Q & A

Q & A

What is the GSMA Personal Data Programme?

The Personal Data Programme 2014/15 has been built on the successes and strategic insights delivered by the work of the GSMA Mobile Identity Programme in 2013. Development of digital identity services has been prioritised by the GSMA Board, and the Programme with its operator partners will work together to deliver digital identity solutions to market with scale, seamless consumer experience, consistency of technology and low barriers to entry across the digital identity ecosystem.

What is the overall objective of the Programme?

The Programme is aimed at both driving the introduction of new services and the expansion of existing services around the world. The programme’s objective is to put mobile at the heart of managing digital identity. We think that now is the time for mobile operators to act, and the GSMA is focused on developing a consistent and standardised set of services for managing digital identity across the mobile industry. The GSMA is working with all leading mobile operators around the globe and also working in-county with a broader set of ecosystem players, such as governments, banks and retailers, to help roll-out mobile enabled digital identity solutions.

What is digital identity?

Digital identity services provide customers with the ability to authenticate and identify themselves remotely and securely via their mobile phone when using digital services. This opens up a range of opportunities for both mobile operators and consumer-focused service providers to build a rich suite of offerings for their customers, while ensuring the user’s private and confidential information is kept safe.

It also provides new options for consumers, who can chose to remain anonymous for the service provider – in the same way as providing a self-selected username and password. The identifier used by the mobile operator to manage the log-in credentials of the consumer may not have to be shared with the service provider.

What does authentication mean?

Authentication describes the process of establishing or confirming that someone is who they claim to be. In the digital spaces it refers to a person verifying or confirming their association with an electronic credential.

Why does digital identity matter?

There is a significant increase of online services being accessed via mobile devices, from government services to social networking. Unfortunately, this is accompanied by an increase in online identity thefts. Mobile operators, with their differentiated identity and authentication assets, have the ability to provide sufficient authentication to enable consumers, businesses and governments to interact in a private, trusted and secure environment and enable access to services.

In addition, for services which are accessible via the mobile device, standard log-in processes can be cumbersome, while leveraging existing mobile assets would significantly enhance the consumer experience through seamless login. In short, there is a growing need in the market for digital identity management with operators being in a unique position to address this opportunity with existing assets.

Why is the time for mobile enabled digital identity solutions now?

Digital identity solutions delivered via the GSMA Personal Data Programme are a response to market fragmentation and lack of a seamless authentication and identification systems that guarantee privacy and security to the end user. If not fixed, this will create barriers to market digitalisation and social inclusion. What mobile-enabled digital identity aims to deliver are new services to business and service providers that leverage on existing mobile operator assets and new credential management capabilities.

Do mobile enabled digital identity solutions use the phone number as a username?

It depends on the use case, as there are advantages and disadvantages of using the mobile number as the username. For lighter authentication scenarios, such as a website login requiring a relatively low level of security, successful models have shown that prompting the customer to use the mobile number is helpful as it’s easier to remember than an additional username and passcode combination. For stronger authentication and identity verification use cases, additional requirements may be added.

Why are mobile operators well positioned to provide digital identity solutions?

With their differentiated assets such as the SIM card, strong registration process, authentication, fraud detection and mitigation processes, mobile operators have the ability to provide sufficient authentication to enable consumers, businesses and governments to interact in a private, trusted and secure environment and enable access to services.

What is second factor authentication or multiple factor authentication?

Multiple factor authentication provides additional security layers compared to standard methods of authentication. In most cases it combines something I know (like a passcode or username) with something I have (like my mobile phone or SIM) or Something I am (for example biometrics). Mobile is potentially strong in delivering additional factors of authentication, as the mobile phone/SIM card is something I have but it can also be something I am, for example my location, my behavioural profile or simple biometrics (fingerprint scan, face recognition). In case of my mobile, I could be asked to confirm ownership of the mobile device with a one-time passcode delivered via SMS or via an applet installed on the SIM card.

What is mobile signature?

Mobile signature is a way of using the mobile as a replacement for legally binding ‘wet’ signatures utilising the highly secure environment of the SIM or a server to house certificates for message encryption. Users can sign and send documents, securely transmit and authenticate messages and m-payments, and provide verified ID for e-services. Enterprises and other service providers like governments or banks can verify the authenticity of messages, payments, and “permissions” for access based on the legal validity and non-repudiating feature of the mobile signature.

Why has the GSMA chosen to be part of the Open ID Connect Forum?

The GSMA’s role is one of helping the mobile operators deliver valuable propositions and services globally to their customers in a consistent way. We have found that one such area that is growing in importance for the industry is the use of the mobile phone by consumers for authenticating or identifying themselves to services they use.

At the GSMA we have been working with many of our mobile operator members for the last two years to launch varying identity solutions across the globe, using the mobile phone for user authentication and identification. These solutions covered legally binding authentication for government services (mobile signature) to single-sign on solutions which provide users with access to operator and 3rd party content. These solutions were customised and optimised for the local market and whilst most of them utilised operator assets to deliver a level of security and assurance which could hardly be matched by other market players, they were also using older identity and authorisation protocols such as Open ID 2.0 and OAuth 2.0 and this approach didn’t help to make operator solutions competitive on a global level.

