The Path to Digital Identity in the United States

Digital IDs are a more convenient, secure, and versatile option than physical IDs, but few Americans currently have one. With the right investments and collaboration between federal and state governments, Americans could realize the full potential of digital IDs.

KEY TAKEAWAYS

Key Takeaways

Contents

Key Takeaways 1

Introduction.2

The Case for Digital Identity 3

Digital Identity Trends 4

The Current Patchwork.7

Mobile Driver's Licenses 7

Challenges 10

Efforts at a National Standard.12

NIST Digital Identity Guidelines 12

National Strategy for Trusted Identities in Cyberspace.12

Improving Digital Identity Act 13

The Future of Digital Identity 14

Endnotes 16

Introduction

The overwhelming majority of smartphone-owning Americans live their day-to-day lives with the world virtually at their fingertips. They can stay in touch with friends and family, buy and sell products and services across borders, and access a seemingly endless library of information and entertainment at the touch of a screen. But for most Americans, if they want to prove their identity, they still need to reach into their wallet and pull out a physical form of ID, even though the technology exists to upgrade this process.

As more of Americans' everyday activities move online, the lack of digital identity solutions becomes more of a problem. Countries around the world have forged ahead in offering digital ID, leaving the United States in the dust. Here at home, a handful of states have risen above the rest by offering mobile driver's licenses (mDLs), but these efforts are uncoordinated and unavailable in most of the country. There is a better way, one spearheaded by a national initiative to ensure all Americans have access to convenient, accessible, and trustworthy forms of digital ID.

This report lays out a path toward achieving that goal. To start, it outlines the benefits of digital ID over physical forms of identification. It then analyzes trends in digital identity around the world, looking at various countries' digital ID offerings and how the private sector plays a role in making digital ID widely available. It explores the current patchwork of digital identity in the United States and the early efforts at creating a national standard for digital ID implementation. Finally, it recommends policies federal and state governments should take toward the future of digital identity in America.

The Case for Digital Identity

Simply put, a digital ID is a digital version of an identification document, such as a driver's license or passport. Typically stored on an individual's mobile device and accessible via an app, digital ID holds the potential to increase convenience, security, privacy, and usability as compared with physical IDs. With a well-developed digital ID system, individuals could access all their relevant identity documents in one place and use those documents to complete a wide range of activities that require identity verification.

The convenience factor of digital ID is the first and most obvious benefit. According to Pew Research Center, 90 percent of Americans owned a smartphone as of 2023, including 97 percent of Americans under 50.[1]With the rise of digital payments and digital ID, these individuals would no longer need to carry around a physical wallet.

For an even more convenient experience, digital ID platforms could allow individuals to upload other relevant documents-permits, licenses, vaccination cards, and more-further reducing the need for a physical wallet. Digital ID could also communicate additional attributes tied to identity, such as "veteran" or "enrolled student," eliminating the need for separate ID cards-such as student IDs-that communicate these attributes.

The increased convenience of digital IDs compared with their physical counterparts benefits governments as well as individuals. According to a 2019 report by McKinsey Digital, digital ID could save 110 billion hours globally by streamlining government services. The resulting cost savings and fraud reduction could amount to $1.6 trillion. In the United States specifically, full digital ID coverage could unlock economic value equivalent to 4 percent of gross domestic product (GDP) in 2030.[2]

The transition from physical wallets to mobile wallets also brings with it increased security. Thieves can easily steal a wallet off an individual and access their personal belongings and any information on their physical ID. However, while thieves can just as easily steal a smartphone off an individual, as long as the phone is secured using built-in features such as passwords or biometrics, the information stored on the phone will remain encrypted. Pew Research Center found in 2023 that 83 percent of smartphone owners take advantage of their smartphone's security features to safeguard their data.[3]

If designed correctly, digital ID can also be more privacy-protective than physical ID. Currently, when individuals hand over a physical ID in person or upload a photo of their physical ID online, the recipient can view all of the personal information displayed on the ID, including the individual's full name, date of birth, home address, and photograph. But governments could design digital IDs to display a barcode, QR code, or other scanning method that only reveals relevant information. For example, when purchasing alcohol, a digital ID would only reveal that the purchaser is over 21.

