← All field notes
VERIFIABLE IDENTITYJAN 2026 · 3 MIN READ

I built my first mDL demo, and the seamlessness is what hooked me

Malik Warren
Malik Warren
Identity and access engineer · login.gov / NIST 800-63
GitHubLinkedIn

I wanted to see it for myself, so I built a demo.

The setup was simple. A simulated online store selling something age-restricted, alcohol, with a checkout that asked for a mobile driver's license instead of the usual "type your birthday and hope." I walked the whole thing end to end, playing both sides: the shopper presenting a credential, and the store verifying it.

I expected it to feel clunky. It did not.

What I shared was one fact: am I over 21. That was it. Not my name, not my address, not my license number, not even my actual birthday. The store got a signed yes. In a real deployment that yes would be cryptographically tied back to the state that issued the credential, so the vendor could trust it was real without me handing over a single extra detail. Share the minimum, prove it is genuine, move on.

A demo I built, running end to end. The store gets a signed yes. Name, address, birth date, and license number never leave the phone. (Simulation.)

After that I was hooked.

I started chasing where else this was happening. Online vendors running age checks. Airports. Law enforcement and traffic stops. Commercial building access. Car rentals. The same primitive kept showing up in completely different industries: prove one attribute, keep the rest.

The rabbit hole got deeper when I found MATTR, a company out of New Zealand doing this at the national level. New Zealand's Department of Internal Affairs picked them to build the country's digital credential platform, and their NZ Verify app can already check mDLs from other countries and US states. One of the states it verifies? Maryland. My license, checkable on the other side of the world.

So I spent a few weeks just reading. The ISO 18013-5 standard that defines the mDoc format. The NIST NCCoE project writing the playbook for how organizations should actually accept these things. OpenID4VP, the protocol for presenting a credential online.

And the more I read, the more one question started bothering me. It still does.

Why is every state building this differently?

Different wallets, different architectures, different readings of the same standards. If I run a business that wants to accept an mDL, I should be able to integrate once and verify a credential from Maryland or California or Georgia the exact same way. Instead the landscape is fragmented, and the thing standing between "cool demo" and "real infrastructure" is not the cryptography. The cryptography works. It is the absence of a boring, shared, industry-ready standard that everyone actually implements the same way.

That gap is the part I cannot stop thinking about. It is most of why I do what I do now.

~ Malik

0 HEARTS
Tap it if this one landed. It grows.

Comments

Loading comments...

Field notes on digital identity.
mDL, login.gov, and access control. 1-2 emails a month. Real engineering detail, no fluff.

Shipping AI or digital credentials and want help designing this layer? I run a 30-day Identity & Access Blueprint. Details on the homepage →

MORE IN VERIFIABLE IDENTITY