ISO/IEC 18013-5, 18013-7 and 23220 explained

If you are designing a digital identity program that involves mobile documents, you will quickly encounter three closely related ISO/IEC standards: 18013-5, 18013-7 and 23220. They are often discussed together, sometimes interchangeably, but they each play a distinct role.

This page explains what each standard covers, how they relate to one another, and how to decide which ones apply to your use case.

The short version

• ISO/IEC 18013-5 defines how a mobile driver's license (mDL) is structured and presented in person, using short-range technologies such as Bluetooth Low Energy.
• ISO/IEC 18013-7 extends that model to online (remote) presentation, so the same credential can be verified over the internet or through a browser.
• ISO/IEC 23220 generalizes the foundations of 18013-5 so they apply to any mobile document, not only driver's licenses, and adds capabilities such as holder authentication.

Together, these standards give issuers, holders, and verifiers a consistent framework for high-assurance mobile documents across both in-person and online interactions.

ISO/IEC 18013-5: the foundation

ISO/IEC 18013-5:2021 is the foundational standard for mobile driver's licenses (mDLs). It was created to bring the same level of trust as a physical driver's license into a digital, mobile form, while taking advantage of the capabilities that mobile devices and cryptography offer.

It defines:

• The data model for an mDL, including the claims (such as date of birth, document number, issuing authority) and how they are organized.
• The mDoc credential format, including how the credential is encoded (using CBOR) and how it is signed (using COSE).
• The in-person presentation protocols, including how a wallet and verifier device establish a session over Bluetooth Low Energy, Wi-Fi Aware, or NFC, and how the presentation request and response are exchanged.
• The trust model, including how an issuer's signing certificate is anchored in an Issuing Authority Certificate Authority (IACA) and how verifiers establish trust in a given issuer.
• Privacy features such as selective disclosure through salted hashed claims, which let a holder reveal only the specific claims a verifier requests.

The defining context for 18013-5 is proximity. The verifier and the holder are in physical range of each other, and the credential exchange happens over short-range protocols. Because the cryptographic verification does not require a live lookup against the issuer, 18013-5 also supports offline verification, which is important for roadside checks, border controls, and other field deployments.

ISO/IEC 18013-7: extending to online

ISO/IEC 18013-7:2025 extends the 18013-5 model to remote (online) presentation. The credential format and trust model stay the same. What changes is the interaction context: instead of a face-to-face exchange over Bluetooth, the presentation happens over the internet, often through a browser.

18013-7 defines:

• Transport mechanisms for online presentation of mDLs and mDocs.
• Two protocol annexes built on widely adopted web standards:
  • Annex C describes mDoc device retrieval over the W3C Digital Credentials API, currently supported on iOS and Safari.
  • Annex D describes OpenID for Verifiable Presentations (OID4VP) over the same Digital Credentials API, expected on Android and Chromium-based browsers.
• Session security and binding requirements that adapt the in-person protections of 18013-5 to online contexts.

The defining context for 18013-7 is remote interaction. A user opens a website, the website asks for an mDL, and the wallet on the user's device responds, either on the same device or across two devices (for example, scanning a QR code from a desktop with a phone).

ISO/IEC 23220: beyond the driver's license

The ISO/IEC 23220 series takes the foundations established by 18013-5 and generalizes them. It is built on the assumption that the same trust, security, and presentation model used for mobile driver's licenses is valuable for many other kinds of mobile documents, including:

• National identification cards
• Residence permits
• Vehicle registrations
• Professional licenses and permits
• Sector-specific credentials issued by government or regulated entities

ISO/IEC 23220-4 in particular is compatible with 18013-5 and 18013-7 while introducing additional capabilities, such as holder authentication (helping a verifier check that the person presenting the credential is the rightful holder).

In other words, 18013-5 and 18013-7 give you the mDL. ISO/IEC 23220 gives you the ingredients to build other mobile documents that behave consistently with mDLs but are fit for a wider range of use cases.

How the standards relate

The simplest way to think about the relationship is:

They are layered and complementary, not competing alternatives. 18013-7 builds on 18013-5, and 23220 reuses the same building blocks while broadening the scope.

