobile Security Object (MSO) for Data Integrity
The Mobile Security Object (MSO) is the cryptographic backbone of the mDL. It is a digitally signed structure, created by the issuing authority, that binds the license data to the device. The MSO provides:
- Data Integrity: Any modification to the license data after issuance invalidates the MSO signature.
- Origin Authentication: The reader cryptographically verifies the data came directly from the issuing authority's trusted infrastructure.
- Anti-Cloning Protection: The MSO is bound to the device's hardware keys, preventing the raw data from being copied and presented from a different device.
Reader Authentication and Engagement
Before any data is released, the standard mandates a two-way handshake to establish trust. The mDL holder's device must authenticate the reader to prevent data skimming by unauthorized parties. This process involves:
- Reader Certificate Validation: The reader presents a digital certificate chain that the mDL app validates against a trusted root.
- Data Elements Request: The reader sends a structured request specifying exactly which data elements it requires.
- Holder Consent: The user interface must clearly display the requested elements and the verified reader identity, requiring explicit user consent before the MSO is transmitted.
Offline Verification Capabilities
ISO 18013-5 is designed for offline-first operation, a critical requirement for field use where network connectivity is unreliable. The entire verification flow occurs locally between the two devices:
- The reader does not need to call back to a central issuing server to validate the MSO.
- The issuing authority's public key certificate is pre-distributed to reader devices.
- The reader performs a local cryptographic check of the MSO signature and certificate revocation status. This ensures sub-second transaction times and functionality in tunnels, rural areas, or during network outages.
ISO 18013-7 Companion for Remote Presentation
While ISO 18013-5 focuses on proximity-based transfers, the complementary ISO 18013-7 standard extends the mDL for remote, online verification. It defines how to use the mDL data over the internet using RESTful APIs. Key aspects include:
- OpenID for Verifiable Credentials (OID4VC) protocol integration for web-based logins.
- Secure transmission of the MSO over TLS-encrypted channels.
- Standardized web APIs that allow online services to request and verify mDL data without a physical reader. This pairing provides a complete identity solution for both physical and digital interactions.
Frequently Asked Questions
Technical answers to the most common questions about the international standard for mobile Driver's Licenses, covering device retrieval, security mechanisms, and selective disclosure protocols.
ISO 18013-5 is an international standard defining the interface, security mechanisms, and data model for a mobile Driver's License (mDL). It specifies how a license is provisioned to a mobile device and how that device communicates with a reader—typically via NFC, Bluetooth Low Energy (BLE), or QR code—to transfer identity data. The standard operates on a holder-initiated engagement model: the mDL holder must explicitly consent before any data is released. The core data structure is a CBOR-encoded Mobile Security Object (MSO) signed by the issuing authority, which cryptographically binds the license data to the device's public key, ensuring authenticity and preventing tampering. The protocol supports both device retrieval (reader requests data from the device) and server retrieval (reader fetches data from a central server after device authentication).
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding ISO 18013-5 requires familiarity with the broader decentralized identity ecosystem and the cryptographic primitives that enable secure, privacy-preserving data exchange.
Selective Disclosure
The core privacy mechanism enabled by ISO 18013-5. It allows the holder of an mDL to release only the specific data elements required for a transaction—such as proving age over 21—without exposing their full name, address, or license number.
- Data Minimization: The verifier receives only the boolean answer or specific attribute requested.
- User Consent: The standard mandates that the holder must explicitly authorize every data release on a per-request basis.
- Technical Implementation: Achieved through the mobile document requesting only the signed data groups that correspond to the verifier's certified request.
Device Retrieval (BLE & NFC)
ISO 18013-5 specifies two distinct engagement methods for retrieving mDL data from a holder's device to a verifier's reader, both designed for offline, proximity-based interactions.
- QR Code Engagement: The holder displays a dynamic QR code containing the device engagement structure; the reader scans it to initiate a BLE or NFC handover.
- NFC Tap: Uses NDEF records for a tap-to-share experience, automatically negotiating a secure BLE connection for the data transfer.
- Offline Operation: All retrieval methods function without requiring an internet connection, ensuring operability in underground transit or remote areas.
Issuer Signed Data Structure
The mobile security object (MSO) is the cryptographic core of the mDL. It is a CBOR-encoded structure containing a hash tree of all data elements, signed by the issuing authority.
- Hash Tree Integrity: Each data element is individually hashed and aggregated into a Merkle tree, allowing the holder to selectively disclose specific leaves without invalidating the issuer's signature.
- CBOR Encoding: Uses the Concise Binary Object Representation for minimal payload size and efficient parsing on constrained devices.
- Validity Period: The MSO contains strict
validFromandvalidUntiltimestamps, enforcing the credential's lifecycle.
Holder Binding
The cryptographic mechanism that proves the person presenting the mDL is its legitimate holder, preventing presentation attacks where a stolen data blob is replayed.
- Device Key Proof: The holder's device generates an ephemeral key pair and signs the session transcript, proving possession of the private key linked to the mDL.
- Biometric Unlock: The standard recommends that the device key be protected by a local biometric check before signing occurs.
- Passive Authentication: The verifier validates the signature chain from the device key back to the issuing authority's trusted certificate.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us