Coming cyber executive order includes a push to mobile driver's licenses


The draft order does not, however, tackle the full breadth of actions that were expected from a promised identity executive order that has yet to materialize.

A cybersecurity executive order expected in the final days of the Biden administration includes instructions for government agencies to ramp up their use of digital identity documents like mobile driver's licenses (mDLs) to verify the identities of people applying for public benefit programs, according to a draft obtained by Nextgov/FCW.

Deputy National Security Director for Cybersecurity and Emerging Technology Anne Neuberger told reporters yesterday that the administration has been working on “executive action” for seven months with the goal of “putting the next administration on the best possible foundation” in terms of cybersecurity.

“Until the president signs off,” however, it's not finalized, she noted. That sign-off is expected this week, per POLITICO reporting.

The inclusion of digital identity items may be welcome news to cybersecurity and identity experts who’ve been wanting more action on digital identity and mDLs as well as a governmentwide, coordinated approach on digital identity from the White House. 

But how the coming executive order will fare under the Trump administration and whether it will even stay on the books is unclear.

The forthcoming order comes years after President Joe Biden promised to use an executive order to help stem the flow of government money stolen by fraudsters leveraging identity theft to siphon off benefits. 

The use of identity theft to target government benefits especially strained relief programs during the pandemic. In 2020, the Federal Trade Commission saw a 3,000% increase in identity theft complaints tied to government benefits, according to the government’s pandemic oversight website. 

Although the coming cyber-focused executive order includes some items focused on digital identity, such as the mDL push, the promised order focused entirely on identity and fraud has yet to materialize as the administration nears its close. 

Gene Sperling led that order’s development before leaving the administration this year to work on Vice President Kamala Harris’ presidential campaign. 

Its development was shaped by challenges navigating potential political optics — identity proofing solutions like facial recognition come with a host of privacy and bias concerns — and complications surrounding a potential push for agencies to use the government's single sign-on and identity proofing service, Login.gov, which was the subject of a bombshell inspector general report in 2023. That service doesn’t feature in the coming cybersecurity executive order.

The cyber order would, however, require the National Institute of Standards and Technology to issue guidance on using digital identity documents like mDLs and electronic passports for online identity verification. Agencies with grantmaking authority would also be called on to consider issuing funding to help states roll out mDLs. 

Only about 15 states currently issue mDLs, according to the American Association of Motor Vehicle Administrators. 

The use of mDLs is also still largely confined to the physical world — when boarding a plane, for example — as opposed to online — like proving your identity to apply for public benefits. That online use could take the form of presenting an mDL alongside a biometric identifier, like facial recognition, or a PIN.

Verifying that a person is who they claim to be online remains a challenge fraught with implications around the potential bias of solutions, privacy and more.

The challenge stretches beyond government benefits alone. Verifying that a person is who they say they are online is also a lynchpin in efforts to require age verification to access certain parts of the internet, for example.

The draft order emphasizes that digital documents used for identity verification should be interoperable, support data minimization and not enable those that issue them to track their use. Data minimization includes offering only the information needed, like a yes/no answer to whether a person is older than a certain age, the order noted.

The draft order also calls on the Social Security Administration and other agencies to weigh offering attribute validation services — where the agency gives a yes or no answer to whether the information offered by an applicant matches government records — for government identity verification systems and benefits programs. 

If implemented, that provision could potentially disrupt the current reliance on data brokers and credit bureaus to verify these types of facts to identify people online. 

The use of mDLs and digital identity documents is also a potential alternative to current identity proofing solutions that require users to take photos of their physical IDs and submit a selfie to match against the ID. 

That includes offerings both from industry — like private company ID.me — and the government-backed Login.gov, which has been moving to require facial recognition plus a photo of a physical ID.

“The efficacy of these methods is being eroded by new technology,” NIST noted in a May 2024 blog post, pointing to the creation of “images of driver’s licenses generated by artificial intelligence that are so accurate that document scanning tools believe they are real.”

The landscape of technology to evade liveness detection, which is often combined with requirements for photos of physical IDs, is also rapidly evolving.

Finally, the order would require the Treasury Department and General Services Administration to pilot a notification service when a person’s identity information is used for a public benefit application, enabling that person to stop the payment before it happens.

The White House did not immediately respond to a request for comment.