For most of the internet’s history, verifying someone’s age online meant asking them to type in a date of birth — a field everyone lies about — or uploading a photo of a government ID, which creates a privacy liability for the user and a data-handling burden for the platform. Neither approach scales well, and neither actually solves the problem regulators are now demanding platforms address.
Mobile driver’s licenses are changing this equation. Built on the ISO 18013-5 standard, mDLs are cryptographically signed digital credentials stored on a user’s smartphone — in Apple Wallet, Google Wallet, or a state-issued app. The critical feature for age verification isn’t the digital license itself; it’s selective disclosure: the ability for a user to prove they meet an age threshold without revealing their name, address, date of birth, or license number.
As of early 2026, 21 US states plus Puerto Rico have launched mDL programs, with over a dozen more in active development. The EU Digital Identity Wallet regulation is pushing similar infrastructure across all 27 member states by end of year. Apple has confirmed Safari 26 will support the W3C Digital Credentials API with native mDL presentation. Google Wallet already supports zero-knowledge proofs on top of ISO 18013-7 mdocs. The infrastructure is no longer theoretical — it’s shipping.
This post breaks down how mDL-based age verification works, why it matters for platforms subject to age-gating regulations, and what the integration path looks like for developers.
How mDL Selective Disclosure Works
Traditional ID verification requires the user to hand over their full identity document. An mDL flips this model. The ISO 18013-5 standard defines a protocol where the verifier (your application) sends a request specifying exactly which data elements it needs, and the holder (the user) approves releasing only those elements.
For age verification, the request is minimal. A platform selling alcohol doesn’t need the user’s name, photo, or address. It needs a single boolean: is this person 21 or older? With mDL selective disclosure, that’s exactly what gets transmitted — a cryptographically signed attestation that the holder meets the age threshold, with nothing else attached.
Here’s what happens under the hood:
1. The verifier sends a request. Your application constructs an mdoc request specifying the data elements needed. For age verification, this is typically age_over_21: true (or the appropriate threshold). The request is signed with your verifier certificate.
2. The user’s wallet prompts for consent. The smartphone’s wallet app displays exactly what data the verifier is requesting. The user sees “App X wants to confirm you are over 21” — not “App X wants your full driver’s license.” The user explicitly approves or denies.
3. The wallet constructs a selective response. The mDL credential on the device generates a response containing only the requested elements, signed with the credential’s device key. The response includes a session transcript binding it to this specific request, preventing replay attacks.
4. The verifier validates the response. Your backend (or the Xident API) validates the cryptographic chain: the issuer’s signature on the credential, the device key binding, the session transcript, and the age threshold result. If everything checks out, you get a verified boolean — the user is over 21 — with no PII stored or transmitted.
The entire flow takes under three seconds and requires zero document uploads, zero selfies, and zero storage of personal data on your servers.
Why This Matters for Regulatory Compliance
The regulatory landscape for age verification is tightening fast. The UK’s Online Safety Act, the EU’s Digital Services Act, state-level laws in the US (from Louisiana to California), and Australia’s eSafety framework all require platforms to verify user age with methods that are “highly effective” — a standard that self-declared date of birth clearly fails to meet.
At the same time, regulators are increasingly scrutinizing the privacy cost of verification. Collecting and storing ID documents to verify age creates a tension: you’re solving an age-gating requirement by creating a surveillance liability. GDPR’s data minimization principle, CCPA’s purpose limitation, and Ofcom’s guidance all push toward the same conclusion — verify the minimum data necessary, store as little as possible.
mDL selective disclosure resolves this tension structurally. When your platform receives only a cryptographically signed age_over_21: true with no name, no photo, no document number, and no date of birth, you’ve achieved the highest possible assurance level while collecting the minimum possible data. There’s nothing to breach because there’s nothing stored.
This is also why regulators are starting to explicitly reference digital wallets and mDLs in compliance guidance. The EU Digital Identity Wallet regulation (eIDAS 2.0) mandates wallet availability across all member states by late 2026 and requires relying parties to accept wallet-based attestations. In the US, AAMVA’s mDL implementation guidelines specifically call out age verification as a primary use case.
The Apple and Google Wallet Factor
The adoption curve for mDLs isn’t driven by state DMV apps alone. Apple and Google are building mDL presentation directly into their wallet platforms, which means the verification experience will be as frictionless as tapping to pay.
Apple Wallet supports mDLs in states that have launched programs. At WWDC25, Apple announced that Safari 26 (shipping with iOS 26) will natively support the W3C Digital Credentials API, specifically for org.iso.mdoc protocol. This means web applications — not just native apps — can request mDL-based age verification through a browser-native flow. The user taps a button on your website, Face ID confirms their identity, and a selective disclosure response is sent to your server. No app install required.
Google Wallet takes a similar approach with an additional privacy layer. Google has implemented zero-knowledge proof support on top of ISO 18013-7 mdocs, enabling age verification where the user proves “I am over 18” without revealing any underlying data — not even a signed boolean derived from their date of birth, but a cryptographic proof that the statement is true. This is the strongest privacy guarantee currently available in a shipping consumer product.
For developers, the convergence on Apple and Google Wallet means your mDL integration reaches the vast majority of smartphone users without requiring them to download a separate verification app. The wallet is already on their phone. The credential is already provisioned. The consent flow is already familiar.
What mDL Coverage Looks Like in 2026
The United States is the most active mDL market globally, though adoption remains state-by-state. As of early 2026, AAMVA lists 21 states plus Puerto Rico with active mDL programs:
Alaska, Arizona, Arkansas, California, Colorado, Delaware, Georgia, Hawaii, Illinois, Iowa, Kentucky, Louisiana, Maryland, Montana, New Mexico, New York, North Dakota, Ohio, Utah, Virginia, and West Virginia.
