For Sloan, a unified citizen digital ID should radically improve resident experience online. Work is under way in Arizona on a multipurpose portal where residents can conduct all of their business with government in one place. Sloan advised attendees to keep an eye out for a launch this fall.
“We have a citizen portal that we’re putting together,” he said. “In my mind, identity is the foundation for that portal. There’s no point in putting the portal together if you’re telling people ‘bring your 50 logins with you.’”
Sloan unveiled soon-to-be-released NASCIO survey findings on citizen digital identity, revealing that state CIOs are the single biggest driver of their respective states’ approaches to citizen digital identity, followed by state statute, cited by almost 40 percent of respondents. But there are many obstacles to overcome along the way: a competitive funding environment, fragmented solutions already in place at the agency level, data governance and cultural resistance, to name but a few.
Arizona is among the states with a mobile driver’s license, launched in March 2021, later including the ability to add the credential to mobile wallets. Like many, Sloan is looking to build on that foundation and get to a broader identity solution that focuses on an improved overall citizen experience.
ADOPTION OF MOBILE IDs CONTINUES TO GROW
To date, the American Association of Motor Vehicle Administrators (AAMVA), made up of DMVs in the U.S. and Canada, counts 22 states as having some form of mobile driver’s license, or mDL, up from just a handful a few years ago. But many other states are somewhere on the path. Mobile driver’s licenses are widely viewed as the foundation on which larger identity efforts can be built.
“Better than 90 percent of the population in North America, jurisdictions are looking at implementing mDL or have already done it,” said AAMVA’s Mike McCaskill. “The ones who have not done it are either doing pilots, looking at legislation changes that they need, or going through some process to ensure that that’s the direction that they want to go.”
There’s a long way to go when it comes to adoption. McCaskill reports in the 22 states that offer mobile driver’s licenses, about 7 percent of the population uses them. He estimates that in order to get more relying parties (businesses/agencies that would accept mDLs as a legitimate credential) to upgrade to the necessary tech to accept mDLs, that 7 percent number needs to grow to between 16 to 22 percent. That will represent a sufficient critical mass to justify the investment in the technology that would allow vendors to accept them.
IDENTITY AS CORE INFRASTRUCTURE
Sloan and McCaskill were joined on the NASCIO panel by Jeremy Grant of the Better Identity Coalition. Just eight years old, it’s made up of businesses that depend on identity systems — health-care systems, banks, technology companies, etc. He urged people to think about identity as core infrastructure. Vulnerabilities within that infrastructure cost billions each year, and those losses are certainly not limited to the oft-cited “fraud, waste and abuse” that cost government billions of dollars.
“Year after year and study after study, compromises of identity are the No. 1 attack factor that our adversaries are exploiting,” Grant said. “It is the same adversaries exploiting the same three or four deficiencies in digital identity infrastructure,” he continued. “At the end of the day, you’re trying to protect all of your residents from identity theft and fraud and identity-related cyber crime, and it shouldn’t matter if that attack is coming to them through a government services program or banking or something else.”
At the end of 2022, Grant’s organization published a blueprint for state policymakers that advocates for centering digital identity work around departments of motor vehicles, recognizing the central role government now plays in establishing identity. They would hold the cryptographic key that validates identity across digital transactions securely. It’s a method that fends off generative AI-powered deepfake attacks as well, Grant pointed out. The blueprint provides specific policy guidance for states to move them in the direction of a secure, interoperable digital identity that adheres to common standards.
The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has a project under way on mDLs to advance standards and best practices on digital identity. The second phase focuses on government services, and states can sign on to be a part of the conversation. To date, the NCCoE counts six states among its participants: California, Georgia, Kentucky, Maryland, New York and Ohio.
“It’d be great to see a few more state agencies come into the mix,” Grant said.
THE UTAH EXAMPLE
Many states are looking to Utah, which has been engaged in a multiyear digital identity effort. A bill passed unanimously by the Legislature early this year followed months of development work with broad stakeholder engagement. The legislation included a digital identity bill of rights full of significant safeguards for citizen privacy, like ensuring that data sharing is strictly limited to what is needed to complete the transaction at hand. Utah’s efforts to protect privacy while advancing a verifiable digital credential have secured the endorsement of the ACLU.
We caught up with Utah CIO Alan Fuller, who outlined what’s at stake in the national conversation.
Video transcript: I feel like state-endorsed digital identity is core infrastructure for the digital age. So many things depend on having a solid identity layer that we can rely on so that we can have a trust relationship online, a verifiable relationship, where the trust is established by cryptographic codes that allow the verifier or the person on the other side of the transaction to verify both the issuer of the credential and the holder of the credential to know that this really, the person I'm talking to, really is who they say they are. And that's going to have profound impact on both the public sector as well as the private sector. On health care, the ability to exchange health records, on retail, to be able to do age-restricted sales like tobacco and alcohol. On online industry, everything from social media to gaming to adult media sites where age verification is required. And so we desperately need this foundational identity layer. And that's what we're seeking to deliver with the state-endorsed digital identity.
