
IDs in Apple Wallet
On iPhone 8 or later with iOS 15.4 or later and Apple Watch Series 4 or later with watchOS 8.4 or later, users in participating U.S. states can add their state ID or driver’s license to Apple Wallet and tap their iPhone or Apple Watch to seamlessly and securely present it at participating locations.
On iPhone 8 or later with iOS 18.5 or later, users can add their Japanese My Number Card to Apple Wallet on iPhone, and with iOS 26.1 or later and watchOS 26.1 or later, users with a valid U.S. passport can create a Digital ID in Apple Wallet on iPhone or Apple Watch.
IDs in Apple Wallet use security features built into the hardware and software of the user’s device to help protect their identity and help keep their personal information secure.
Add a driver’s license or state ID to Apple Wallet
On iPhone, users can tap the Add button (+) at the top of the screen in Apple Wallet to begin adding their license or ID. If users have an Apple Watch paired at the time of setup, they are prompted to also add their driver’s license or ID to their Apple Wallet on Apple Watch.
Users are first asked to use their iPhone to scan the front and back of their physical driver’s license or state ID card. The iPhone evaluates the quality and type of images to help ensure that the images provided are acceptable by the state issuing authority. These identity card images are encrypted to the state issuing authority’s key on the device and then sent to the state issuing authority.
To help ensure that the person adding the identity card to Apple Wallet is the same person to whom the identity card belongs, the user is asked to take a Live Photo or a selfie. In some cases, the user might be prompted to also complete a series of facial or head movements. These movements are evaluated by the user’s device and by Apple to help reduce the risk of someone using a photograph, video, or mask to add someone else’s ID to Apple Wallet. Results from the analysis of these movements are sent to the state issuing authority, but not the video of the movements themselves.
Before submitting the user’s selfie to the state issuing authority, Apple servers and the user’s device compare the selfie with the likeness of the person who performed the series of facial and head movements. After completing the comparison, the device encrypts the selfie and sends it to the state issuing authority, which compares it against their image on file for the ID.
Last, users are asked to perform a Face ID or Touch ID authentication. The user’s device ties this single matched Face ID or Touch ID biometric to the state ID to help ensure that only the person who added the ID to this iPhone can present it; other enrolled biometric information can’t be used to authorize presentation of the ID. This occurs strictly on device and isn’t sent to the state issuing authority.
The state issuing authority will receive information necessary to set up the digital ID. This includes images of the front and back of the user’s ID, data read from the PDF417 barcode as well as the selfie the user took as part of the ID verification process. The issuing state also receives a single-digit value, used to help prevent fraud, that’s based on the user’s device use patterns, settings data, and information about their personal Apple Account. It’s then ultimately the issuing state’s decision to approve or deny the ID being added to Apple Wallet.
After the state issuing authority authorizes adding the state ID or driver’s license to Apple Wallet, iPhone generates a key pair in its Secure Element that anchors the user’s ID to that specific device. If the ID is also added to Apple Watch, Apple Watch generates its own key pair in its Secure Element.
After the ID is on iPhone, the information reflected on the user’s ID in Apple Wallet is stored in an encrypted format protected by the Secure Enclave.
Add a My Number Card to Apple Wallet
On iPhone, users can add their My Number Card to Apple Wallet through the Mynaportal app. My Number Card in Apple Wallet supports both mobile identity document and Japan Public Key Infrastructure (JPKI) functionality within a single ID pass. The setup process includes security measures enforced by Apple and the card issuer to help ensure that only the legitimate cardholder can add and present their ID.
In the Mynaportal app, users need to enter the 4-digit PIN and alphanumeric password associated with their physical My Number Card. These credentials are required to authenticate to the card, which allows the app to read data from the card’s contactless integrated circuit (IC); the issuer verifies that data to help ensure that the person adding the card has legitimate access to it. At this time, users are also asked to set a PIN and password for use with the JPKI applet-backed functionality of their My Number Card in Apple Wallet. These values never leave the user’s device and are independent of the PIN and password for the user’s physical card.
Note: Too many incorrect attempts on a PIN or password block the physical card and prevent it from being used or added to Apple Wallet until it’s unlocked.
To help ensure that the person adding the My Number Card to Apple Wallet is the rightful owner, users are asked to take a selfie and perform a liveness check. The selfie and liveness data are evaluated by the issuer along with the physical card information to help reduce the risk of someone fraudulently adding another person’s ID to Apple Wallet.
Users perform a Face ID or Touch ID authentication to tie a single biometric to the My Number Card in Apple Wallet. This helps ensure that only the same person who added a card to an iPhone can present it; other enrolled biometric information can’t be used to either authorize presentation of the ID or perform JPKI user authentication operations.
The issuing authority validates all submitted evidence and makes the decision whether to authorize adding the My Number Card to Apple Wallet. If authorized, they create and digitally sign the mobile identity document to protect against tampering or forgery. A key pair generated by the iPhone in the Secure Element anchors the user’s My Number Card in Apple Wallet to that specific device, ensuring it cannot be copied and used by someone else.
The JPKI applet, which protects the user’s digital signing and user identification certificates, associated private keys, and PIN and password, is provisioned within the Secure Element. This ensures that cryptographic operations for digital signing in addition to PIN or password comparison operations are performed within the hardware-protected environment’s boundary, and private keys are never available outside the Secure Element.
After the My Number Card is on iPhone, both the identity information reflected on the user’s ID in Apple Wallet and the JPKI applet data are stored in an encrypted format protected by the Secure Enclave or Secure Element, respectively. The issuer ensures that users can only add one My Number Card to a device and that each unique identity can only be added to one device, providing additional protection against fraud.
Add a Digital ID to Apple Wallet
On iPhone, users can tap the Add button (+) at the top of the screen in Apple Wallet to begin creating their Digital ID. If users have an Apple Watch paired at the time of setup, they are prompted to also add their Digital ID to their Apple Wallet on Apple Watch.
Users are first asked to use their iPhone to scan the machine-readable portion of their physical passport photo page. If the data indicates that the passport is from a supported region, not expired, and eligible, the iPhone then guides the user to read the passport chip using NFC. The relevant machine-readable fields are used to establish a session with the chip, in accordance with ICAO 9303 specified protocols. Data read from the chip includes data elements like the document holder’s name and portrait, along with the Document Security Object. To verify the data’s authenticity, Apple servers validate the Document Security Object, including data group hashes, the issuing government’s signature, and Document Signer Certificate using Passive Authentication. The Document Signer Certificate is validated against the corresponding Country Signing Certificate Authority Certificate to ensure authenticity and confirm it hasn’t been revoked.
To help ensure that the person creating the Digital ID in Apple Wallet is the same person the passport belongs to, the user is asked to take a selfie and complete a liveness check. The device coaches the user to successfully complete the required steps, which may include a series of facial and head movements. The resulting selfie photo and liveness video are encrypted on device and uploaded for evaluation by Apple servers. The selfie photo is compared with the likeness of the person who performed the liveness check and against the validated portrait retrieved from the passport chip.
Users also need to perform a Face ID or Touch ID authentication to tie that single biometric to the ID pass. This mechanism is supported by all IDs in Apple Wallet and helps ensure that only the person who added the ID can present it.
Apple evaluates the submitted evidence including data read from the passport chip, the selfie and liveness video collected during the ID verification process, and a confidence assessment score, to make the decision to approve or deny adding the Digital ID to Apple Wallet. The confidence assessment score, used to help prevent fraud, is based on the user’s device use patterns, settings data, and information about their personal Apple Account.
If approved, Apple creates and signs a Digital ID derived from the verified passport data. A key pair is generated in the Secure Element in the iPhone that anchors the user’s ID to that specific device. If the user adds the ID to Apple Watch, a key pair is generated in the Secure Element in the Apple Watch. Although the expiry date and other identity data are common, the Digital ID in Apple Wallet is independent from the passport used to create it. This means that the user needs to delete the Digital ID from their devices and go through the steps to add a new one in any situation where their physical passport is revoked or reissued.
After the Digital ID is created, it’s encrypted and sent to the device. After the device receives it, the information reflected on the user’s Digital ID in Apple Wallet is re-encrypted with a device-specific key and stored and protected by the Secure Enclave.
Using an ID in Apple Wallet with an identity reader
To use their ID in Apple Wallet, users need to authenticate with the Face ID appearance or Touch ID fingerprint associated with the ID before iPhone presents the information to the identity reader.
To use their ID in Apple Wallet on Apple Watch, users need to unlock their iPhone using the associated Face ID appearance or Touch ID fingerprint each time they put on their Apple Watch. Then, they can use their ID in Apple Wallet without authenticating until they take their Apple Watch off again. This capability leverages foundational Auto Unlock capabilities detailed in System security for watchOS.
When users hold their iPhone or Apple Watch near the identity reader, they see a prompt on the device showing which specific information is being requested, by whom, and whether the requester intends to store it. After authorizing with the associated Face ID or Touch ID on iPhone, or by double-clicking the side button on Apple Watch, the requested identity information is released from the device.
Important: Users don’t need to show or hand over their device to present their ID.
If users have an accessibility feature such as Voice Control, Switch Control, or AssistiveTouch enabled instead of Face ID or Touch ID, they can use their passcode to access and present their information.
Transmission of identity data to the identity reader follows the ISO/IEC 18013-5 standard, which defines several security mechanisms to detect, deter and mitigate security risks: identity data integrity and anti-forgery, device binding, informed consent, and confidentiality of user data over the radio link.
Presentation history is stored on device and available for users to view and delete in Apple Wallet, and—for IDs on Apple Watch—in the Watch app on the paired iPhone. Each presentation record includes the fields requested, the geolocation of the presentation, and whether the business intends to store the data or not. For authenticated readers, the business’s name and icon are also included.
Using an ID in Apple Wallet with iOS apps
Users can also share their ID information in Apple Wallet with iOS apps. When a user shares their ID with an app, Apple Wallet fetches and validates an encryption certificate that’s registered with the app developer. This certificate is used to encrypt the information that the user has agreed to share.
A presentation sheet displays which specific information is being requested, by which app, whether the app intends to store it and for how long, and the reason for requesting it. After authorizing with the associated Face ID or Touch ID, the requested information is encrypted by Apple Wallet using HPKE and is never made available to Apple. Apple Wallet periodically queries Apple servers to verify that the ID authentication key hasn’t been revoked and that the ID is still valid. If no check has been performed recently, one may occur when the user shares their ID with an app.
Presentation history is stored on device and available for users to view and delete in Apple Wallet. Each presentation record includes the app, reason, fields requested, and whether it intended to store the data and for how long.
Using an ID in Apple Wallet on websites
Users can share their ID information from Apple Wallet with websites. Participating websites use the W3C Digital Credentials API to request identity information from mobile document providers. To support acceptance of IDs in Apple Wallet, in addition to the document type and data elements, the request must contain an anti-replay value, encryption information for response encryption, and a signature for the device to authenticate the request. The website’s server generates an encryption key pair for the request and is responsible for securely retaining the private key for response decryption. Apple Wallet utilizes the reader authentication mechanism to authenticate the request (as defined by ISO/IEC 18013-5 and ISO/IEC 18013-7 Annex C), leveraging a signing certificate the website owner obtains from Apple. It also performs domain validation on the requesting website to help ensure the request is coming from a valid source.
A presentation sheet displays which specific information is being requested, by which website, whether the website intends to store it, and the reason for requesting it. After the user authorizes presentation of the requested identity information, it is encrypted by Apple Wallet directly to the website’s server using HPKE and is never made available to Apple or the browser. Apple Wallet periodically queries Apple servers to verify that the ID authentication key hasn’t been revoked and the ID is still valid. If no check has been performed recently, one may occur when the user shares their ID with a website.
Upon receiving the encrypted response, the website’s server must verify the authenticity of the identity data. This includes performing issuer authentication by validating the document signer certificate, verifying the cryptographic signature from the issuer, and checking hashes over the requested data elements. Additionally, mobile document authentication needs to be performed to ensure the document originated from the specific device it was issued to, preventing unauthorized duplication.
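The reader-side checks in the paragraph above, worked through as an added example that is not Apple’s code or part of this page: a Go program in which an issuer signs a Mobile Security Object (MSO) over salted digests of every data element and binds the device’s public key into it, the wallet discloses only the requested elements and signs them with the device key for one session transcript, and the verifier performs issuer authentication (DSC chains to a trusted root, DSC signature over the MSO, digest of each disclosed element) followed by mobile document authentication. The same hash-list, issuer-signature and certificate-chain shape is what Passive Authentication of the passport’s Document Security Object does during Digital ID setup, and the device key pair is the one the setup sections describe as generated in the Secure Element at issuance. Everything here is constructed: the structures are simplified JSON stand-ins for the CBOR/COSE encodings in ISO/IEC 18013-5, the certificates (an IACA root and a DSC) are generated on the fly, the element values and fixed salts are sample data, the session transcript is a placeholder string, and DSC revocation checking is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Simplified stand-ins for ISO/IEC 18013-5 structures; real mdocs are CBOR/COSE, JSON keeps this stdlib-only.
type Element struct{ ID, Value string; Salt []byte }         // one IssuerSignedItem; the salt keeps undisclosed digests unguessable
type MSO struct{ Digests map[string][]byte; DeviceKey []byte } // digest of every element (disclosed or not) + device public key (PKIX DER)
type Presentation struct{ MSO, MSOSig, DSC []byte; Disclosed []Element; DeviceSig []byte } // MSO, DSC signature over it, DSC DER, shared items, device signature
func digest(parts ...[]byte) []byte { h := sha256.New(); for _, p := range parts { h.Write(p) }; return h.Sum(nil) }
func elementDigest(e Element) []byte { return digest(e.Salt, []byte(e.ID), []byte(e.Value)) }
func deviceAuthDigest(session []byte, disclosed []Element) []byte { // what the device key signs: transcript + disclosed items
	b, _ := json.Marshal(disclosed)
	return digest(session, b)
}
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// newCert mints a minimal X.509 certificate; a nil parent yields a self-signed root (the IACA/CSCA role).
func newCert(cn string, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}

// Issue plays the issuing authority: digest every element, bind the device key, sign the MSO with the DSC key.
func Issue(dscKey *ecdsa.PrivateKey, devPub *ecdsa.PublicKey, all []Element) (msoBytes, msoSig []byte) {
	mso := MSO{Digests: map[string][]byte{}}
	for _, e := range all { mso.Digests[e.ID] = elementDigest(e) }
	mso.DeviceKey, _ = x509.MarshalPKIXPublicKey(devPub)
	msoBytes, _ = json.Marshal(mso)
	msoSig, _ = ecdsa.SignASN1(rand.Reader, dscKey, digest(msoBytes))
	return msoBytes, msoSig
}

// Present plays the wallet: MSO and DSC travel unchanged, only chosen elements are disclosed, the device key signs for this session.
func Present(devKey *ecdsa.PrivateKey, msoBytes, msoSig, dscDER []byte, disclosed []Element, session []byte) Presentation {
	sig, _ := ecdsa.SignASN1(rand.Reader, devKey, deviceAuthDigest(session, disclosed))
	return Presentation{MSO: msoBytes, MSOSig: msoSig, DSC: dscDER, Disclosed: disclosed, DeviceSig: sig}
}

// VerifyPresentation plays the reader: issuer authentication (DSC chains to a trusted root, DSC signature over the MSO,
// each disclosed element matches its MSO digest), then mobile document authentication (device signature under the
// MSO-bound key over this session's transcript). DSC revocation checking is omitted here.
func VerifyPresentation(p Presentation, roots *x509.CertPool, session []byte) error {
	dsc, err := x509.ParseCertificate(p.DSC)
	if err != nil { return err }
	if _, err := dsc.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("issuer auth: DSC not trusted: %w", err)
	}
	if pub, ok := dsc.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest(p.MSO), p.MSOSig) {
		return fmt.Errorf("issuer auth: MSO signature does not verify under the DSC")
	}
	var mso MSO
	if err := json.Unmarshal(p.MSO, &mso); err != nil { return err }
	for _, e := range p.Disclosed {
		if want, ok := mso.Digests[e.ID]; !ok || string(want) != string(elementDigest(e)) {
			return fmt.Errorf("issuer auth: digest mismatch for element %q", e.ID)
		}
	}
	devKey, _ := x509.ParsePKIXPublicKey(mso.DeviceKey)
	if pub, ok := devKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, deviceAuthDigest(session, p.Disclosed), p.DeviceSig) {
		return fmt.Errorf("device auth: not signed by the issued-to device for this session")
	}
	return nil
}

// Setup builds constructed data: issuer root + DSC, a device key, and a three-element mdoc (fixed salts for readability).
func Setup() (dscKey, devKey *ecdsa.PrivateKey, dsc *x509.Certificate, roots *x509.CertPool, all []Element) {
	rootKey := newKey()
	root := newCert("Constructed IACA root", rootKey, nil, nil)
	dscKey, devKey = newKey(), newKey()
	dsc = newCert("Constructed DSC", dscKey, root, rootKey)
	roots = x509.NewCertPool()
	roots.AddCert(root)
	all = []Element{{"family_name", "Doe", []byte("s1")}, {"birth_date", "1990-01-01", []byte("s2")}, {"age_over_21", "true", []byte("s3")}}
	return dscKey, devKey, dsc, roots, all
}

func main() {
	dscKey, devKey, dsc, roots, all := Setup()
	msoBytes, msoSig := Issue(dscKey, &devKey.PublicKey, all)
	p := Present(devKey, msoBytes, msoSig, dsc.Raw, all[2:], []byte("session 1")) // disclose age_over_21 only
	fmt.Println("genuine presentation:", VerifyPresentation(p, roots, []byte("session 1")))
	fmt.Println("replayed into another session:", VerifyPresentation(p, roots, []byte("session 2")))
}
```

Running it reports a nil error for the genuine presentation and a device-authentication error when the same presentation is replayed against a different session transcript. The same verifier also rejects a disclosed element whose value was altered (digest mismatch, caught by issuer authentication before the device signature is even examined), a presentation signed by a key other than the one bound into the MSO (a cloned document), and a DSC that does not chain to the trusted root. Because only the requested elements are disclosed and every element is digested with its own salt, the verifier learns nothing about the undisclosed elements beyond their salted digests.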
To allow users to present their ID in Apple Wallet on iPhone to other devices where they may want to verify their identity on the web, both handoff between Apple devices and cross-platform presentment are supported.
Handoff between Apple devices allows identity presentation to a website on an iPad or Mac using an ID in Apple Wallet on iPhone. In this case the system verifies that the iPhone:
Is associated with the same personal Apple Account.
Supports the functionality.
Is compatible with the request.
A secure connection is then established between the devices, and a notification appears on the iPhone, allowing the user to view and authorize the request from the iPhone. Cross-platform support also allows users to present their ID in Apple Wallet to other standards-compliant devices and browsers. This leverages the FIDO CTAP protocol to protect the integrity and confidentiality of the communication channel for request and response data transfer between devices.
With both handoff between Apple devices and cross-platform support, the same security capabilities as described above exist for request validation, response data encryption, identity data authentication, and device authentication.
Presentation history is stored on device and available for users to view and delete in Apple Wallet. Each presentation record includes the website, reason, fields requested, and whether the website intended to store the data.