Mobile driver's license is replacing the SSN as the US identity primitive

The Social Security Number became the US identity primitive by accident. Designed in 1936 as a tracking number for old-age benefits, the SSN absorbed identity-verification weight over the following sixty years because no other federal credential reached adult-American scale. The 2017 Equifax breach exposed 147.9 million American SSNs and ended the credential’s credibility as a verification primitive: a number known to most large breachers cannot continue to function as the key against which identity is verified (FTC Equifax settlement, July 2019). What has not happened in the eight years since is a federal declaration of a replacement. The institutional question has been answered by adoption rather than legislation, and the answer the market has produced is a credential the federal government does not issue.

The race for the role of identity primitive has run between four candidates with very different issuing authorities. State-issued mobile driver’s licences operate under the standards of the American Association of Motor Vehicle Administrators. The Financial Data Exchange coordinates bank-issued tokens through industry standards. Carrier-bound mobile identity from Prove sits on telecom mobile-network-operator authentication. Federal digital identity (Login.gov, ID.me) operates under General Services Administration mandate. Each had a plausible path to becoming the primitive. By mid-2026, only one has reached the adoption threshold.

State mDL has won the role by adoption. The American Association of Motor Vehicle Administrators lists 21 US states plus Puerto Rico with live mDL programmes as of mid-January 2026, covering Alaska, Arkansas, Arizona, California, Colorado, Delaware, Georgia, Hawaii, Illinois, Iowa, Louisiana, Kentucky, Maryland, Montana, New Mexico, New York, North Dakota, Ohio, Utah, Virginia, and West Virginia (AAMVA mobile driver license page). Only Alabama, Maine, Massachusetts, and Nebraska have no work in progress. Apple Wallet ID is live in 15 of these jurisdictions as of late May 2026 (Arizona, Arkansas, California, Colorado, Georgia, Hawaii, Illinois, Iowa, Maryland, Montana, New Mexico, North Dakota, Ohio, Puerto Rico, West Virginia), with Connecticut, Kentucky, Mississippi, Oklahoma, Utah, and Virginia announced (MacRumors tracker, 29 May 2026). Georgia reports more than 500,000 active users across its state app plus Apple Wallet plus Google Wallet as of July 2025 (Biometric Update on Mastercard and mDL). New York’s Mobile ID enrolled approximately 246,000 users by June 2025 (Biometric Update on US mDL uptake).

State DMV won the role because the DMV was already the de facto identity issuer for the most common forms of adult-American verification. A driver’s licence is the credential most Americans present when asked for ID. The federal government accepts it for boarding aircraft under REAL ID. Banks at branch onboarding, employers at I-9 verification, age-restricted merchants, hotels at check-in, and voters at polling places all request it when SSN alone is insufficient. The mDL is the digital expression of the credential the DMV was already issuing. The institutional incumbent in adult identity verification was at scale, was trusted, and had the existing legal authority to issue a credential. The path was open the moment the federal government declined to legislate a competitor.

Login.gov has supported more than 300 million annual sign-ins across 50-plus federal and state agencies and 500-plus applications since its 2017 launch, and was certified at NIST IAL2 by the Kantara Initiative in October 2024 (GSA Login.gov IAL2 announcement). The platform works. What it does not have is private-sector applicability. Login.gov is constrained to federal use cases by GSA mandate, and without legislative authority that has not been granted in three consecutive Congresses, it cannot become a private-sector identity primitive. Federal digital identity therefore failed not by competition but by the limits of its statutory mandate. State mDL is the only credential with both adult-American scale and private-sector reach.

Apple and Google compressed the adoption curve through their wallet rails in a way no competing identity candidate could match. Apple Wallet ID and Google Wallet ID are not themselves identity primitives; they are distribution rails for state-issued mDL credentials. State DMV issuance plus AAMVA standards plus device-wallet distribution makes a three-party stack no other identity candidate has assembled. Prove’s 1 billion phone-bound tokens have no consumer-facing wallet, FDX’s 114 million bank-connected accounts have no identity-credential product, and Login.gov has no third-party wallet integration. The distribution rail is decisive, and the rail is owned by Apple and Google rather than by any identity-credential player.