An additional 15+ states have programs in development or pilot phases. Projections suggest over 650 million people globally will have access to mobile driver’s licenses by end of 2026, driven by both US state rollouts and EU Digital Identity Wallet mandates.
In the EU, the revised eIDAS regulation requires all member states to offer a digital identity wallet by late 2026. While implementation timelines vary, countries like Germany, France, and the Netherlands are already running advanced pilots. The EU wallet specification supports selective disclosure natively, and cross-border acceptance is a core design goal — a German citizen’s wallet attestation should be accepted by a French platform.
For platforms with international user bases, this means mDL-based age verification isn’t just a US-centric solution. The same ISO 18013-5 standard underpins both US state mDLs and EU digital identity wallets, with interoperability baked into the protocol.
Integration Architecture for Developers
If you’re building age-gated experiences — whether for alcohol e-commerce, gaming, social media, cannabis delivery, or adult content — here’s how mDL-based verification fits into your stack.
Online Verification (ISO 18013-7)
For web and mobile applications, ISO 18013-7 defines the online presentation protocol. The flow uses the W3C Digital Credentials API (supported in Safari 26 and Chrome) or platform-specific APIs (IdentityCredential on Android, ASAuthorizationController on iOS).
Your integration has three components:
Frontend: A verification trigger (button or modal) that invokes the Digital Credentials API with your request parameters. The browser handles wallet selection and user consent natively.
Backend: A verification endpoint that receives the mdoc response, validates the cryptographic chain (issuer certificate, device binding, session transcript), and extracts the age threshold result.
Certificate Management: You need a verifier certificate registered with the relevant trust framework. For US mDLs, this means AAMVA’s trust list. For EU wallets, the eIDAS trust framework.
With Xident, the backend complexity is abstracted. Our API handles mdoc validation, certificate chain verification, and trust list management. You send us the raw mdoc response from the wallet; we return a verified age result with a confidence score and audit trail.
In-Person Verification (ISO 18013-5)
For physical venues — bars, dispensaries, event entrances — ISO 18013-5 defines NFC and QR-based proximity presentation. The verifier device (a tablet or phone running your POS app) establishes a secure session with the user’s wallet over BLE or NFC, requests the age threshold, and receives a selective disclosure response.
This replaces the current model of a bouncer visually inspecting an ID card (and seeing the user’s full name, address, and document number) with a cryptographic verification that confirms only “over 21” — faster, more accurate, and privacy-preserving.
Fallback Strategy
mDL coverage isn’t universal yet. Your verification flow needs a graceful fallback for users who don’t have an mDL provisioned. The practical approach is a tiered verification stack:
- mDL / Digital Wallet — Highest assurance, minimum data, fastest UX. Try this first.
- NFC chip verification — For users with a physical passport or NFC-enabled ID card. High assurance, requires document possession.
- Document + biometric verification — Photo upload with liveness detection. Lower privacy guarantees but broad coverage.
- AI age estimation — Facial age estimation as a screening layer for lower-risk thresholds (e.g., over 25 for content that requires 18+).
Xident’s API supports all four tiers with a single integration. The SDK automatically detects wallet availability and presents the optimal verification path to the user.
The Privacy Advantage Is the Business Advantage
Beyond compliance, mDL-based age verification has a concrete business benefit: conversion rates. Every friction point in a verification flow — uploading a document, taking a selfie, waiting for manual review — costs you users. The mDL flow is a single tap. The user doesn’t leave your app. There’s no upload, no camera permission, no waiting.
Early adopters of wallet-based verification are reporting 40-60% higher completion rates compared to traditional document verification flows. When the user’s wallet already has the credential and the consent prompt is a familiar Face ID / fingerprint confirmation, the drop-off rate approaches zero.
There’s also the data liability angle. If you never collect ID documents, you never have to worry about securing them, reporting breaches involving them, or responding to deletion requests for them. Your compliance surface area shrinks dramatically. Your GDPR Article 30 records of processing get simpler. Your insurance costs go down.
What’s Coming Next
The mDL ecosystem is moving fast. Several developments to watch in the second half of 2026:
Browser-native verification: Safari 26 and Chrome are both shipping Digital Credentials API support, making web-based mDL verification as simple as WebAuthn. This eliminates the need for native SDKs in many use cases.
Cross-border interoperability: The EU-US digital identity interoperability framework is in draft stage. If finalized, a US mDL could be accepted by European platforms and vice versa — a significant simplification for global services.
Derived credentials for minors: Several states are exploring mDL-style credentials for users under 16, issued with parental consent. This could enable age-appropriate access tiers (13+, 16+, 18+) with the same selective disclosure model.
Merchant category mandates: Payment networks are increasingly requiring age verification for specific merchant categories. mDL integration at the payment layer — verifying age at checkout without a separate verification step — is in active development by several wallet providers.
Getting Started with Xident
Xident supports mDL-based age verification today. Our SDK handles wallet detection, mdoc request construction, response validation, and trust list management across US state mDLs and EU Digital Identity Wallets.
The integration takes minutes, not months:
import { Xident } from '@xident/sdk';
const result = await Xident.verify({
method: 'wallet-first', // Try mDL, fallback to other methods
ageThreshold: 21,
purpose: 'alcohol-purchase',
});
if (result.verified) {
// User confirmed over 21 via mDL selective disclosure
// No PII stored — only the verification result and audit trail
}If the user’s device supports wallet-based verification, they see a native consent prompt. If not, the SDK gracefully falls back through the verification tier stack. Either way, you get a consistent verified boolean with full audit compliance.
To learn more, check out our documentation or get in touch to discuss your age verification requirements.
