Digital Driver's Licenses, Part Two - Security by Design
09 Dec, 2025
Cybersecurity is an incredibly broad field that spans everything from the development of complex technical solutions to the design of human processes. Consequently, cybersecurity experts can be involved in hardware construction, encryption design, software development, the shaping of customer service protocols, and user interface (UI) design. UI might not be the first thing that springs to mind when discussing cybersecurity, but the subject of this blog post is a prime example of how cybersecurity touches every branch of software development, including the interface.
Security by Design
Before we proceed, it is worth mentioning a specific philosophy within cybersecurity known as security by design. In short, this philosophy dictates that when a system (software, processes, etc.) is designed, the primary goal should be that the simplest and most obvious way to use the system is also the most secure. We have many examples of security by design from the physical world. For instance, washing machine doors lock when water is pumped in, and electrical panels have built-in safety mechanisms—circuit breakers—that minimize the risk of damage in case of misuse or failure. Obviously, we are referring to a different nuance of "security" here, specifically "safety", but these concepts share much in common, especially regarding built-in protections.
An example of a lack of security by design in digital processes can be seen in our last blog post about the old island.is authentication service. There, the problem didn't lie in the authentication service itself, but rather in the instructions for its use. The solution was aimed at a large group of developers with varying backgrounds and expertise, yet the instructions were incomplete and contained security vulnerabilities.
Digital Cards
If we compare digital driver's licenses to other cards that digital wallets were meant to replace, we notice a certain discrepancy. Take a boarding pass, for example. It displays various information such as departure and destination, time, and some sort of code. However, when you arrive at the airport, no one inspects the boarding pass on your phone visually. Instead, the code is simply scanned and verified. When all is said and done, the easily readable information on the boarding pass is for the holder, so they know which flight it is, the time, and other useful details, but the actual boarding pass in the eyes of airport security is the code.
Why is it implemented this way? Why do we need the code? Referencing the first part of this blog, the answer is simple: you can never trust what appears on a computer screen.
The Design of the Licenses
As detailed in Part One, a scanner was added to the island.is app two years after the licenses were introduced, enabling everyone with access to the app to verify the validity of digital driver's licenses. But then it is appropriate to ask: for whom is the information on the digital license itself intended? Why are the name, ID number (kennitala), and passport photo displayed on it? Compared to the boarding pass, which contained information the holder might need, a driver's license holder should be aware of their own name, ID number, and appearance. The only thing justifiable to display on the license would be the driving privileges, should one need to refresh their memory.
It is therefore clear that the design of the licenses directly encourages their misuse, i.e. "inspecting" them like traditional licenses rather than scanning them as the guidelines, which were issued later, dictate.
If we compare this to the Norwegian design, it is actually similar to the Icelandic one. The license displays a name, ID number, photo, and a code for scanning. But the biggest difference between these implementations is that in Norway, clear messaging accompanied the issuance of the licenses stating that they were only issued as a supplement to traditional driver's licenses and are valid as ID only during traffic stops. For instance, one cannot take it for granted that they can be used at the Norwegian state liquor store (Vinmonopolet).
There is a massive difference here regarding security. In the Norwegian case, it suffices to train all police officers to ensure they always scan the license and never trust what is on the screen. In Iceland, the message was that the digital license was equivalent to the traditional one, leaving us with a much broader user base with diverse backgrounds, such as pharmacy staff, bouncers, medical receptionists, clerks at the state liquor store (Vínbúðin), and polling station workers, to name a few. There is no venue to convey information to such a broad group, making it impossible to expect everyone who "inspects" the IDs to realize these flaws.
Here we have a clear example of how user interface design can have a massive impact on system security. Choosing to mimic traditional licenses in a digital wallet sends the message to users that they are equivalent, that this is some sort of digital plastic card, even though the reality is quite different.
Secure Implementation
How can one implement genuinely secure digital driver's licenses (and IDs)? It just so happens that most Icelanders possess digital IDs that meet the most stringent international security standards: passports and the new ID cards from the National Registry (Þjóðskrá).
Signed Data
The implementation used by such international digital IDs involves a microchip embedded in the document, onto which the ID's data is written, i.e. name, age, ID number, as well as biometrics and a photo. This data is then digitally signed. If the validity of the ID needs to be confirmed, the data on the chip can be read via NFC. (Yes, you can scan your own passport with your phone and see what's stored on it! For example, you can use ReadID.) When this is done, we must ensure that the digital signature matches the content, thereby verifying that the content hasn't been altered, and we must also check if the key that signed the ID is part of a chain of trust. If these tests pass, we can be certain that the content of the ID is correct and that it is indeed issued by the appropriate authority. In all practical senses, such IDs (i.e., the digital part) are nearly impossible to forge.
Another implementation of the same philosophy is that instead of a chip, the signed content of the IDs can be displayed via a code (some sort of QR code). The same principles then apply, except the scanning is done via a camera rather than NFC. Such codes can be seen, for instance, on the back of the new Icelandic ID cards (see "Security of Icelandic ID cards") as well as Austrian ID cards (see "Security of Austrian ID cards").
This implementation has the advantage of being completely independent of an internet connection. Since all the ID information is present on the ID itself, it can be scanned offline. The scanner also stores a list of the Certificate Authorities (CAs) it trusts, and thus requires no internet connection either.
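The two checks described in this section, as an added example that is not code from island.is or any ID issuer: the scanner first confirms that the signing key is vouched for by a CA on its stored list, then that the signature matches the content. It assumes a simplified format in which raw Ed25519 keys stand in for the certificates a real document carries; the `SignedID` layout and the sample payloads are constructed.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

var ErrUntrusted = errors.New("signer key not vouched for by a trusted CA")
var ErrAltered = errors.New("signature does not match content")

// SignedID is a constructed, simplified stand-in for the chip or QR contents.
type SignedID struct {
	Payload   []byte            // ID data as issued
	Sig       []byte            // signer's signature over Payload
	SignerKey ed25519.PublicKey // key that signed the ID
	SignerSig []byte            // a CA's signature over SignerKey
}

// Verify runs offline; the length check avoids a panic in ed25519.Verify.
func Verify(id SignedID, trustedCAs []ed25519.PublicKey) error {
	vouched := false
	for _, ca := range trustedCAs {
		vouched = vouched || ed25519.Verify(ca, id.SignerKey, id.SignerSig)
	}
	if !vouched || len(id.SignerKey) != ed25519.PublicKeySize {
		return ErrUntrusted
	}
	if !ed25519.Verify(id.SignerKey, id.Payload, id.Sig) {
		return ErrAltered
	}
	return nil
}

// issue plays the issuing authority for the demo.
func issue(ca, signer ed25519.PrivateKey, payload string) SignedID {
	pub := signer.Public().(ed25519.PublicKey)
	return SignedID{[]byte(payload), ed25519.Sign(signer, []byte(payload)), pub, ed25519.Sign(ca, pub)}
}

// demo returns verdicts for a genuine ID, an edited one, and a self-vouched signer.
func demo() (genuine, edited, selfSigned error) {
	caPub, caPriv, _ := ed25519.GenerateKey(nil)
	_, signer, _ := ed25519.GenerateKey(nil)
	id := issue(caPriv, signer, "name=Example Holder;born=2010-05-01")
	changed := SignedID{[]byte("name=Example Holder;born=2000-05-01"), id.Sig, id.SignerKey, id.SignerSig}
	trusted := []ed25519.PublicKey{caPub}
	return Verify(id, trusted), Verify(changed, trusted), Verify(issue(signer, signer, "x"), trusted)
}
func main() { fmt.Println(demo()) }
```

Nothing in `Verify` touches the network: the trusted CA keys are the only state the scanner needs, which is what makes this design usable offline.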
Connection to a Trusted Service
Another possible implementation is in the spirit of boarding passes. In this case, we treat the code appearing on the ID as a sort of password. When the scanner reads the code, its content is sent to a web service the scanner trusts, possibly hosted by the same entity that issues the ID, to retrieve information about it. These codes can also be time-limited. If the code is scanned after it expires, it is no longer considered valid. This ensures, among other things, that the ID being scanned is not an old screenshot.
This method requires, at the very least, that the person scanning the license is connected to the Internet, as the scanner needs to contact a web service. If time-limited codes are used, this method also requires the license holder to be online so that a new code can be fetched before scanning.
This was the route chosen for the implementation of the electronic driver's licenses after the scanner was introduced, and it is still used today with the licenses in the island.is app. The lifespan of the codes is one minute, which ensures the scanner only gives the green light to freshly updated licenses.
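The time-limited code flow described in this section, as an added example that is not the island.is implementation: the code is a random value carrying no license data, and the scanner displays only what the trusted service returns. The `Service` type, its in-memory storage, the `License` fields and the holder ID are all assumptions made for illustration; only the one-minute lifespan comes from the post.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var ErrInvalid = errors.New("code unknown or expired")
type License struct{ Name, Privileges string }
type grant struct{ holderID string; expires time.Time }

// Service is a hypothetical in-memory stand-in for the trusted web service.
type Service struct {
	registry map[string]License // holder ID -> authoritative record
	codes    map[string]grant   // codes currently shown in holders' apps
}

// Issue is called by the holder's app. The code is random and carries no data.
func (s *Service) Issue(holderID string, now time.Time) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	code := hex.EncodeToString(b)
	s.codes[code] = grant{holderID, now.Add(time.Minute)} // one-minute lifespan
	return code
}

// Lookup is called by the scanner, which shows only what the service returns.
func (s *Service) Lookup(code string, now time.Time) (License, error) {
	g, ok := s.codes[code]
	if !ok || !now.Before(g.expires) {
		return License{}, ErrInvalid
	}
	return s.registry[g.holderID], nil
}

// demo uses constructed data: one scan of a fresh code, one of an old screenshot.
func demo() (lic License, fresh, stale error) {
	s := &Service{map[string]License{"holder-1": {"Example Holder", "B"}}, map[string]grant{}}
	t0 := time.Date(2025, 12, 9, 12, 0, 0, 0, time.UTC)
	code := s.Issue("holder-1", t0)
	lic, fresh = s.Lookup(code, t0.Add(20*time.Second))
	_, stale = s.Lookup(code, t0.Add(5*time.Minute))
	return
}
func main() { fmt.Println(demo()) }
```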
What Now?
As previously mentioned, Digital Iceland decided to phase out digital driver's licenses in digital wallets on October 1st (see "Digital licenses discontinued in phone wallets"), and from a security perspective, referencing everything mentioned above, this is a decision that should be commended. But then it is right to ask: what lessons have we learned from the old implementation? How are the new licenses better and more secure?
The New Implementation
If we look at the implementation of the new licenses in the island.is app, we see that they contain a time-limited code intended for scanning, making verification of the license possible. The scanner is in the same place as for the old licenses, so anyone with access to the island.is app can confirm the validity of the licenses.

The new implementation of the IDs. ID with the holder (left) and scanned ID (right)
What about the interface? If we continue to examine the license, we see that it includes, among other things, a photo, name, ID number, and driving privileges. It is therefore appropriate to ask: what has actually changed? The danger still exists that recipients of the license will simply read what is written on it and accept it as valid. Recent news suggests that even information about the licenses displayed on the island.is website is being accepted in place of actual licenses in some cases (see "Security of digital licenses on Island.is"; in a Facebook post from the National Commissioner of the Icelandic Police regarding the change in license arrangements, it is actually stated that the island.is website can be used as ID following the change, which may possibly have caused some confusion), and automated changes to that interface led to the arrest of teenagers (see "Arrested for selling forged IDs to minors"). It is therefore almost certain that the scanner is not being used in all places that accept digital driver's licenses.
We are thus back to the point where screenshots can be used to forge IDs. If someone fully commits and designs a replica of the island.is app (at least the part that displays the licenses), which might take an experienced individual perhaps a weekend, it is again possible to create forged licenses for all Icelanders in mere minutes that will work in all places that do not use the scanner. One could say that, in a sense, we are in the same place after the change.
What is the Solution?
It is worth taking a step back and asking first: is using digital driver's licenses as fully valid personal IDs a good idea? We now have good ID cards that meet the strictest security standards, as well as the good old driver's licenses. People who accept IDs in plastic form have a better understanding of forging such documents. If a young individual showed up at the state liquor store with an old laminated paper driver's license claiming they were twenty, some doubts would likely arise during the transaction.
But let's say we want to continue using digital driver's licenses as personal IDs, what is the best way forward? The answer is simple and relates precisely to the connection between interface design and security: remove all information from the licenses that should not be trusted. This also applies to the overview page on the island.is website as well as other interfaces that could be interpreted as an ID. As mentioned before, the presence of this information on the license encourages its misuse. The holder does not need it, and users should not trust it, so it does not belong there.

Concept for an improved ID design. ID with the holder (left) and scanned ID (right)
Is this a perfect solution? Not at all. Two versions of digital driver's licenses have now been released in the last five years, and adding yet another change could cause some confusion. We are, to emphasize, dealing with a massive user base with all sorts of backgrounds and knowledge. A large portion of this group is likely not yet informed that the use of old licenses in digital wallets has ceased. It is likely still possible to use a forged driver's license in a digital wallet in various places. The same will apply if the design of the licenses in the app is changed; it will likely still be possible to use a forged version of the previous design. Furthermore, regulations on driver's licenses make a clear requirement that this information be displayed on digital driver's licenses. But despite the drawbacks, this would be a step in the right direction.
Built-in Security
As it stands today, security is often considered only when development is well underway or even finished. In the minds of many, this is some sort of unimportant box that needs to be ticked.
This example shows, on the other hand, the importance of security by design in the development of software, processes, other systems, and even regulatory and legal amendments. Ambaga considers it vital that security experts are involved at all stages of development processes, all the way from concept work to delivery. A security expert could have, for example, pointed out the solution suggested above during the design of the prototype for digital driver's licenses. It wouldn't have changed the fundamental development of the licenses, but we would have ended up with a more secure solution as a result, right from the start.