TSA acceptance and ISO 18013-7 standards complete the substrate. TSA’s October 2024 final rule enabled continued acceptance of state mDLs at airport security checkpoints and federal buildings; current acceptance covers 11 states at more than 27 participating airports under the REAL ID waiver framework (TSA final-rule press release, 24 October 2024; TSA Participating States and Eligible Digital IDs). The TSA ConfirmID programme launched on 1 February 2026 at $45 per use for travellers without acceptable ID, embedding mDL acceptance into the post-REAL-ID architecture. REAL ID enforcement began on 7 May 2025; phased full enforcement runs to 5 May 2027 (TSA REAL ID enforcement release, 13 January 2025). ISO/IEC 18013-7, the standard for online presentation of mDL, was published on 7 October 2024 and is the technical layer for bank onboarding and age-verification use cases. U.S. Bank and Chime announced mDL-based online account opening in late 2025 using Apple’s Verify with Wallet capability built against 18013-7 (Corbado on ISO 18013-7 in bank KYC).

Card schemes have read the result and are integrating around state mDL rather than building parallel issuance rails. Mastercard’s product positioning frames the digital wallet plus mDL as the path “to make ID like payments” (Biometric Update, August 2025). Mastercard’s 2021 acquisition of Ekata ($850M) was the closest the schemes came to buying an identity-issuance candidate, and the post-acquisition product trajectory has shifted from competing with state mDL to integrating around it. Apple’s late-2025 passport-based Digital ID is accepted at more than 250 TSA checkpoints. None of these moves competes with state mDL at issuance; they all build the layer above. The card-scheme economics now sit at the credentialing layer above the primitive: dispute arbitration, attribute attestation, agent registration. State mDL becomes the substrate; the scheme economics sit one stack-level up.

The strongest objection to the article’s thesis is that adoption is broad but shallow. The 21-state count overstates real-world utility because enrolment is modest. New York’s 246,000 enrolees represent roughly 1.5% of licensed drivers; Georgia’s 500,000 is better at roughly 7% but still niche. TSA acceptance covers 11 states at 27 airports, a fraction of REAL-ID-enforced travel. ISO 18013-7 online presentation went live with two banks in late 2025; broader bank adoption is years away. The Asia-Pacific region accounts for approximately 72% of global mDL transaction volume; the US is not leading globally. The objection is that the article confuses programme existence with primitive status. Concede the shallow-adoption point: state mDL is at the early-curve stage. The thesis is not that mDL has replaced the SSN today; it is that the institutional race for the role of primitive has been decided and the trajectory is set. Apple and Google distribution compresses the curve in a way no comparable category has historically matched, because there is no installation friction and no separate consumer-product to discover. New York’s 1.5% adoption eight months into the programme is comparable to early Apple Pay adoption that reached majority share within five years. The competing primitives have no equivalent curve.

Another reading holds that federal action could still pre-empt state mDL. A federal digital-identity Act would assign issuance authority to NIST, USCIS, or a successor body, relegating state mDL to a credential-issuer in a federal architecture. The thesis treats federal absence as permanent; the objection treats it as transitional. Federal digital-identity legislation has been proposed in three consecutive Congresses without committee markup. The political path is blocked by privacy advocacy on the left (centralised federal digital ID is unpopular among civil-liberties groups), by state-level political interest on the right (states would lose the issuance role they have spent fifteen years building), and by the limited federal-administrative capacity to operate a primary-credential issuance system at scale. The federal track is the explicitly excluded path. State mDL has reached primitive status partly because the federal alternative has repeatedly failed to land.

