Digital identity solutions come in many forms – some of which have a long future ahead of them, especially where they can be combined usefully with others, and some of which have had their day.
But digital identity of any kind requires authentication, which is becoming increasingly mobile – and on this front, users face a range of difficulties. These include vulnerabilities in security, such as HTTP sniffing, and plain protocols used by header enrichment; shortfalls in privacy, as when sensitive data is shared without user consent or even awareness; and straightforward inconvenience, as with outdated methods like one-time SMS codes. But knowing which of the available methods to use – and in which contexts and combinations – is now itself one of the great challenges of the cybersecurity landscape.
Our own digital identity solution, IPification – a tool for seamless login and registration using a mobile device – seeks to allay such conundrums by addressing several existing known limitations among other methods, while being possible to combine with other factors where the user may choose.
IPification does not rely on any particular device or operating system – it verifies mobile identity using the information only a mobile operator would know, like which SIM card a user has been issued, which device is being used in combination with that SIM card, which IP address has been assigned to the user.
And, where most current mobile authentication solutions rely only on phone numbers – which offers hackers too many opportunities to carry out their fraudulent activities – IPification blends several pieces of mobile network information such as device and SIM card data. Privacy is then ensured by a service URI which makes it impossible to track users across different digital services.
This represents a pronounced advance not only in security but also user experience, over commonly used mobile authentication methods such as SMS one-time PINs. And it is in this combination of security and convenience that the success stories of the future in digital identity will be found – a combination which is not always so easy to achieve.
Where biometric identity solutions for instance generally meet user expectations of convenience, they are often not as secure as one might assume – due to a combination of poor standards and the permanence of loss where breaches do occur – and can, in any case, be unreliable due to background influences such as noise and light. Biometrics can, however, be used advantageously in concert with solutions like IPification – the key is to ensure that security-enhancing layers of authentication are added in such a way that does not detract from the user experience.
So what broad trends can we expect to see in the coming years? At the moment the world of digital identity is moving towards the use of HTTPS, whereby existing insecure methods of seamless authentication such as Header Enrichment and others using plain HTTP protocols will no longer work. Apple and Google, for instance, have both announced plans to ban HTTP requests coming from Android or iOS apps.
Over the longer term, the trend is towards decentralized identity solutions, such as blockchain, which aim to put identity management back into the hands of the users themselves. While the appeal of such solutions is clear from a perspective of privacy, there is some way to go before adoption at scale, not least due to ongoing lack of awareness among mainstream users.
More immediately on the horizon is likely a consolidation of multi-factor authentication, whereby users are verified through a combination of methods such as network attributes, biometrics, AI, soft tokens and more – the key will be ensuring the complexity of user experience does not increase with the number of factors, which could easily work to the detriment of adoption.
One thing that looks very likely this year is a final farewell to the password as a mainstream form of digital identification, as users become increasingly wary of cybersecurity – in Q1 of last year alone there were more than 50,000 breaches in 65 countries – but, as the GSMA’s research shows, 9 in 10 would prefer a single strong form of login to several.
Using solutions like IPification will also bring in a wholly new revenue stream for operators, as they’ll be able to leverage technical capabilities they have until now not generally monetized. Operators can thereby also help to stimulate other growing and rapidly digitizing industries, by enhancing their security credentials and trust among their users.
Mobile network operators have been among the most trusted brands for user security in the last two decades – if they can use their unique technological capabilities to further enhance that trust while ensuring the seamless user experience today’s consumers expect as standard, all sides of the ecosystem stand to benefit.
Stefan Kostic is CEO of IPification. He will be speaking at the upcoming seminar, The Future of Digital Identity in China, at MWC19 Shanghai.