Security Bits Logo no alpha channel

Security Bits by Bart Busschots – 05 September 2021

Bart had Tom Merritt of the Daily Tech News Show on the August episode of Let’s Talk Apple this week to have an extended discussion of Apple’s proposed child protection features. It’s a great discussion with someone who has been described (by a good friend) as being “pathologically unbiased.” You can find this episode of Let’s Talk Apple in your podcatcher of choice, or listen at lets-talk.ie/…

Now to our regularly-scheduled programming…

Feedback & Followups

Deep Dive — Apple’s Digital IDs

Apple have announced the first 8 US states that will support digital IDs in Apple Wallet, and that the TSA (US Transportation Authority) will be the first agency to deploy readers for the IDs. Arizona &
Georgia will lead the way, with Connecticut, Iowa, Kentucky, Maryland,
Oklahoma, and Utah following soon after.

While it’s interesting to know which states will be first, what’s much more interesting is the details Apple released about how this will work, especially from a security and privacy POV.

TL;DR — every concern I’ve seen expressed in half-informed speculation online is wrong. Apple seem to really have their Security, Privacy, and Safety Ducks in a row on this one.

When you imagine a digital drivers license of state ID in Apple Wallet you’re probably imagining something like a boarding pass, conference or concert ticket, store loyalty card, or these days, even a COVID pas,. i.e. an image you show someone, perhaps with a 2D or 3D barcode. Don’t – that couldn’t be more wrong!

Instead, think of Apple Pay — the data is not shown on screen, but sent digitally after you tap and biometrically authenticate. Not tap to pay, but tap to identify.

The process to get your ID into your wallet will be similar to how you get a credit card into your wallet, but with some more rigorous checks, and an approval loop through your state’s issuing institution. Part of the process will be associating a biometric with the ID. It can be TouchID or FaceID, but if you use TouchID you have to pick a single finger that will work for your ID. Don’t worry, this doesn’t affect how phone unlocking works, you can continue to register multiple fingers for unlocking the phone, whether or not they’re all yours. BTW, this last point illustrates why Apple have added the restriction on unlocking the ID — Apple, and the state governments, are well aware that couples often register each others fingers on their phones, and and ID should only be un-lockable by one person, the person being identified!

The process protects your physical device security — you do not unlock your device, and you do not hand it over.

The process for identifying yourself works as follows:

  1. You tap your locked phone on the ID terminal
  2. A popup appears on your phone, like the Apple Pay one, that shows who’s asking for your ID, and what specific data fields they are asking for
  3. You biometrical approve the ID request — this does not unlock your phone
  4. The data is wirelessly sent over an encrypted channel

Notice the permission step shows you what is being asked for — the terminal can ask for as much or as little information as is actually needed. The TSA for example don’t need your blood type, while an EMT does need your blood type, your age, and your next of kin, but not the types of vehicles you’re licensed to drive. Finally, a liquor store doesn’t actually need your address, they just need an assertion that you are over a given age. All of these scenarios are supported by the API.

Speaking of APIs, these IDs use an ISO standard that is publicly available, and that Apple helped develop.

One final point — just like Apple Wallet has not replaced physical credit cards, this does not replace physical ID cards, at least not for a long time yet. This is an additional, more secure and private, option that will slowly roll out over time. It will start in airports, but will slowly spread to more and more places as readers become available to ever more authorities, agencies, and organisations. If all goes to plan, one day, a decade or so from now, we’ll realise that we’ve not used our physical IDs in ages, and that it’s now all digital, but it will be a slow and gradual rollout, a lot like tap to pay was.

Anyway, for me, the bottom line is that every worry or criticism I’ve encountered on podcasts, twitter, and tech sites proved to be wrong — what ever it was, Apple had not just thought about it, but addressed it. As best as I can tell, Apple really have thought of everything on this one, and they’ve engineered a solution that’s a lot more secure and private than physical IDs are or ever could be.

Links

Worthy Warnings

Notable News

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

Leave a Reply

Your email address will not be published.

Scroll to top