Apple’s Announcement: “Presenting ID to businesses”

Apple today announced that coming later this year, we would see:

Present an ID to businesses using iPhone and Apple Wallet. Starting this fall, businesses will be able to accept IDs in Apple Wallet — no additional hardware needed. This will streamline their ability to securely check a customer’s age in person for things like alcohol purchases, or to verify a customer’s identity at checkout for car rentals, and more. To seamlessly and securely present their ID in Wallet to an enabled business, users simply hold their iPhone or Apple Watch near the business’s iPhone. Users will be shown what information is being requested and whether the receiving party will be storing the information. Users will then be asked to authenticate and consent by using Face ID or Touch ID.

This is a big step forward in the move towards wallet-based credentials, and the first sign of what Apple are planning with their US-deployed mobile driver’s licence and state ID wallet entries.

What does this mean for the nascent community of wallet-based credential developers out there? Is it an existential threat? Does it mean that OS-level wallets (or at least, Apple Wallet on iPhone) are going to transform into versatile identity wallets? What’s left for IAM platforms and the ecosystems that have been growing around and engaging with wallet-based credentials to do? Has the rug been pulled out from under institutions like OWF, and developing standards like OID4VC?

Images from Apple Newsroom.

This move confirms, if validation were needed, that wallet-based interactions for identity are coming, and coming fast.

This announcement puts phones (and specifically, digital wallets) at the forefront of the consumer’s mind when thinking about pulling out credentials to prove data about themselves. No longer just payment cards and tickets, but their actual identities.

Inevitably, this interaction will have an incredibly smooth user experience, typical of Apple, that will encourage similar quality UXs to be developed for any other wallet interactions in the future.

Furthermore, it will familiarise users with the concept of selective disclosure of information from a credential that contains many more pieces of information than are being requested. Okay — selective disclosure may be a strong term here as the user won’t get the chance to select which pieces get disclosed, they will simply get a ‘yes/no’ option — but at least it’s a step in data presentation minimisation.

It doesn’t frighten consumers with unfamiliar terms like “self-sovereign identity” or “decentralised identity” (see this post). It will for the most part seem a natural evolution from showing a physical card from a wallet to showing elements of a software card from a digital wallet. For countries like the UK which are incredibly (and perplexingly/frustratingly) resistant to the concept of ID cards, perhaps this normalisation will go some way to making the concept friendlier and more approachable.

It’s in-person only. Apple isn’t offering an API for services to implement presentation requests on their websites and in their apps… yet. From the small announcement that we’ve seen, at the moment a presentation can only be requested and processed by another iPhone. Presumably these come after further additions to mDLs via ISO-18013-7.

At least initially it’s limited to the state IDs and driver’s licences that Apple have been working with states in the US to issue using the ISO-18013-5 standard. Whether the iPhone acting as the mdoc reader (the verifier) in Apple’s flows requires validation of the data by the issuer (i.e. requires internet access) I’m unable to tell from the brief description.

It’s clearly not a “decentralised” solution. It’s also, in its announced state, very limited in the set of credentials that can be issued and verified, and therefore limited in the purposes it can fulfil.

However, it shows that Apple is not resting on its laurels when it comes to wallet-based credential interactions.

So should everyone else just pack up and go home, admitting defeat? Hardly.

For a start, we’re still going to need a wide variety of verifiers that aren’t using iPhones, and while Apple may wish for the whole world to be using iPhones as their POS terminals, that’s an unlikely reality. It does push ISO-18013-5 further ahead of W3C Verifiable Credentials in terms of deployment for local presentations (e.g. over NFC).

Obviously, in the long term this technology will need to work via standards, not just in an Apple-bespoke way, as Android users – and, on the desktop, Windows users – will shortly expect this functionality. Luckily, there’s a whole bunch of standards out there, and big regulatory drivers in eIDAS2 towards W3C Verifiable Credentials as well as ISO-18013-5.

IAM platforms will have a significant role to play in designing, issuing, and verifying these credentials as server components on sites or by connecting out to services that offer these features. Though Apple may look later to issue credentials from inside apps, I don’t see them offering bespoke server-side components or a service. Again, standards will be the route forward here.

Further, the ecosystems that are needed to support trust frameworks between issuers and verifiers will need to be externalised from Apple. The set of issuers in Apple’s announcement is ‘each State that Apple is working with’, and the set of verifiers is their selected, ‘enabled businesses’. That single ecosystem isn’t versatile enough to support the array of use-cases that wallet-based credentials, as a wider technology evolution, are able to enable.

It does put a big question mark around the potential longevity of bespoke generic identity wallet applications. While COVID was the perfect opportunity for single-purpose, in-app credentials to be deployed (demonstrating vaccine certificates), right now there’s potential for generic identity wallet applications to fight for user versatility, feature-sets, and user experiences. Apple’s move today lights a touch-paper and highlights that, should they wish, they’re able to subsume these features rapidly into a massive, widely deployed market.

It would be foolish therefore to ignore this move as “oh, it’s just a centralised play around a limited set of credentials – we don’t need to worry because folks will want a properly decentralised model soon enough”. Once appetite for that is demonstrated, you can bet that Apple’s wallet will support VCs – so long as they can make the user experience good enough for their quality control.

Overall, it’s a positive move that helps continue the trends towards wallet-based credentials being a ubiquitous interaction medium. While I won’t be able to try it out myself – I live in the UK and we don’t currently have digital ID cards – I’m excited to hear about the experiences of those that do.