In order to achieve global scale and ease of implementation both for Mobile Operators and for the Service Providers they work with, it is important to have a consistent approach for the Service Provider to integrate with the Mobile Operators and this is what Open ID Connect provides. With OpenID Connect, the Mobile Operator community will be able to swing behind a single technology, and one which best meets the needs for providing authentication and identity services for the next generation of mobile and online services.

An important consideration for the GSMA was the ability for its members to work alongside other companies within the OpenID Foundation to create the Open ID Connect standard; by doing so, the resulting standard accommodates the requirements and needs across a whole range of devices and access channels (mobile, Internet etc.) hence driving economies of scale as well as ensuring a consistent and coherent experience for consumers.

How secure is mobile enabled digital identity technology?

Security has been critical to the success of GSM technologies, which used cryptographic solutions and smart card technology to provide security levels for mobile users that had not previously been seen. The evolution of third and fourth generation mobile technologies has facilitated the development and use of even more robust security features because the increased data speeds enable the deployment of more complex security protocols without negatively impacting the end user performance.

The security of services and customer data is vital to the success of mobile identity services as customer confidence is critical. Industry defined technical standards enable a range of security features that provide authenticity, confidentiality and integrity to verify the identity of communicating parties and to protect traffic and data against interception and modification. Whether data is being communicated across mobile networks or stored within dedicated security domains on the SIM card, (which has proven itself to be tamper resistant and resilient to attack), robust measures need to be implemented to provide adequate security levels that meet the requirements of users and regulators.

When will mobile enabled digital identity technology be ready for delivery?

Mobile enabled digital identity services are already available in many countries today. The GSMA is working on standardising the approach the operators are taking in order to achieve consistency and predictability in the market.

Is the password dead?

This might be an overstatement, but it is increasingly clear that the technological means by which identity is created, managed and asserted in the digital world appears increasingly inadequate as consumers are looking for a mechanism that gives them confidence but more importantly ease of use.

Digital Identity: Realising Smart Cities As we look further ahead to the mid-century, intelligent public services will move beyond the mechanical: two decades from now, increasingly complex and sensitive aspects of our ...

Read more | See all Identity Resources

Industry Seminar Presentations from MWC18: Regulations and Attributes   Download presentations from the Mobile World Congress identity seminars Watch on-demand seminar videos from the Mobile World Congress identity seminars Security and Privac...

Read more | See all Identity Resources

Strong Mobile Customer Authentication under PSD2: Comparisons and Cons The new PSD2 regulations will bring about major changes to the digital security landscape. Among the most significant of these will be the requirement to use strong customer auth...

Read more | See all Identity Resources

Mobile Connect for Cross-Border Digital Services: Lessons Learned from The GSMA has released the results of the Mobile Connect and eIDAS implementation pilot. The year-long collaboration brought together several public and private sector organisatio...

Read more | See all Identity Resources

Mobile Authentication: Capitalising on China’s Identity Market China Mobile have firmly established themselves in the digital identity market. The network operator’s identity service, Mobile Authentication, offers a range of authentication...

Read more | See all Identity Resources

Mobile Connect in the GSMA Innovation City @MWC18 Mobile Connect, the mobile industry’s identity solution, will be present at Mobile World Congress’ GSMA Innovation City where attendees will have the opportunity to e...

Read more | See all Identity Resources

Mobile Connect Helping to Secure Online Commerce in India India’s economy is becoming increasingly mobile-centric. 39 million smartphones were sold on the subcontinent in Q3 2017 alone – up 20% on the previous year – and almost 70...

Read more | Visit Identity Blog

Industry Seminar Presentations from MWC18: Regulations and Attributes   Download presentations from the Mobile World Congress identity seminars Watch on-demand seminar videos from the Mobile World Congress identity seminars Security and Privac...

Read more | Visit Identity Blog

Digital Identity Demonstrates its Crucial Role in Transforming Healthc Across the world, healthcare continues to be one of the biggest sources of public expenditure. As such, there is increasing pressure to find more efficient means of delivery. Dig...

Read more | Visit Identity Blog

Identity Now Key to Statecraft Say Experts One of the chief concerns of those in the identity ecosystem is the formulation of policy befitting for the emerging digital age. With the recent completion of PSD2 and successiv...

Read more | Visit Identity Blog

Mobile Network Operators to Provide Key Piece in Identity Puzzle As digital services grow in number and sophistication, consumers have whetted their appetite for those which provide unrivalled everyday convenience. As businesses harness the va...

Read more | Visit Identity Blog

CAPS Report on Authentication and Mobile Payments to aid Implementatio With PSD2’s Regulatory Technical Standards now published, the broader financial ecosystem is moving closer towards full-scale implementation of the EU’s revised payment servi...

Read more | Visit Identity Blog

Mobile 360 Series – Privacy and Security May 30, 2018 Mobile 360 Series – Privacy & Security is a two-day event that explores the importance of security for Mobile Network Operators and the wider digital ecosystem. Attendees w...

Read more | See all Identity Events

Contact GSMA Legal Email Preference Centre Copyright © 2018 GSMA. GSM and the GSM Logo are registered and owned by the GSMA.