Finally, digital ID comes with increased usability compared with physical ID. Designed properly, digital ID would enable individuals to complete any transaction they currently complete with a physical ID: entering age-restricted spaces, purchasing age-restricted products, interacting with law enforcement, passing through airport security checkpoints, voting, and more. They would also simplify online transactions that require identity verification, including accessing age-restricted content, purchasing age-restricted products, securely signing legal documents digitally, and executing contracts.

Because of this increased usability, if widely deployed and adopted, digital IDs could play a key role in age verification for online services, limiting access for individuals below a certain age. Age verification is a controversial approach to ensuring children's safety online by keeping children out of adult-oriented online spaces. There are multiple ways online services can verify users' ages, with ID checks being the most accurate but also the most invasive option. Digital ID could make this process less invasive by only sharing necessary information about individuals-for example, whether they are over the age of 18.[4]

Digital ID could also enable easier access to financial services, which typically require identity verification, and help businesses comply with know-your-customer and anti-money laundering laws. Globally, digital ID could provide access to financial services to 1.7 billion individuals who are currently financially excluded, according to McKinsey Digital.[5]

The current state of digital ID in America-passports equipped with electronic chips that hold identifying information about individuals and a limited patchwork of state-issued mDLs-has only begun to deliver on some of the promises of digital ID. Currently, most Americans do not have a digital ID, and those who do can only use it in a limited number of use cases. But the technological capability exists to offer fully realized digital ID that can perform all the functions previously listed, and with the right investments and collaboration between federal and state governments, Americans could realize the full potential of digital ID.

Digital Identity Trends

Since the advent of the 21st century, countries around the world have begun introducing and implementing forms of identification that can operate in both physical and digital environments. Early forms of such identification were electronic ID cards, physical cards equipped with radio-frequency identification (RFID) chips for online authentication.[6]More recent technology uses smartphone applications for a similar purpose, with a visual representation of an individual's ID and a QR code or barcode for scanning.

Countries have introduced these forms of digital ID for a variety of reasons, including many of the previously listed benefits-such as increasing convenience for users accessing government and other services and simplifying online identity verification-as well as other motivations, such as increasing the availability of identification for underserved populations. Countries also take different approaches to digital ID, with some spearheading a government-led effort to develop and distribute digital forms of identification and others relying on public-private partnerships to accomplish the same goal.

In order to ensure that their residents can travel with their digital ID, some countries have engaged in standards-setting with other countries in order to mutually accept each other's digital IDs. For example, a group of countries including Australia, Canada, Finland, Israel, the Netherlands, New Zealand, Singapore, and the United Kingdom established the Digital Government Exchange Digital Identity Working Group in 2020 to agree on principles and definitions for digital ID and lay the groundwork for international agreements.[7]Additionally, both the European Union and the African Union have initiatives aimed to create interoperable digital ID systems for their member states.[8]

Government actors are not the only parties involved in providing digital ID to the general public. As exemplified by Sweden's BankID, financial institutions can offer digital ID to their customers as an alternative to traditional means of identity verification, such as PINs and passwords. However, even when not issuing a digital ID, governments are still responsible for establishing a person's legal identity. Governments may also work with device manufacturers such as Apple and Google to ensure that individuals can access their digital ID via the Wallet app on their mobile devices, or partner with another company to develop a standalone app that hosts users' digital ID.

Finally, governments can experiment with blockchain technology for digital ID to enhance security, resilience, transparency, and interoperability. Blockchains are digital ledgers that record information that is distributed among a network of computers and consist of a series of digital "blocks" that are securely linked together using cryptography. These blocks record information-in this case, an individual's digital ID. Each computer in the network stores a copy of the blockchain, forming a distributed peer-to-peer network where updates are shared and synchronized.

