When a California resident presents their mobile driver's license at a Utah liquor store or a TSA checkpoint in Georgia, something remarkable happens: the verification works instantly. No prior agreement between California and Utah. No contract between the state of Georgia and California's DMV. This isn't magic. It's what happens when identity systems are built on open standards instead of proprietary protocols.
Many states now issue mobile driver's licenses accepted at more than 250 TSA checkpoints, not because TSA negotiated seventeen separate contracts, but because TSA built one technical integration that works with any standards-compliant mDL. By 2026, that number is expected to double, with projections of 143 million mDL holders by 2030. The technical interoperability is already working at scale. The question for states isn't whether standards-based recognition is possible; it's whether they're building systems that participate in it.
How ISO 18013-5 Creates Interoperability
The ISO 18013-5 standard defines how mobile driver's licenses are issued, stored, presented, and verified. More importantly, it defines a trust framework that allows any conformant verifier to validate credentials from any conformant issuer without prior coordination.
Here's how it works in practice:
Root Certificate Authorities establish trust hierarchies: Just as web browsers trust certain certificate authorities to verify website identities, mDL verifiers trust established root CAs to validate state-issued credentials. When California issues an mDL, it cryptographically signs that credential with keys anchored to a recognized root CA. When a verifier in Utah checks that credential, it validates the signature against the same root CA, confirming the credential was genuinely issued by California's DMV without needing to contact California directly.
Cryptographic signatures: Physical driver's licenses rely on visual inspection and sometimes manual database lookups. Standards-based mDLs use public-key cryptography. The issuing authority signs the credential with a private key, and verifiers validate it using the corresponding public key. Breaking this cryptography is computationally infeasible: there are more than 10^77 combinations. This means a liquor store clerk in Salt Lake City can verify a California mDL with the same certainty as a clerk in San Francisco.
Standardized data structures enable universal parsing: ISO 18013-5 specifies exactly how data elements (name, date of birth, address, license class, restrictions) are encoded within the credential. A verifier built to the standard can read and validate any conformant mDL, regardless of which state issued it, because the data structure is consistent. This is fundamentally different from proprietary credential formats, where each issuer might encode information differently, requiring custom integration work for every new issuer a verifier wants to support.
This interoperability without lock-in is what allows the TSA's 250+ checkpoint deployment to work seamlessly across states, and what will allow that number to scale by next year without TSA needing to rebuild anything.
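The verification model described above, as an added example (not SpruceID's code and not the ISO 18013-5 wire format): a verifier with a local trust list checks credentials from two issuers through one code path, without contacting either, and accepts a selectively disclosed element by matching its salted digest against the signed security object. It is a simplified model that uses JSON where the standard uses CBOR/COSE and bare public keys where a deployment uses certificate chains; the issuer ids US-CA, US-UT and US-ZZ, the function names and the sample data are assumptions constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');
// Salted digest per element, so an undisclosed value cannot be guessed from its hash.
const itemDigest = (i) => nodeCrypto.createHash('sha256')
  .update(JSON.stringify([i.name, i.value, i.salt])).digest('hex');
// Issuer: sign a security object that lists one digest per data element.
function issue(issuer, privateKey, elements) {
  const items = Object.entries(elements).map(([name, value]) =>
    ({ name, value, salt: nodeCrypto.randomBytes(16).toString('hex') }));
  const mso = JSON.stringify({ issuer,
    digests: Object.fromEntries(items.map((i) => [i.name, itemDigest(i)])) });
  const signature = nodeCrypto.sign('sha256', Buffer.from(mso), privateKey);
  return { mso, signature, items };
}
// Holder: release only the requested elements (selective disclosure).
const present = (cred, names) =>
  ({ ...cred, items: cred.items.filter((i) => names.includes(i.name)) });
// Verifier: one code path for every issuer; trust comes only from the local list.
function verify(p, trustList) {
  const mso = JSON.parse(p.mso);
  const key = trustList.get(mso.issuer);
  if (!key) return { ok: false, reason: 'untrusted issuer' };
  if (!nodeCrypto.verify('sha256', Buffer.from(p.mso), key, p.signature))
    return { ok: false, reason: 'bad signature' };
  const claims = {};
  for (const item of p.items) {
    if (mso.digests[item.name] !== itemDigest(item))
      return { ok: false, reason: 'digest mismatch' };
    claims[item.name] = item.value;
  }
  return { ok: true, issuer: mso.issuer, claims };
}
// Constructed sample data: hypothetical issuer ids, keys generated on the fly.
function demo() {
  const kp = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const [ca, ut, rogue] = [kp(), kp(), kp()];
  const trustList = new Map([['US-CA', ca.publicKey], ['US-UT', ut.publicKey]]);
  const data = { family_name: 'Sample', birth_date: '1990-01-01', age_over_21: true };
  const ask = ['age_over_21'];
  const minor = present(issue('US-UT', ut.privateKey, { ...data, age_over_21: false }), ask);
  minor.items[0].value = true; // element altered after issuance
  return {
    ca: verify(present(issue('US-CA', ca.privateKey, data), ask), trustList),
    ut: verify(present(issue('US-UT', ut.privateKey, data), ask), trustList),
    forged: verify(present(issue('US-CA', rogue.privateKey, data), ask), trustList),
    unknown: verify(present(issue('US-ZZ', rogue.privateKey, data), ask), trustList),
    tampered: verify(minor, trustList),
  };
}
console.log(demo());
```

Adding a third issuer to this verifier is one more entry in the trust list; `verify` itself does not change.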
The Reciprocity Problem: Why Bilateral Agreements Don’t Scale
Before standards-based credentials, cross-state recognition required bilateral agreements. Driver's license compacts, professional license reciprocity, and concealed carry permits all rely on explicit legal agreements between participating states. Each state negotiates terms, compliance mechanisms, data-sharing protocols, and dispute-resolution processes with every other participating state.
The math gets ugly fast. For ten states to have full reciprocity, you need 45 bilateral agreements (n × (n-1) / 2). For all fifty states: 1,225 agreements. And that's before considering territories, federal jurisdictions, or international partners.
Proprietary digital credential systems replicate this problem in the technical layer. If each state builds on a vendor-specific platform that doesn't conform to open standards, verifiers need custom integrations for each platform. A retailer wanting to accept digital age verification across all 50 states would need 50 separate technical integrations, 50 sets of API keys, 50 compliance reviews, and 50 ongoing maintenance contracts. The operational burden makes universal acceptance economically unfeasible.
This is why interoperability is a policy decision, not just a technical one. States choosing proprietary credential systems aren't just selecting a vendor; they're choosing fragmentation over interoperability, bilateral coordination over automatic recognition, and higher long-term costs over standards-based efficiency.
What If 50 States Build 50 Different Systems?
A question legislative staffers often ask is: "If every state builds its own mDL system, won't we end up with fifty incompatible solutions?"
The answer depends entirely on whether those systems conform to open standards.
If all 50 states implement ISO 18013-5-compliant mDLs—using different vendors, issuance platforms, and wallet apps—they still interoperate. A Vermont resident can use their mDL in Arizona. A Florida credential works at an Illinois retail counter. The implementation details differ, but the wire protocol, cryptographic trust model, and data structures are consistent.
If states build on proprietary platforms that don't conform to standards, then yes: you get fragmentation, coordination overhead, and limited utility for residents who travel or move between states. The credential might work beautifully within the issuing state, but it becomes useless the moment the holder crosses state lines.
This is why California and other early mDL states chose standards-based implementations. They understood that a digital credential's value is proportional to where it can be used.
Testing Standards Before Widespread Adoption
At SpruceID, we don't just implement standards; we help refine them before they're finalized and widely adopted. Our team participates as delegated experts in ISO/IEC (working on ISO 18013-5 and 18013-7), as co-editors in the W3C Verifiable Credentials Working Group, in the OpenID Foundation, and more.
This early implementation work reveals problems that only surface at scale. Does selective disclosure work correctly when age verification requires proving over-21 status without revealing the exact birthdate? Can offline verification function reliably when cellular connectivity is unavailable? How do updates and revocations propagate across decentralized systems? These aren't theoretical questions; they're operational requirements we validate in production systems serving many people.
The benefit to states: by the time a standard reaches widespread adoption, edge cases have been identified, interoperability has been tested, and reference implementations are available. States building mDL systems in 2025 can deploy proven standards with confidence that conformant implementations will interoperate.
Policy Implications: Reducing Legal and Technical Burden
Standards-based interoperability reduces burden in two dimensions:
Technical burden: States don't need to coordinate integrations with every other jurisdiction. Build to the standard once, and gain interoperability with every other conformant system. TSA's deployment proves this works: one technical integration now accepts mDLs from seventeen states, and when additional states launch compliant mDLs, TSA's existing infrastructure automatically supports them. No new contracts, no new development sprints, no new procurement processes.
Legal burden: While states still make independent policy decisions about what credentials they accept and for what purposes, standards-based technical interoperability removes the need for technical coordination agreements. A state can, as a matter of policy, accept standards-compliant mDLs for age verification without negotiating technical protocols with every issuing state. The legal framework can focus on liability, reciprocity, and policy alignment.
This doesn't eliminate all coordination—states still need to align on which root CAs they trust, the assurance levels they require, and how they handle edge cases such as revocations and updates. But it dramatically reduces the coordination surface area compared to systems requiring bilateral technical integration for every issuer-verifier pair.
The TSA Proof Point: One Integration, Many Checkpoints
TSA's mDL acceptance program is the clearest demonstration that standards-based interoperability works at a national scale. More than 250 checkpoints across the country accept mDLs from seventeen states. Not because TSA built 17 different integrations, but because they built one integration that is ISO 18013-5-compliant.
When a new state launches an mDL program that conforms to the standard, TSA checkpoint readers already support the protocol. The cryptographic validation already works. The data parsing already functions. The new state's credentials just work.
This is what sustainable, scalable interoperability looks like. It's why the expected doubling of participating states by 2026 won't require TSA to double its technical complexity. It's why a retailer building age-verification infrastructure today can support current and future mDL-issuing states with a single, conformant implementation.
Standards don't guarantee perfect interoperability. Implementations still need to be tested, edge cases still need to be handled, and policy decisions still require coordination. But standards make interoperability achievable without exponential growth in technical and legal complexity. They enable the 50 states to build systems that work together.
For states evaluating mDL vendors and platforms, the question isn't whether to build verifiable digital credentials; it's whether to build credentials that interoperate beyond state borders or credentials that fragment the national digital identity landscape. Standards compliance makes that choice clear.
Building digital services that scale takes the right foundation.
About SpruceID: SpruceID builds digital trust infrastructure for government. We help states and cities modernize identity, security, and service delivery — from digital wallets and SSO to fraud prevention and workflow optimization. Our standards-based technology and public-sector expertise ensure every project advances a more secure, interoperable, and citizen-centric digital future.