iOS 26 Will Let You Add Your U.S. Passport to Wallet for Identity Verification

With Apple I’m always fairly curious about the implementation. If the data is stored securely and if implemented thoughtfully, I am somewhat interested in adding my Passport to the wallet app.

What privacy or security concerns do you have around this feature? Does Apple make any claims around its implementation that alleviate your concerns? What is not addressed?

Claims I have seen so far:

• Data is encrypted end-to-end, and never leaves your device without your consent.
• Your passport data is stored in the Secure Enclave of your iPhone.
• Face ID or Touch ID is required each time you access or present the Digital Passport.
• Apple and issuing authorities cannot track where or when your ID is used

As the old adage goes, do not have over your device for any reason to any government officer willingly.

It would be a tap-to-share-info situation here, it shouldn’t leave your hand.

While I’m against age verification online, I am actually a fan of this specific implementation for age verification terminals at physical stores. I already use my passport card instead of my drivers license for this stuff IRL because it does not have my address on it.

If restaurants and stores adopt this technology I would probably switch to it. I have actually been hoping this exact thing with passports would happen, because I don’t think the great state of Minnesota is going to adopt digital drivers licenses within the next decade at this rate lol

Apple and issuing authorities cannot track where or when your ID is used

This should be true, but I am not sure what information Apple and/or the government receives about you when you add the card to your device. That may change my mind on this, I’d have to do more research.

If we’re being honest the most probable reason the government is backing this is to introduce age verification online though, so that’s not so good news.

Wouldn’t tap to share be a permanent share? Or does it delete itself after a few minutes once authenticated? Will have to see how it would work practically once its out with all its features and functionality for which it is built.

I mean it is built, you can look into how existing digital IDs currently work in Apple Wallet. This is just a new ID provider being added.

Sorry, I misunderstood. I thought there was a difference with it being for passports.

Why would you consent to this?

Why do they need your ID?

But Apple already tracks locations by default.

I guarantee they get your AppleID (and it is inherently “verified”!) so that they can make future warrentless requests via the portal easier: https://lep.apple.com/

Because some products are age restricted and require ID to buy.

Alcoholism I guess /j

For examples like this - is it possible to do this privately? I’m imagining where I visit a retailer to buy an age-restricted item and the retailer records your personal information (drivers license) into their terminal. Could be interesting for the device to attest to your age, but does not provide your name or DOB.

Yes it’s possible using zero-knowledge proofs. This is already a thing with digital IDs it’s just a matter of merchants implementing it.

That is how this works.

Why would you want them recording this?
Please never let them scan or swipe your ID.

I actually agree with you on this. As long as there are safeguards in place, I’m not against this kind of ID verification. I still trust Apple enough to do this and perhaps this may be the way forward to protect our privacy and prevent children from watching porn. I think the whole all-or-nothing debate with age verification hasn’t done any good for society. This may actually be a good workaround. Not everyone has a passport though so hopefully state driver’s license will even be added. A US passport is a good start as there is obviously a process involved to obtain one.

This seems like a good compromise as we move forward.

They already provided the reason. They want to buy an age-restricted item, like… a gun in the US.

Sorry, it’s the first thing that comes to my mind that’s not related to sex.

Apple detailed this in its privacy policy. Here’s the TLDR version.

Soon, Americans and Japanese can add their ID into Wallet. They should know that the privacy implications vary.

For Japanese, the information about you that Apple receives is zero. The only caveat is that you have to download a government’s app. It seems like the government’s app communicates directly with Wallet.

For Americans, things get more complicated:

The information about you that Apple receives:

• Your name, address, and date of birth based on your ID card
• Your Live Photo or Facial and head movements
• Your Apple Account, device use patterns, and settings
• (Optional) Information about the fact that your government issuing authority required additional verification and the type of verification (such as an in-person visit)
• (Optional) Information on the status of the government’s authorization (for example, under review, accepted)

The information about you that your government receives:

• A picture of the front and back of your government ID card
• The still frame from your Live Photo
• Fraud indicators from Apple

In other words, the party that does fraud prevention is Apple, not US states’ governments. This is so dumb but also so on-brand for America. Offloading critical infrastructure to the private sector is always good, right? RIGHT? /j

Your identity card images are encrypted on device and sent to your government issuing authority, which may share them with their third-party identity verification service provider

Cringe lol, the US Government will probably use some garbage like ID.me in addition to Apple.

Overall I’m not too disappointed with how this seems to work. A lot of the privacy downsides are just concerns that would be had with any form of ID, and the upsides are readily apparent. The biggest downside specifically about digital IDs I see is that this functionality will make it more likely that companies will begin asking for this information unnecessarily, so I’m still very mixed on this whole thing.

To present your identity card in person, hold your iPhone or Apple Watch near the identity reader to receive information about who is requesting your identity and the specific information from your identity card being requested. Upon authorization, your device will establish a direct, end-to-end encrypted channel with the identity reader and transmit the authorized information.

Apps requiring proof of age or identity to access their goods or services will present you with a consent sheet showing the specific information being requested, and how long that information will be stored by the requesting app. Upon authorization, your device will transmit an encrypted payload containing the authorized information to the app.

It’s interesting that they only say “apps” present you with the consent sheet. I want to see how the flow presents itself when using it in person. If in-person transactions don’t use the same consent sheet I am familiar with, then that would be a major downside.

If anyone has experience using digital IDs at TSA please share?

The encrypted payload includes a digital signature from your government issuing authority unique to your identity card to allow the app to verify that your identity card is valid.

Uh, is this a static signature or does it rotate per-app? If there is a unique identifier that persists across every usage of your card that is clearly a tracking vector.

In Japan, the Government of Japan may learn information about your presentment as required to provide requested services, such as when presenting your identity card at hospitals.

I am confused about whether the government in Japan is getting this info from your phone or Apple in this circumstance, or if Apple is just pointing out the obvious(?) that the government will get your info when at a government-issued terminal. This is the only time they specifically call out a scenario where the government does know when you use your digital ID card.

When presenting your identity card using Japanese Key Public Infrastructure, Wallet will not display information about the specific information being requested.

Kind of seems like the Japanese implementation is worse than the global version from this privacy policy.