ArshTechPro
WWDC 2025 - Digital Identity Verification with mdocs and Digital Credentials API

Apple unveiled significant advancements in digital identity verification at WWDC 2025, introducing comprehensive support for mobile documents (mdocs) and the W3C Digital Credentials API. This represents a fundamental shift in how identity verification works across web and mobile platforms.

What Are Mobile Documents (mdocs)?

Mobile documents represent the next evolution of digital identity, built on the ISO 18013-5 standard for interoperability across platforms.

Key Advantages Over Physical IDs:

  • Selective disclosure: Share only the required information (e.g. prove name and age without revealing the full address)
  • Cryptographic security: Information is digitally signed by the issuing authority
  • Cross-platform compatibility: Works across different devices and operating systems
  • Enhanced user experience: No photo uploads or manual data entry required

Current Implementation:

  • Available in Apple Wallet for select airport security checkpoints
  • Supported at Apple Store locations across the US
  • Integrated with select third-party apps via Verify with Wallet API

W3C Digital Credentials API Integration

Apple now supports the W3C Digital Credentials API in Safari and WebKit, enabling seamless web-based identity verification.

Cross-Platform Flow Capabilities:

  • iPhone/iPad: Native integration with stored credentials
  • Mac: Cross-device verification using nearby iPhone
  • Other platforms: QR code-based verification using FIDO CTAP protocol
  • Universal compatibility: Works with any browser supporting the standards

Technical Standards Stack:

  • W3C Digital Credentials API: Primary web interface
  • ISO 18013-7 Annex C: Request profile specification
  • ISO 18013-5: Mobile document format standard
  • FIDO CTAP: Cross-platform authentication protocol

Website Integration Architecture

1. Request Building and Signing

Encryption Information:

  • Nonce generation: Protection against replay attacks
  • Key pair creation: Recipient public/private keys for response encryption
  • Server-side security: Private key retained for decryption

Certificate Management:

  • Apple Business Connect: Required for Apple Wallet integration
  • Document provider certificates: Separate certificates for third-party apps
  • Multiple signatures: Single request can support multiple certificate authorities

2. JavaScript Implementation

API Call Structure:

  • Uses navigator.credentials.get method with digital credentials
  • Protocol specified as "org-iso-mdoc"
  • Request data structure passed as parameter

Requirements:

  • User gesture requirement: Must be triggered by user interaction
  • JSON serialization: Responses are easily transferable to server
  • Exception handling: Rich error types for robust error recovery
  • Fallback support: Graceful degradation to existing verification methods
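The browser-side call described above, as an added example that is not Apple's sample code or part of the original post. It assumes the server has already produced the signed Annex C request payload; the field names `deviceRequest` and `encryptionInfo` and the exact DOMException names WebKit raises in each case are assumptions.

```javascript
// Added example (not Apple's sample code): call the Digital Credentials API for an mdoc.
// Assumed: requestData carries the Annex C fields (base64url-encoded CBOR) built server side,
// e.g. { deviceRequest: "...", encryptionInfo: "..." }; the field names are an assumption.

// Map a DOMException from navigator.credentials.get() to an action for the page.
// Which standard name WebKit raises in each situation is an assumption.
function classifyError(err) {
  switch (err && err.name) {
    case "AbortError":        // we aborted via AbortSignal
    case "NotAllowedError":   // user declined, or no user activation
      return "user-declined";
    case "NotSupportedError": // protocol or API unavailable
    case "TypeError":         // malformed request dictionary
    default:
      return "fallback";      // degrade to the existing verification method
  }
}

// Build the CredentialRequestOptions for the org-iso-mdoc protocol.
function buildRequest(requestData, signal) {
  return {
    digital: { requests: [{ protocol: "org-iso-mdoc", data: requestData }] },
    signal,
  };
}

// Feature detection: Node and older browsers have no navigator.credentials.get.
function apiAvailable() {
  return typeof navigator !== "undefined" && !!navigator.credentials &&
    typeof navigator.credentials.get === "function";
}

// Must run inside a click/tap handler: the API requires a user gesture.
async function verifyIdentity(requestData, { fallback, submit }) {
  if (!apiAvailable()) return fallback("unsupported");
  const controller = new AbortController();
  try {
    const cred = await navigator.credentials.get(buildRequest(requestData, controller.signal));
    // The DigitalCredential serialises to JSON; the server decrypts and validates it.
    return submit(JSON.stringify(cred));
  } catch (err) {
    const action = classifyError(err);
    return action === "fallback" ? fallback(err && err.name) : { status: action };
  }
}
```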

3. Response Handling and Validation

Security Validation Pipeline:

  1. Response decryption: Using HPKE (RFC 9180) with the recipient private key
  2. Certificate validation: Chain verification to trusted issuing authority
  3. Signature verification: Validates issuer authentication structure
  4. Element authenticity: Hash digest comparison for tamper detection
  5. Device authentication: Confirms the response came from the device the document is bound to

Mobile Security Object Validation:

  • Immutable structure: Signed by issuing authority
  • Element integrity: Hash-based verification for each data element
  • Device binding: Public key validation ensures device authenticity

Document Provider API Implementation

IdentityDocumentServices Framework

New framework enabling iOS apps to participate in online identity verification flows.

Registration Process:

  • Use IdentityDocumentProviderRegistrationStore for document management
  • Create MobileDocumentRegistration objects with document type and trusted authorities
  • Call the addRegistration() method to register the document with the system

Key Components:

  • Document registration: Links app documents with system UI
  • Authority validation: Restricts visibility based on trusted certificates
  • Lifecycle management: Add/remove registrations as documents change

UI App Extension Architecture

Extension Template:

  • Identity Document Provider: New Xcode template for rapid setup
  • Secure sandbox: The system parses the incoming request and hands the extension only the partial request it needs to build the UI
  • Two-phase validation: Partial request UI building + full request validation

Implementation Requirements:

  • Create RequestAuthorizationView that accepts ISO18013MobileDocumentRequestContext
  • Build UI with request information display and user consent buttons
  • Handle acceptance through sendResponse() method on context object
  • Implement cancellation via context's cancel() method

Security Flow:

  1. Partial request: System-parsed request for UI building
  2. User authorization: Extension displays consent interface
  3. Full request: Complete ISO 18013 request after user approval
  4. Consistency validation: Compare partial vs full requests
  5. Response encryption: Encrypt and return document data

Security Architecture

Multi-Layer Protection:

1. Request Authentication

  • Certificate-based signing: Identifies requesting website
  • Domain validation: Prevents phishing attacks
  • User transparency: Clear indication of requesting party

2. Response Encryption

  • End-to-end encryption: Browser and OS cannot read identity data
  • Key management: Server-generated encryption keys
  • Transport security: Encrypted throughout entire flow

3. Issuer Authentication

  • Digital signatures: Cryptographically signed by issuing authority
  • Certificate chains: Validation against trusted root certificates
  • Tamper detection: Hash-based integrity verification

4. Device Authentication

  • Device binding: Documents tied to specific device
  • Duplication prevention: Cannot be copied across devices
  • Origin verification: Confirms document source authenticity

Implementation Best Practices

For Website Developers:

  • Certificate management: Obtain proper certificates from Apple Business Connect
  • Error handling: Implement comprehensive exception handling
  • Fallback mechanisms: Maintain existing verification methods
  • Security validation: Follow complete ISO 18013-5 validation procedures

For App Developers:

  • Registration hygiene: Keep document registrations synchronized
  • UI consistency: Provide clear authorization interfaces
  • Request validation: Implement thorough signature verification
  • Response security: Proper encryption and data handling

Universal Considerations:

  • Standards compliance: Adhere to ISO and W3C specifications
  • Cross-platform thinking: Design for interoperability
  • User experience: Prioritize seamless, intuitive flows
  • Security first: Implement all recommended validation steps

Business Impact and Adoption

Immediate Benefits:

  • Reduced friction: Eliminates photo uploads and manual entry
  • Enhanced security: Cryptographic verification vs image processing
  • Better user experience: Native platform integration
  • Broader reach: Cross-platform and cross-browser compatibility

Technical Advantages:

  • Standardized approach: Industry-wide compatibility
  • Future-proof architecture: Built on stable international standards
  • Scalable implementation: Works across any supporting platform
  • Reduced complexity: Eliminates custom image processing solutions

Summary

The introduction of mdocs and Digital Credentials API support represents a significant leap forward in digital identity verification, providing a secure, user-friendly, and interoperable foundation for the future of online identity verification.

Top comments (1)

ArshTechPro

Mobile documents represent the next evolution of digital identity, built on the ISO 18013-5 standard for interoperability across platforms.