What’s the Difference Between a Physical ID Card and a Verifiable Digital Credential?

Gen Z are giving up their wallets – gladly. 

According to a recent New York Times report, teenagers and twentysomethings think wallets are “uncool.” Instead, they’re increasingly storing every payment method, document, or credential they need on their smartphones: credit cards, plane tickets, insurance cards, transit passes, driver’s licenses, and gym memberships.

Leaving home without a wallet might sound terrifying, but it’s quickly becoming the new normal. Digital driver’s licenses, now available in states like New York and California, are poised to spread nationwide. Businesses and agencies that don’t get up to speed on the new digital identity risk being left behind: one 19-year-old told the Times that if a store doesn’t accept Apple Pay, she “won’t give them my business.”

You might assume these verifiable digital credentials are just photos of conventional documents or plastic ID cards. But behind the curtain, there’s a lot more going on, involving advanced cryptography and hardware. While early adopters may care most about the convenience of carrying one less thing, the real point of digital identity is that it’s more private, works better online, and can’t be faked as easily as physical ID. 

So what are these digital cards, really – and how do they work? How are they different from physical ID or credit cards? 

Most importantly, if they’re just files on a smartphone, why are they trustworthy?

The Basics of Digital ID Technology

At the most basic level, a verifiable digital credential is not an image, but a string of numbers. It relies on cryptographic signatures that can be protected by a chip in your smartphone called a “secure element.” This digital ‘signature’ is unique to the credential issuer – for example, all mobile driver’s licenses are digitally signed by a state’s Department of Motor Vehicles.

These ‘digital signatures’ aren’t simply copies of an image of a human signature. Instead, they’re unique alphanumeric identifiers that confirm a document’s authentic source. Thanks to strong encryption methods, these signatures can’t be reproduced or impersonated by another entity.

A verifiable digital credential can be checked in various ways by a verifier, such as a rental agent or traffic cop. In many cases, a verifier will already have a record of an issuer’s public signature (that is, an encrypted string of numbers that is uniquely tied to the issuer alone), and will be able to confirm a credential’s authenticity without pinging back to a centralized server. This is significant because it can reduce the digital ‘trail’ left behind when a credential is checked, and that trail is one notable privacy risk of this new all-digital system.

A physical credential uses quite different techniques to prove its authenticity. Physical anti-fraud measures including micro-printing, holograms, and see-through panels are the first line of defense against fakes. These physical measures work well enough for low-stakes conventional applications, like proving your age to buy alcohol. 

| Physical Credential | Verifiable Digital Credential |
| --- | --- |
| Secured by holograms, bar codes, and databases | Secured by unique encrypted signatures |
| No batteries required | Requires at least some device power |
| Reveals all printed information when presented | Allows Selective Disclosure |
| Easily spoofed online | Secure for online use |
| Requires “phoning home” for full verification | Often verifiable without “phoning home” |
| Reissued every few years | Reissued regularly |
| Can be faked using AI | Requires physical infiltration to fake |

But that example might highlight the problem: there are a lot of high school kids with fake IDs. Holograms and other physical security elements are a barrier, but they can be faked – whether in pursuit of underage drinking, or more nefarious goals. So in more serious face-to-face interactions, such as when you’re pulled over by a police officer, your ID may be checked remotely by sending your ID number to a central database. This incurs privacy risk since it effectively creates a record of your location or activities.

Things like holograms and microtext are particularly easy to fake when an ID is being used online. In fact, a rising wave of online identity fraud, for everything from opening bank accounts to applying for jobs, is a major motivation for the shift to digital identity. Verifiable digital credentials, unlike physical cards, are tailor-made for online use: because their confirming signatures are encrypted, they can be reliably confirmed online without the risk of being stolen or copied. 

Choosing your Data

Gen Z may love leaving their wallets at home, but the biggest benefit of digital identity for most users will be having more control over their personal data – far, far more control.

A paper credential has to be handed over all at once to someone checking it, which usually means they’re getting way more information about you than they actually need. That can incur serious privacy risk, for instance if a bartender decides to take an interest in your home address.

Digital identity instead allows what’s known as “selective disclosure.” California’s mobile driver’s license is fairly typical – when the ID is checked, an app displays what information is being requested, and the information is transmitted only after the holder authorizes the request.

Digital systems can also do even more surprising things with data, such as proving that you’re over 21 without disclosing your specific date of birth. These features are huge steps forward in user privacy and data control. 

Using Digital ID Offline 

Finally, you might wonder how a digital driver’s license or other credential works when your smartphone (or other device) isn’t connected to the internet. It’s increasingly rare, but there are still plenty of places and moments you just don’t have a wireless connection.

The good news is that a verifiable digital credential works just as well offline as when you’re connected to the internet. The digital signature that authenticates a credential is, again, stored directly on your device, not on a remote server. By the same token, verifiers will often already have a record of relevant issuer signatures, making it possible for them to verify your ID without an internet connection.
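The issuer signature, selective disclosure, and offline verification described above can be seen together in a short sketch. This is an added example, not SpruceID's code or any standard's wire format: it assumes Ed25519 signatures and salted SHA-256 digests (one common way to build selective disclosure), and the names `Claim`, `Issue`, and `Verify` plus the sample attributes are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

type Claim struct{ Name, Value, Salt string } // Salt is random per claim

// digest hides a claim behind a salted hash; %q quoting keeps fields unambiguous.
func digest(c Claim) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%q%q%q", c.Salt, c.Name, c.Value))))
}

// Issue (issuer side) salts each claim and signs the sorted digests, not the values.
func Issue(priv ed25519.PrivateKey, claims []Claim) (digests []string, sig []byte) {
	for i := range claims {
		salt := make([]byte, 16)
		rand.Read(salt)
		claims[i].Salt = fmt.Sprintf("%x", salt)
		digests = append(digests, digest(claims[i]))
	}
	sort.Strings(digests) // sorted: hides claim order, enables binary search in Verify
	return digests, ed25519.Sign(priv, []byte(strings.Join(digests, "\n")))
}

// Verify (verifier side) uses only the cached issuer public key: no network call.
func Verify(pub ed25519.PublicKey, digests []string, sig []byte, disclosed []Claim) bool {
	if !ed25519.Verify(pub, []byte(strings.Join(digests, "\n")), sig) {
		return false // digest list (and its order) not signed by this issuer
	}
	for _, c := range disclosed {
		d := digest(c)
		if i := sort.SearchStrings(digests, d); i == len(digests) || digests[i] != d {
			return false // claim altered, or never issued
		}
	}
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	claims := []Claim{{Name: "age_over_21", Value: "true"}, {Name: "address", Value: "1 Example St"}} // constructed
	digests, sig := Issue(priv, claims)
	fmt.Println(Verify(pub, digests, sig, claims[:1])) // only age_over_21 is disclosed
}
```

The verifier receives the full digest list but only the claims the holder chooses to reveal; the undisclosed address stays hidden behind its salted hash, and the precomputed `age_over_21` claim answers the age question without a date of birth.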

Different, and Mostly Better

This has been a high-level overview of some of the differences between physical and digital identity cards or other credentials. There is still much, much more going on under the surface, particularly when it comes to grasping how encryption and digital signatures work.

Hopefully it’s clear even at a glance that there are major differences between digital and physical credentials – including differences that will subtly change how we use and think about identification documents. Many of those differences are clear efficiencies, but a handful may make digital less convenient than paper credentials in particular ways. 

The advantages in user privacy and overall system security will hopefully make those tradeoffs worthwhile, but what’s clear is that the change is just over the horizon. If you need help navigating the new landscape, reach out to SpruceID.


About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.