Which standard do I need?

A useful way to frame the question is to start from the use case, not the standard:

• In-person verification of a driver's license on a phone. ISO/IEC 18013-5 is sufficient. This is the canonical mDL use case.
• Online verification of a driver's license, for example, opening an account or proving age on a website. You need ISO/IEC 18013-7 in addition to 18013-5.
• Both in-person and online verification of a driver's license. You need both 18013-5 and 18013-7. Most production mDL programs will fall here.
• Verification of mobile documents beyond driver's licenses, such as national ID cards or permits. ISO/IEC 23220 provides the generalized foundation. In practice, deployments often combine 23220 with 18013-5/7 building blocks.

If you are not sure which combination fits your program, contacting MATTR is a good way to talk through your specific situation.

Why this layered approach matters

These standards exist because high-assurance identity is moving from a single channel (physical card, in-person check) into many channels at once (mobile, online, cross-device, cross-border). A layered set of standards makes this manageable:

• The credential format and trust model stay constant across in-person and online contexts. An issuer signs an mDoc once, and that same credential can be presented in proximity (18013-5) or online (18013-7).
• Interoperability is preserved across vendors and jurisdictions. A wallet and a verifier built in different countries by different vendors can interoperate because they follow the same standards.
• New use cases can be added without reinventing the trust model. When a program decides to extend from driver's licenses to, for example, age verification credentials or professional permits, ISO/IEC 23220 provides a path that reuses the same foundations.

Frequently asked questions

What is ISO/IEC 18013-5?

ISO/IEC 18013-5 is an international standard that defines how a mobile driver's license (mDL) is structured and how it is presented and verified in person, using short-range protocols such as Bluetooth Low Energy, Wi-Fi Aware, or NFC. It is the foundational standard for the mDoc credential format and underpins offline, proximity-based verification.

What is ISO/IEC 18013-7?

ISO/IEC 18013-7 is a technical specification that extends ISO/IEC 18013-5 to remote, online verification. It defines how an mDL or mDoc can be presented over the internet, including how the request and response messages flow between a verifier on the web and a wallet on a holder's device. Annex C of 18013-7 describes mDoc device retrieval over the W3C Digital Credentials API, and Annex D describes OpenID4VP over the same API.

What is ISO/IEC 23220?

ISO/IEC 23220 is a series of standards that generalizes the foundations established by ISO/IEC 18013-5 so they can apply to a broader set of mobile documents, not only driver's licenses. It introduces additional capabilities such as holder authentication, and is compatible with the data structures and security mechanisms defined in 18013-5 and 18013-7.

What is the difference between ISO/IEC 18013-5 and ISO/IEC 18013-7?

ISO/IEC 18013-5 covers in-person, proximity-based presentation of mobile driving licenses. ISO/IEC 18013-7 covers remote, online presentation over the internet. The two are complementary. They share the same credential format and signature model, but address different interaction contexts. Most real-world deployments need both.

Which standard do I need - 18013-5, 18013-7, or 23220?

If you only need in-person verification of a driver's license on a mobile device, ISO/IEC 18013-5 is sufficient. If you also need to verify the credential online or in a browser-based flow, you need ISO/IEC 18013-7 as well. If you are working with broader mobile documents beyond driver's licenses, such as national identification cards or sector-specific permits, ISO/IEC 23220 provides the generalized foundation. Most production deployments draw on more than one of these standards.

Are these ISO standards finalized?

ISO/IEC 18013-5 was published in 2021. ISO/IEC 18013-7 was published as a technical specification in 2024 and as an international standard in 2025. Parts of ISO/IEC 23220 are published, with others still in development.

Summary

ISO/IEC 18013-5, 18013-7 and 23220 are not alternatives. They are layers of the same model for high-assurance mobile documents. 18013-5 establishes the mDL credential format and in-person presentation. 18013-7 extends it to online and browser-based verification. 23220 generalizes the foundation so the same model can carry other mobile documents beyond driver's licenses. Most real-world deployments rely on more than one of these standards at the same time.