The blockchain eliminates the need for a central authority, such as a bank or government agency, to ensure the integrity of records. Instead, blockchains maintain agreement between all participants using a "consensus protocol"-a set of rules that allows each computer in the network to determine when to add new information to the blockchain.[20]However, even when using blockchain, government agencies still play an important role in verifying and authenticating a person's identity before issuing a digital ID.

The Current Patchwork

In the absence of a national standard for digital identity, a handful of forward-thinking states have begun offering digital ID in the form of mDLs, which are still early in their implementation, with relatively few adopters and limited use cases. Indeed, many states that offer mDLs encourage users to still carry a copy of their physical driver's license for interactions with law enforcement and businesses. Exacerbated by the ad hoc nature of mDL offerings across the country, states grapple with challenges such as interoperability, accessibility, usability, and trust that further limit mDLs' appeal to consumers.

Mobile Driver's Licenses

The term "mobile driver's license" refers to state-issued digital versions of an individual's driver's license. Only 13 states have mDLs as of September 2024: Arizona, California, Colorado, Delaware, Georgia, Hawaii, Iowa, Louisiana, Maryland, Mississippi, New York, Ohio, and Utah. An additional three states-Florida, Missouri, and Oklahoma-used to offer mDLs but no longer do.[21](See figure 3.) Oklahoma shuttered its mDL program over accessibility concerns, Florida's Department of Highway Safety and Motor Vehicles issued a statement that it is switching to a different vendor to issue mDLs, and Missouri seems to have quietly discontinued its program with no explanation.[22]

Figure 3: Thirteen states currently offer mobile driver's licenses; three have in the past

Depending on relevant state laws, residents of states that offer mDLs can use their mDL to access age-restricted venues, such as bars and clubs, and purchase age-restricted products, such as alcohol and tobacco. Some states, such as Louisiana, allow residents to use their mDL for voting, and law enforcement in certain states may accept mDLs as verification, for example, at a traffic stop. Finally, more than 28 airports in 22 states accept digital forms of identification at Transportation Security Administration (TSA) checkpoints as the TSA continues to update the credential authentication technology in airports to the latest version, which can authenticate digital IDs.[23]

Challenges

Interoperability

States have faced multiple challenges in their efforts to make mDLs available to their residents. The first of these is interoperability. There are standards that the leading mDL providers-Apple, Google, and Idemia, as well as Louisiana's LA Wallet-follow that create some degree of interoperability. These standards, developed by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) and known as ISO/IEC 18013-5, establish interface specifications that enable parties other than the issuing authority-in this case, a state government-to read and authenticate mDLs. The standards allow for regional additions, such as Real ID standards in the United States.[28]

While all providers currently offering mDLs in the United States adhere to ISO/IEC 18013-5, there is no requirement that future providers do so. Instead, it is up to each individual provider to decide whether to follow these standards. Without a guarantee of interoperability, there is the possibility that residents of a state that offers mDLs via one provider could run into issues in a state that offers mDLs via another provider, proving especially frustrating for Americans who live in one state but work in another or with a job or lifestyle that require regular travel. Additionally, residents of states that do offer mDLs are unlikely to find many use cases when traveling to a state that does not offer mDLs, which currently represents the vast majority of the country.

Open standards such as ISO/IEC 18013-5-or, similarly, the World Wide Web Consortium's verifiable credentials, a standard for digital credentials-are important to ensure interoperability between not only mDLs but also different types of digital ID.[29]Ideally, in a world where all identity documents and credentials have digital versions available-from driver's licenses and passports to library cards and student IDs-individuals could store all these various documents in the same digital wallet.

