What NIST's mDL guidance means for the future of digital identity

by Daryl Martin

May 4, 2026 - 5 min

The latest National Institute of Standards and Technology (NIST) draft guidance on mobile driver’s licenses (mDLs) is about more than one use case or credential type. While the draft primarily focuses on the financial sector due to its high-assurance requirements, the bigger takeaway is that government-issued identity can be cryptographically verified and shared more selectively. This provides strong, cryptographically verifiable evidence of identity and shows what a more interoperable digital identity ecosystem could look like.

1Password has contributed to the work behind this draft. We believe that identity systems need to be developed through global standards and collaboration across multiple verticals. Open ecosystems scale; closed ones often fail.

mDLs replace document uploads with cryptographic verification

An mDL is a government-issued verifiable digital credential. It serves as the digital version of your physical driver’s license, defined as a highly specified mobile document (mDoc) under international standards. 

To identify a person with cryptographic trust, the ecosystem relies on three parties: 

  • An issuer that signs the credential 

  • A wallet that securely stores and presents it 

  • A verifier that checks its authenticity 

A simple real-world example is airport security, where the DMV is the issuer, your Apple Wallet is the wallet, and the TSA is the verifier when you present your mDL. 

While this might sound more complex than simply flashing a physical ID, the experience can be seamless when implemented well. Historically, users had to upload an image of their driver’s license, which exposed their sex, address, weight, and other unnecessary personal data. With an mDL, you securely transmit only the attributes needed for that interaction. 

For example, in a well-defined flow you would expose only the state you live in to qualify for services, and nothing else. mDLs turn automated online verification from an image-processing problem into a cryptographic verification problem.

How an mDL standardizes high-assurance identity needs 

At a high level, the mDL flow operates in a few simple steps:

  • A state issuer, like the DMV, verifies your identity and issues a digitally signed credential to your wallet.

  • Later, a verifier, like a bank, asks for specific identity attributes.

  • You authenticate locally on your device (e.g., using Face ID or a fingerprint) and consent to share the data.

  • The relying party receives a cryptographically verified result, rather than a raw image upload.

Diagram titled “How an mDL works.” It shows a five-step flow: (1) A state issuer or DMV issues a digitally signed mobile driver’s license (mDL) to your wallet. (2) Your digital wallet stores the mDL securely. (3) A verifier requests and verifies your mDL. (4) A relying party receives verified attributes—not the full ID image. (5) A decision is made, and access is granted based on the verified data. A footer notes that mDLs are built on global standards and are secure, privacy-preserving, and interoperable.
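
As an added illustration (not code from this post, NIST, or 1Password), the Go sketch below shows how one issuer signature over salted per-attribute digests lets a verifier check a single disclosed attribute without seeing the others, which is the mechanism ISO 18013-5 mdocs use for selective disclosure. It assumes JSON and Ed25519 in place of the CBOR/COSE encoding of real mdocs; `Item`, `Issue`, `Verify` and the sample values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Item is modelled on an mdoc IssuerSignedItem; Random is a per-attribute salt.
type Item struct {
	DigestID    int
	Random      []byte
	Name, Value string
}

// digest hashes one encoded item (JSON here for brevity; mdocs use CBOR).
func digest(it Item) [32]byte {
	b, _ := json.Marshal(it)
	return sha256.Sum256(b)
}

// Issue salts each attribute and signs the digest list (a simplified MSO).
func Issue(priv ed25519.PrivateKey, attrs [][2]string) (items []Item, mso, sig []byte) {
	digests := make([][32]byte, len(attrs))
	for i, a := range attrs {
		items = append(items, Item{i, make([]byte, 16), a[0], a[1]})
		rand.Read(items[i].Random) // the salt keeps unshown values unguessable
		digests[i] = digest(items[i])
	}
	mso, _ = json.Marshal(digests)
	return items, mso, ed25519.Sign(priv, mso)
}

// Verify checks the issuer signature, then each shown item against its signed digest.
func Verify(pub ed25519.PublicKey, mso, sig []byte, shown []Item) bool {
	var digests [][32]byte
	ok := ed25519.Verify(pub, mso, sig) && json.Unmarshal(mso, &digests) == nil
	for _, it := range shown {
		ok = ok && it.DigestID >= 0 && it.DigestID < len(digests) && digest(it) == digests[it.DigestID]
	}
	return ok
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	items, mso, sig := Issue(priv, [][2]string{{"family_name", "Doe"}, {"resident_state", "CA"}}) // constructed sample
	fmt.Println(Verify(pub, mso, sig, items[1:])) // wallet discloses resident_state only
}
```

The verifier needs only the issuer's public key, the signed digest list, and the items the holder chose to present; changing a disclosed value or presenting it under another issuer's key makes `Verify` return false.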

While the NIST architecture is focused on high-risk transactions in banking, account application and digital enrollment, this pattern can be applied to many other business verticals.

One area of the draft we focused heavily on was NIST’s decision to prioritize the W3C Digital Credentials API and avoid custom URI-based wallet invocation. This approach ensures that users clearly see which site is making the request and what attributes are requested, while also enabling CTAP-based proximity protections for cross-device flows. From our perspective, the ecosystem should converge on interoperable standards rather than ad hoc wallet-invocation workflows or the creation of proprietary protocols. Fragmented standards lead to more complicated implementations and a poorer user experience.  

Our view is that this architecture works best when mDLs are used at key trust moments, such as identity proofing and high-risk transactions. Once that trust is established, the user can provision a purpose-built authentication method, such as a passkey, for everyday access.

Standards make trust functional

We align with the NIST draft's goal: the industry must converge on interoperable standards, not custom integrations or fragmented protocols. 

The digital identity ecosystem is a mix of published standards and still-evolving specifications like ISO 18013-5/7, W3C Verifiable Credentials, the Digital Credentials API, OpenID for Verifiable Presentations, and OpenID for Verifiable Credential Issuance. This work spans multiple standards bodies and communities, and 1Password has been contributing heavily to the organizations driving these protocols, including FIDO, W3C, and OIDF.

Because we build both consumer and enterprise security products, we are in a unique position to complete the feedback loop between standards formulation and actual product development. For this ecosystem to succeed, the rough edges for users, browsers, and wallets need to be worked through in the standards process in real time.

This work also requires alignment across different global jurisdictions. We are keeping an eye on the EU Digital Identity (EUDI) wallet work and other related regulatory work to inform future product decisions.

What mDLs suggest for the future of digital wallets

Over time, we expect the line between a traditional "password manager" and a digital "wallet" to keep getting thinner. 

A modern wallet should do more than store passwords, credentials, or personal information. It should be able to protect a broader set of high-value credentials in a way that is secure, privacy-preserving, and easy to use across all your devices. That includes the kinds of government-issued credentials emerging in the mDL ecosystem.

This is one reason this space is so interesting to us. The long-term opportunity is far bigger than one single credential type or one specific industry. It’s about helping people seamlessly prove the right thing, to the right party, at the right time, without oversharing or adding unnecessary friction.

Putting identity in the driver’s seat 

NIST started with the financial sector because it is a high-assurance environment facing fraud pressure and strict compliance requirements like the identity-proofing components of Know Your Customer (KYC). Finance is just a starting point. We highly recommend reading the draft and applying these learnings to your own industry's problem space.

mDLs are not a silver bullet, but they are a meaningful shift in how digital identity can work online. Cryptographically signed credentials are much harder to fake than document images, and standards-based workflows improve both usability and security.

That’s why 1Password is participating in this work. We believe in global standards. We believe digital identity should be controlled by the individual. And we believe the best systems will be those that give people greater control over their data while improving security and privacy.
