Is a mobile driver’s license the answer to deepfake attacks?

Fraudsters want to be you so bad.

Cybersecurity pros have been sounding the alarm about cyberattackers’ ability to use AI tools, including deepfakes, to create fake documents, photographs, and video. In many cases, attackers use these assets to sidestep financial institutions’ security and steal funds.

To fight the deepfakes, Jeremy Grant, coordinator of the Better Identity Coalition, sees value in a modern take on a familiar document—one that NIST recently called “emerging” and that GenAI can’t easily duplicate: a mobile driver’s license, or mDL, digitally signed.

“One thing that GenAI can’t spoof is possession of a private cryptographic key,” Grant told us.

The idea behind a mobile driver’s license:

• An agency issuer like a state DMV digitally signs the credential with a private key.
• A phone’s user-controlled digital wallet is trusted to securely store the credential, protect private keys, authenticate the user, and present the credential to the verifier, like a bank or other party wanting to do business—which has access to a corresponding public key to confirm identity.
• In practice, Grant wrote in a follow-up email, states are housing their public keys in a single repo called the Digital Trust Service. The repository, created by the American Association of Motor Vehicle Administrators (AAMVA), helpfully provides banks with a single source and not state-by-state key holder.

While its adoption is far from mainstream—and only a few states have the necessary digital infrastructure to support the license—Grant sees the protected keys as a stronger mechanism than traditional methods for remote verification like knowledge questions (which can get figured out with a little research) or selfies-plus-IDs, which fraudsters can recreate with GenAI.

NIST recently created a practice guide to help financial institutions implement mDL standards and best practices using commercially available technology.

We spoke with Grant about how mobile drivers licenses can pass the test and go mainstream.

Responses have been edited for length and clarity.

What’s an example of an AI-powered attack that this is meant to guard against?

A classic AI-powered attack in identity proofing would be: I steal your driver’s license, I scan it in to a GenAI tool, and I do a face swap of my face on it for yours…I apply for a credit card as “Billy Hurley,” and they say, “Well, can we get a picture of your driver’s license to prove who you are?” I use what’s called an injection attack, which would basically bypass the camera sensor on my phone to inject that image directly into the feed. And then they say, “All right, Mr. Hurley, can you take a selfie now, and my face will match up nicely with the face that I put onto that now GeAI-altered fake ID.

So, how does an mDL help in this scenario?

Any video, any photo, any voice, can be pretty convincingly spoofed these days by GenAI…Because mDLs are rooted in public key cryptography, [the test becomes] not so much, Does it look like me or sound like me? But, Can I actually prove that this is a digitally signed set of my identity information, stored in a secure wallet on my phone? And so that’s something that allows us to get ahead of the attackers. To be clear, there are a lot of awesome tools that are out there around the concept of liveness detection, trying to figure out if this is me versus somebody who’s using the tool to try and spoof me. There’s fascinating science there. It’s advancing really quickly. That’s one great tool to use to try and detect it, but mDLs and other digital credentials that are rooted in public key cryptography allow us to leapfrog the attackers on the defense side, because GenAI is not able to spoof private keys.

What needs to happen for this to be a mainstream technology? What are the challenges for states?

There are about 18 or 20 states that have started to roll out mDLs, but a lot of other states aren’t sure they have the resources to do so, which is one reason we’ve been advocating for grant dollars to the states that would be tied to adherence to this NIST playbook; we think three or four years of grant dollars could really jumpstart adoption…There’s legislation that’s bipartisan in Congress right now called the Stop Identity Fraud and Identity Theft Act that would create a grant program.

Why is a mobile drivers license an answer to the fraud we’re seeing today?

[It’s] the easiest way to get to a solution for most people that won’t require them to come in and reenroll. Nobody wants a national ID card. It’d be an absolute privacy civil liberties disaster. It would cost billions of dollars, and it probably wouldn’t solve the problem, but leveraging the tools that we have today, the nationally recognized, authoritative identity systems we have, and allowing people to get digital counterparts, that’s the easiest way to reach most Americans and do it with the construct of a credential that they already use.