Accessibility

Another challenge that led one state to discontinue its mDL is accessibility. Over 40 million Americans have a disability according to 2022 data from the U.S. Census Bureau. That includes over 12 million Americans with a hearing difficulty, over 8 million with a vision difficulty, and over 17 million with a cognitive difficulty, all of which can pose challenges when interacting with online services, including mDLs, if those services are not designed with accessibility in mind.[30]

Oklahoma discontinued its mDL app, OK Mobile ID, after the Department of Justice (DOJ) found that the app violated the Americans with Disabilities Act because individuals with vision impairments could not use the app. The app required users to upload photos of their physical ID and follow a series of on-screen instructions to take a selfie, including making a series of head and eye movements based on visual information on the screen, a process that would be difficult, if not impossible, for users with vision impairments to complete on their own.[31]

Despite DOJ's conclusion that there was "no evidence that making the OK Mobile ID App accessible would result in a fundamental alteration or an undue burden to Service Oklahoma," Service Oklahoma, an agency that provides driver and motor vehicle services in the state, announced 17 days after reaching a settlement agreement that it would shutter the app entirely, stating, "As the necessary corrections are extensive, we are also exploring the option of decommissioning the app altogether due to a lack of use cases with the current product."[32]By making accessibility a priority and building it into services from their inception, rather than treating it as an afterthought, states can avoid repeating Oklahoma's mistake.

Usability

As Service Oklahoma alluded to in its announcement that it would discontinue offering mDLs, some states' mDLs also suffer from a lack of usability or use cases that would convince residents to switch from using a physical driver's license. Until individuals can use an mDL in all instances when they would need to display a physical driver's license-including entering age-restricted venues, using age-restricted online services, purchasing age-restricted products online or offline, voting, interacting with law enforcement, or passing through TSA checkpoints at all airports-individuals will still need to carry a physical driver's license along with an mDL, in which case many individuals may decide it is simply easier to only carry a physical driver's license and not apply for an mDL.

The usability challenge is intrinsically tied to the interoperability challenge. Even if individuals can use an mDL for all of those use cases in their home state, they may not be able to do so in a state that does not offer mDLs or that offers mDLs using a different provider that is not interoperable with the individual's home state's provider. Thus, they would still need to carry a physical driver's license with them when traveling out of their home state.

Trust

Finally, a challenge that nearly every new technological development faces at some point in its life cycle is gaining and maintaining the public's trust. In part, this trust is earned through practices that safeguard the privacy and security of individuals' sensitive personal data as they use mDLs. For example, the aforementioned ISO/IEC 18013-5 standard outlines protocols for privacy and data security of mDLs.[33]

Unfortunately, while good privacy and security practices may increase public trust, the public can lose trust in a technology for often irrational reasons as part of the "privacy panic cycle," a recurring pattern of privacy fears that appear following the introduction of a new technology.[34]At first, a new technology has not yet been widely deployed and only a core group of people have knowledge, during which privacy concerns are minimal. As the technology starts to become more well-known outside this relatively small circle, privacy fundamentalists and those who do not trust government begin to raise alarms about the technology, drawing negative attention and causing others-such as the media-to start fanning the flames of fear.

Eventually, the public dismisses the privacy concerns associated with the technology as it becomes increasingly commonplace and interwoven into society. Finally, the vast majority of consumers no longer believe the claims espoused by privacy fundamentalists because they understand the technology, appreciate the benefits, and no longer fear its misuse.

Digital forms of identification such as mDLs are still at the beginning of their technological life cycle, especially in the United States, where their deployment is sporadic. These trusted beginnings may give way to rising panic as mDLs and other forms of digital ID become more mainstream. The best states and the federal government can do to combat this privacy panic is to clearly communicate the benefits of digital ID, ensure digital ID is as secure and privacy-protective as possible while maintaining utility, and not allow overblown fears to impact regulation surrounding digital ID.

A second factor impacting public trust of digital ID, specifically in the United States, is political opposition to the concept of a national ID. However, implementing a digital ID system in the United States would not require creating a new national ID system. Instead, the system could digitize existing forms of identification, including identity documents already issued by states and the federal government such as driver's licenses and passports, respectively, proving individuals' identities with bits as opposed to atoms.