Bank-issued credentials via FDX could yet win the financial-transaction vertical, leaving mDL for in-person government use only. FDX has 114 million consumer accounts on its APIs as of Q1 2025 and §1033 compliance was scheduled for April 2026 at Tier 1 banks (Banking Dive on CFPB picking FDX). If FDX adds an identity-credential product on top of the data-access infrastructure, banks become the identity primitive for financial transactions. The vertical-split outcome is theoretically possible. The current state is that FDX has no identity-credential product as of mid-2026, only data-access standards; the §1033 identity requirement is institutional (Legal Entity Identifier plus information-security attestation), not consumer-credential (Federal Register §1033 final rule); the §1033 rule is itself in legal flux after the CFPB’s 2025 reconsideration. The bank-tokenised-identity path requires either FDX to ship a credential product (no roadmap as of May 2026) or a coordinating bank consortium that does not yet exist. State mDL has shipped at scale; bank credentials have not.

The legacy SSN-as-identity stack faces revenue compression that is the part of the story most undertheorised. Three industries built revenue lines around SSN as identity primary key: credit bureaus (Equifax, Experian, TransUnion), KYC vendors (Plaid, Persona, Socure, LexisNexis Risk Solutions), and document-verification specialists (Jumio, Onfido, IDEMIA). The credit bureaus are most exposed because the SSN is their primary join key across consumer records; mDL-keyed identity makes the SSN-keyed credit file functionally obsolete for verification purposes, though the credit-score product itself survives. KYC vendors that pivot to mDL-first verification (Plaid’s mDL integration, Persona’s 18013-7 support, Socure’s wallet-aware decisioning) survive the transition. Document-verification specialists that double down on SSN-plus-document-image flows face revenue compression. The prediction is not that these industries collapse; it is that revenue shifts from credential-issuance and document-verification fees toward credentialing-layer attestation fees, and the schemes are positioning to capture the resulting layer.

Politically, the US has chosen, by accident, the most federalist version of digital identity available among the candidates. State DMV issuance preserves state-level institutional power. AAMVA standards preserve interstate interoperability. Apple and Google distribution preserves private-sector competition at the wallet layer. The credentialing layer above (where the scheme economics now sit) preserves private-sector competition at the scheme and SaaS layers. The result is a hybrid: state-issued primitive plus private-sector distribution plus private-sector credentialing layer, with no federal agency running it and no single private-sector firm owning it. The shape resembles what Australia is building under CDR and Trust Exchange, with one important difference: the US arrived by emergence rather than by Treasury coordination (Ashurst on Australian Trust Exchange).

For private-equity diligence on identity-adjacent payments and fintech assets, the operational read is direct. Assets whose business models rest on SSN-as-identity (credit bureaus, SSN-plus-document KYC, identity-theft insurance) face revenue compression as mDL adoption deepens. Assets that integrate with state mDL and ISO 18013-7 (KYC vendors with wallet-aware decisioning, banks with online onboarding flows, age-verification specialists with mDL acceptance) have optionality. Assets that compete with state DMV at issuance (Prove’s carrier-bound credentials, FDX-direct identity products that do not yet exist) start at a disadvantage that adoption depth between 2026 and 2030 will only widen. The diligence question for the next decade is whether the asset is short or long the SSN-keyed identity stack.

For Federal Reserve and CFPB supervisors, the question is whether the regulatory frame catches up to the institutional outcome. State mDL has emerged as the identity primitive without a federal coordinating body, and the regulatory frameworks that would normally accompany the role of primitive (fraud-cost reallocation, dispute-defence standards, accreditation for relying parties) do not yet exist. The Australian regime under the Trust Exchange opens to private-sector accreditation on 30 November 2026. The EUDI Wallet under eIDAS 2.0 begins mandatory roll-out on 24 December 2026 (European Commission EUDI Wallet page). The US is operating without either framework. The institutional outcome has settled in favour of state mDL; the regulatory frame to support it has not yet been written, and the next two years of policy work will determine whether the US identity primitive operates with the fraud-cost and dispute-defence standards that Australia and the EU are building, or without them.