
Development and Challenges of a Mobile Driver’s License App by Canadian Bank Note
The presentation details the development of a mobile driver’s license (MDL) app, led by a cybersecurity team at Canadian Bank Note (CBN), which produces secure IDs, passports, and payment systems. The project began in 2017 with a pilot involving 5,000 users in convenience stores, breweries, and law enforcement, evolving by 2025 to meet expanded requirements like Real ID compliance for air travel.

Key technical features include context-sensitive disclosure (sharing only necessary data, e.g., age for a bartender), liveness checks for facial recognition, one-time barcodes to prevent fraud, and device attestation to block jailbroken or rooted phones. The team addressed challenges like privacy risks (e.g., tracking roadside stops vs. age verification), custom authentication (using a PIN-encrypted public key via IKE protocol), and data retention (ensuring the DMV remained the system of record). The framework followed four phases (pilot, standardize, certify, leverage), with certifications including ISO, NIST 853, and SOC 2 to build trust and interoperability.

A live demo exposed vulnerabilities in PWA-based facial recognition, where attackers could spoof enrollment using tools like Open Broadcaster Software (OBS) and Clam Tracker, highlighting the need for native app controls.

The speaker emphasized relationships and communication over technical solutions, noting that 200+ projects at CBN required targeting "early adopters" to drive cultural change. The talk concluded with a cautionary tale about secure logistics failures, where geotracked tablets were lost in transit.