There would still likely be some opposition to any federally mandated change, as there was when the Real ID Act of 2005 passed, requiring states to standardize driver's licenses and enter them into a national database, which opponents saw as a sneaky way to implement a national ID system, even though it only improved state government standards.[35]Despite opposition, the law has remained in effect, and as of May 7, 2025, the federal government, including the TSA, will no longer accept driver's licenses that do not meet Real ID requirements.[36]

Efforts at a National Standard

As more states explore and offer mDLs, progress toward a national standard for digital ID has mostly stalled. However, between standards for digital identity verification by government agencies, an Obama-era digital ID initiative, and bills in Congress, the building blocks are there for the federal government to pick back up again and turn the existing ad hoc patchwork of mDLs into a cohesive digital identity option for all Americans.

NIST Digital Identity Guidelines

Originally published in 2004, the National Institute of Standards and Technology's (NIST's) Digital Identity Guidelines outline technical requirements for federal agencies to implement digital identity services.[37]NIST has updated these guidelines three times since then, with a draft of its fourth revision released as recently as December 2023.[38]

The guidelines cover proving and authenticating the identity of users-such as government employees and contractors, as well as private individuals-interacting with government systems. The latest draft aims to respond to the ways in which the digital landscape has evolved since NIST's most recent update in 2017, such as improved reliability of biometrics, and address challenges related to equality, consumer choice, and fraud prevention.[39]

Because NIST's guidelines establish protocols for online identity verification-in other words, establishing that individuals are who they say they are-they could serve as a basis for the development of digital forms of identification, particularly in ensuring that these forms of ID are usable, equitable, and secure.

National Strategy for Trusted Identities in Cyberspace

In 2011, the same year that NIST published its first revision of its Digital Identity Guidelines, the Obama administration took the next step toward establishing a national digital ID with its National Strategy for Trusted Identities in Cyberspace (NSTIC). The strategy charted a course for public-private sector collaboration to establish trustworthy methods to reliably identify and authenticate individuals, organizations, networks, services, and devices online.[40]

NSTIC outlined an ambitious strategy that would create voluntary, privacy-enhancing, secure, resilient, interoperable, cost-effective, and easy-to-use identity solutions, eliminating the need for individuals to maintain a different username and password for each website with which they interact. It included roles for every level of government, the private sector, and international partners.

According to the strategy document, within three to five years-between 2014 and 2016-NSTIC would result in an identity ecosystem wherein individuals have the ability to choose trusted digital identities for personal and business use that they can use across multiple sectors, with a growing number of individuals and identity providers signing on to be part of the ecosystem. Within 10 years-by 2021-the identity ecosystem was supposed to be fully realized and available to anyone who chose to adopt it.

NSTIC ultimately did not realize most of its goals. Instead, the strategy led to the creation of Login.gov, launched in 2017 as a shared authentication service for government agencies.[41]In other words, members of the public can use one account and password to securely sign in to participating government websites, rather than creating separate accounts for each website. Login.gov includes an identity verification process, which requires an individual's driver's license or other state-issued ID, Social Security number, and phone number or address.[42]

In September 2023, the General Services Administration (GSA) announced that all cabinet agencies were using Login.gov, making up 15 of the over 40 federal and state agencies that participate in the service. Other participating agencies include the Small Business Administration, the U.S. Postal Service, and the Office of Personnel Management, the last of which allows individuals to use Login.gov to access USAJOBS, the federal government's official job board.[43]Notably, the Internal Revenue Service (IRS) does not use Login.gov for identity verification, arguing that it is not secure enough and lacks sufficient anti-fraud controls.[44]Instead, the IRS, as well as the Social Security Administration, uses ID.me, an American online identity company, for identity verification.[45]

