Q & A

Q & A

Why does digital identity matter?

There is a significant increase of online services being accessed via mobile devices, from government services to social networking. Unfortunately, this is accompanied by an increase in online identity thefts. Mobile operators, with their differentiated identity and authentication assets, have the ability to provide sufficient authentication to enable consumers, businesses and governments to interact in a private, trusted and secure environment and enable access to services.

In addition, for services which are accessible via the mobile device, standard log-in processes can be cumbersome, while leveraging existing mobile assets would significantly enhance the consumer experience through seamless login. In short, there is a growing need in the market for digital identity management with operators being in a unique position to address this opportunity with existing assets.

Why is the time for mobile enabled digital identity solutions now?

Digital identity solutions delivered via the GSMA Personal Data Programme are a response to market fragmentation and lack of a seamless authentication and identification systems that guarantee privacy and security to the end user. If not fixed, this will create barriers to market digitalisation and social inclusion. What mobile-enabled digital identity aims to deliver are new services to business and service providers that leverage on existing mobile operator assets and new credential management capabilities.

What does authentication mean?

Authentication describes the process of establishing or confirming that someone is who they claim to be. In the digital spaces it refers to a person verifying or confirming their association with an electronic credential.

What is digital identity?

Digital identity services provide customers with the ability to authenticate and identify themselves remotely and securely via their mobile phone when using digital services. This opens up a range of opportunities for both mobile operators and consumer-focused service providers to build a rich suite of offerings for their customers, while ensuring the user’s private and confidential information is kept safe.

It also provides new options for consumers, who can chose to remain anonymous for the service provider – in the same way as providing a self-selected username and password. The identifier used by the mobile operator to manage the log-in credentials of the consumer may not have to be shared with the service provider.

What is the overall objective of the Programme?

The Programme is aimed at both driving the introduction of new services and the expansion of existing services around the world. The programme’s objective is to put mobile at the heart of managing digital identity. We think that now is the time for mobile operators to act, and the GSMA is focused on developing a consistent and standardised set of services for managing digital identity across the mobile industry. The GSMA is working with all leading mobile operators around the globe and also working in-county with a broader set of ecosystem players, such as governments, banks and retailers, to help roll-out mobile enabled digital identity solutions.

Do mobile enabled digital identity solutions use the phone number as a username?

It depends on the use case, as there are advantages and disadvantages of using the mobile number as the username. For lighter authentication scenarios, such as a website login requiring a relatively low level of security, successful models have shown that prompting the customer to use the mobile number is helpful as it’s easier to remember than an additional username and passcode combination. For stronger authentication and identity verification use cases, additional requirements may be added.

What is the GSMA Personal Data Programme?

The Personal Data Programme 2014/15 has been built on the successes and strategic insights delivered by the work of the GSMA Mobile Identity Programme in 2013. Development of digital identity services has been prioritised by the GSMA Board, and the Programme with its operator partners will work together to deliver digital identity solutions to market with scale, seamless consumer experience, consistency of technology and low barriers to entry across the digital identity ecosystem.

Why are mobile operators well positioned to provide digital identity solutions?

With their differentiated assets such as the SIM card, strong registration process, authentication, fraud detection and mitigation processes, mobile operators have the ability to provide sufficient authentication to enable consumers, businesses and governments to interact in a private, trusted and secure environment and enable access to services.

What is second factor authentication or multiple factor authentication?

Multiple factor authentication provides additional security layers compared to standard methods of authentication. In most cases it combines something I know (like a passcode or username) with something I have (like my mobile phone or SIM) or Something I am (for example biometrics). Mobile is potentially strong in delivering additional factors of authentication, as the mobile phone/SIM card is something I have but it can also be something I am, for example my location, my behavioural profile or simple biometrics (fingerprint scan, face recognition). In case of my mobile, I could be asked to confirm ownership of the mobile device with a one-time passcode delivered via SMS or via an applet installed on the SIM card.

What is mobile signature?

Mobile signature is a way of using the mobile as a replacement for legally binding ‘wet’ signatures utilising the highly secure environment of the SIM or a server to house certificates for message encryption. Users can sign and send documents, securely transmit and authenticate messages and m-payments, and provide verified ID for e-services. Enterprises and other service providers like governments or banks can verify the authenticity of messages, payments, and “permissions” for access based on the legal validity and non-repudiating feature of the mobile signature.

Why has the GSMA chosen to be part of the Open ID Connect Forum?

The GSMA’s role is one of helping the mobile operators deliver valuable propositions and services globally to their customers in a consistent way. We have found that one such area that is growing in importance for the industry is the use of the mobile phone by consumers for authenticating or identifying themselves to services they use.

At the GSMA we have been working with many of our mobile operator members for the last two years to launch varying identity solutions across the globe, using the mobile phone for user authentication and identification. These solutions covered legally binding authentication for government services (mobile signature) to single-sign on solutions which provide users with access to operator and 3rd party content. These solutions were customised and optimised for the local market and whilst most of them utilised operator assets to deliver a level of security and assurance which could hardly be matched by other market players, they were also using older identity and authorisation protocols such as Open ID 2.0 and OAuth 2.0 and this approach didn’t help to make operator solutions competitive on a global level.