Improving Digital Identity Act

There has been little progress in Congress toward establishing a national standard for digital identity, though there is a path forward. The Improving Digital Identity Act, first introduced in 2021 by Reps. Bill Foster (D-IL), John Katko (R-NY), James Langevin (D-RI), and Barry Loudermilk (R-GA) and most recently reintroduced in 2023 by Sens. Kyrsten Sinema (I-AZ) and Cynthia Lummis (R-WY), would establish a task force to coordinate a government-wide effort to promote digital identity use in the public and private sectors.[46]

The current text of the bill, which has made little headway since its reintroduction, would establish the Improving Digital Identity Task Force within the Executive Office of the President, comprising a director appointed by the president; at least 11 federal government representatives; 6 state, local, tribal, or territorial government officials; and 5 nongovernmental experts. In its work, the task force would emphasize priorities such as privacy, security, reliability, interoperability, trust, equitable access, and reducing identity theft and fraud.

The bill explicitly prohibits the task force from recommending a single national identity credential provided by the federal government. Instead, the task force would promote the development of digital versions of existing physical forms of identification, such as driver's licenses, passports, social security credentials, and birth certificates, including by identifying funding and other resources necessary to support the agencies that issue these forms of ID.

The task force would publish an initial report with its recommendations on implementing a digital identity strategy, followed by the director of the Office of Management and Budget (OMB) issuing guidance to federal agencies on implementing the task force's recommendations. OMB would also issue annual progress reports. After a year, the Government Accountability Office would submit a report on potential savings from switching to digital forms of identification. The task force would sunset three years after the bill's enactment, publishing an interim report halfway through its mandate and a final report toward the end of its three years.

The Future of Digital Identity

A well-developed digital ID system should provide all the benefits of digital IDs for Americans: increased convenience, security, privacy, and usability. It could also address the challenges currently facing states' mDL implementations of interoperability, accessibility, usability, and trust. Americans from anywhere in the country could board an airplane, interact with law enforcement, purchase alcohol, enter a club, file their taxes, and much more, all with their phones.

In other words, a well-developed digital ID system could-and should-fully replace physical IDs, which requires a legal framework that accepts digital IDs as a valid form of identification in all use cases. Individuals could use their digital IDs to travel across state lines and even internationally, requiring national coordination of state efforts and international cooperation to have other countries recognize Americans' digital IDs. Users with disabilities should not face barriers to accessing a digital ID, which requires building in accessibility from the beginning and prioritizing it throughout the development process. Finally, to ensure trust, a well-developed digital ID system should be secure and privacy-protective, adhering to best practices to safeguard users' data.

Current state-level efforts to offer digital ID are innovative but sporadic. States should continue offering mDLs and passing laws that ensure mDLs are at least as usable as their physical counterparts. Additionally, in order to ensure that all Americans have access to well-developed digital IDs, the federal government should coordinate a nationwide effort to promote digital ID development, implementation, and use.

Specific steps federal and state governments should take include the following:

▪States with mDLs should pass laws requiring law enforcement to accept digital ID as a valid form of identification, for example, at traffic stops so individuals with a digital ID do not have to also carry a physical ID.

▪Congress should establish a grant program for states to create mDLs that comply with ISO/IEC 18013-5 to incentivize states to create interoperable mDLs.

▪Congress should pass the Improving Digital Identity Act, establishing a task force to coordinate a government-wide effort to promote digital ID use in the public and private sectors.

▪GSA should improve the security and fraud prevention of Login.gov and then require all government online services to use the site and start accepting digital ID for any transaction that requires identity verification.

▪NIST should create accessibility and interoperability standards for digital ID that federal and state governments and private entities can follow.

▪All federal agencies should start accepting government-issued digital ID, including existing state-issued mDLs, as a valid form of identification for federal purposes, such as for security in all American airports and federal buildings.

▪The State Department should work to form international agreements with other countries for mutually accepting each other's digital IDs as a valid form of identification, provided they adhere to ISO/IEC 18013-5 or another agreed-upon standard.

Endnotes