In order to achieve global scale and ease of implementation both for Mobile Operators and for the Service Providers they work with, it is important to have a consistent approach for the Service Provider to integrate with the Mobile Operators and this is what Open ID Connect provides. With OpenID Connect, the Mobile Operator community will be able to swing behind a single technology, and one which best meets the needs for providing authentication and identity services for the next generation of mobile and online services.

An important consideration for the GSMA was the ability for its members to work alongside other companies within the OpenID Foundation to create the Open ID Connect standard; by doing so, the resulting standard accommodates the requirements and needs across a whole range of devices and access channels (mobile, Internet etc.) hence driving economies of scale as well as ensuring a consistent and coherent experience for consumers.

How secure is mobile enabled digital identity technology?

Security has been critical to the success of GSM technologies, which used cryptographic solutions and smart card technology to provide security levels for mobile users that had not previously been seen. The evolution of third and fourth generation mobile technologies has facilitated the development and use of even more robust security features because the increased data speeds enable the deployment of more complex security protocols without negatively impacting the end user performance.

The security of services and customer data is vital to the success of mobile identity services as customer confidence is critical. Industry defined technical standards enable a range of security features that provide authenticity, confidentiality and integrity to verify the identity of communicating parties and to protect traffic and data against interception and modification. Whether data is being communicated across mobile networks or stored within dedicated security domains on the SIM card, (which has proven itself to be tamper resistant and resilient to attack), robust measures need to be implemented to provide adequate security levels that meet the requirements of users and regulators.

When will mobile enabled digital identity technology be ready for delivery?

Mobile enabled digital identity services are already available in many countries today. The GSMA is working on standardising the approach the operators are taking in order to achieve consistency and predictability in the market.

Is the password dead?

This might be an overstatement, but it is increasingly clear that the technological means by which identity is created, managed and asserted in the digital world appears increasingly inadequate as consumers are looking for a mechanism that gives them confidence but more importantly ease of use.

The PSD2 Opportunity: Mobile Operators and Fintech This paper discusses the opportunities relating to the partnership between mobile network operators and fintech companies, and how both parties can benefit from each others&#...

Read more | See all Personal Data Resources

SK Telecom: Integrating Existing Identity Solutions into Mobile Connec In December 2016, SKT adapted both T-Auth and T-ID to comply with the Mobile Connect specifications. The goal was to make it easier for international customers to use SKT’s app...

Read more | See all Personal Data Resources

Seminar Presentations from Mobile World Congress 2017 Mobile World Congress 2017 hosted three industry seminars on Mobile Connect and the future of digital identity.  You can find out more about each of these subjects by downloadin...

Read more | See all Personal Data Resources

SIM Toolkit Device Requirements to Improve Mobile Connect Customer Exp This document presents the requirements for the device to improve the user experience of the Mobile Connect SIM applet authenticator. The ETSI (The European Telecommunications St...

Read more | See all Personal Data Resources

Mobile Connect demonstrations As Mobile Connect advances, more examples of its uses continue to emerge. These two videos are the latest demonstrations of Mobile Connect in action. The first illustrates how Mo...

Read more | See all Personal Data Resources

Mobile Connect: mobile high-security authentication This non-technical paper is designed to address security questions related to authentication, especially with respect to payments, banking and online commerce. It explains how Mo...

Read more | See all Personal Data Resources

Trust & Privacy will be Increasingly Important to eID Market ‘Cybercrime keeps Climbing’. This was one of the principal findings from PwC’s Global Economic Crime Survey 2016, and a reminder that many businesses are unprepared for -or...

Read more | Visit Personal Data Blog

The Next Phase of Cross-Border Public Services With over 3 billion enabled users worldwide and its federated distributed architecture, Mobile Connect is a leading example of a mobile identity and authentication solution for g...

Read more | Visit Personal Data Blog

Mobile Connect’s collaboration with leading brands during MWC17 poin Mobile World Congress revealed many ways in which mobile technology is evolving to deliver a new range of digital services. Inside the event’s GSMA Innovation City, we were giv...

Read more | Visit Personal Data Blog

Restoring Trust in the Digital Age – the Great Debate at MWC Industr The security of customer data has never been more crucial. In our digital world, the risk of fraud has reached unprecedented heights and consumers are increasingly cautious about...

Read more | Visit Personal Data Blog

The Future of Identity – Mobile, Invisible, seamless The identity landscape is beginning to evolve at breakneck speed. With new financial legislation set to introduce plethora of commercial opportunities yet potentially create a nu...

Read more | Visit Personal Data Blog

MWC 17: Examining the Mobile Industry’s Digital Identity Solution Authorisation and integration with emerging technologies are two of  Mobile Connect’s advances at this year’s GSMA Innovation City showcase Identity is quickly becom...

Read more | Visit Personal Data Blog

Mobile Connect Summit – London April 25, 2017 Sponsored by: We are pleased to be hosting the first Mobile Connect Summit of the year in London on the 25 & 26 April. As it becomes more apparent that digital identity so...

Read more | See all Personal Data Events

The Meaning of Being eIDAS Compliant: Update on the eIDAS-Mobile Conne May 04, 2017 This year, the GSMA will execute phase 2 of the pilot to demonstrate the scalability of Mobile Connect as a Europe-wide solution for eIDAS. The pilot will enable cross-border aut...

Read more | See all Personal Data Events

Contact GSMA Legal Email Preference Centre Copyright © 2017 GSMA. GSM and the GSM Logo are registered and owned by the GSMA.