Q & A

What does authentication mean?

Authentication describes the process of establishing or confirming that someone is who they claim to be. In the digital spaces it refers to a person verifying or confirming their association with an electronic credential.

What is mobile signature?

Mobile signature is a way of using the mobile as a replacement for legally binding ‘wet’ signatures utilising the highly secure environment of the SIM or a server to house certificates for message encryption. Users can sign and send documents, securely transmit and authenticate messages and m-payments, and provide verified ID for e-services. Enterprises and other service providers like governments or banks can verify the authenticity of messages, payments, and “permissions” for access based on the legal validity and non-repudiating feature of the mobile signature.

Why has the GSMA chosen to be part of the Open ID Connect Forum?

The GSMA’s role is one of helping the mobile operators deliver value propositions and services globally to their customers in a consistent way. We have found that one such area that is growing in importance for the industry is the use of the mobile phone by consumers for authenticating or identifying themselves to services they use.

At the GSMA we have been working with many of our mobile operator members for the last two years to launch varying identity solutions across the globe, using the mobile phone for user authentication and identification. These solutions covered legally binding authentication for government services (mobile signature) to single-sign-on solutions which provide users with access to the operator and 3rd party content. These solutions were customised and optimised for the local market and whilst most of them utilised operator assets to deliver a level of security and assurance which could hardly be matched by other market players, they were also using older identity and authorisation protocols such as Open ID 2.0 and OAuth 2.0 and this approach didn’t help to make operator solutions competitive on a global level.

In order to achieve global scale and ease of implementation both for Mobile Operators and for the Service Providers they work with, it is important to have a consistent approach for the Service Provider to integrate with the Mobile Operators and this is what Open ID Connect provides. With OpenID Connect, the Mobile Operator community will be able to swing behind a single technology, and one which best meets the needs for providing authentication and identity services for the next generation of mobile and online services.

An important consideration for the GSMA was the ability for its members to work alongside other companies within the OpenID Foundation to create the Open ID Connect standard; by doing so, the resulting standard accommodates the requirements and needs across a whole range of devices and access channels (mobile, Internet etc.) hence driving economies of scale as well as ensuring a consistent and coherent experience for consumers.

How secure is mobile-enabled digital identity technology?

Security has been critical to the success of GSM technologies, which used cryptographic solutions and smart card technology to provide security levels for mobile users that had not previously been seen. The evolution of third and fourth generation mobile technologies has facilitated the development and use of even more robust security features because the increased data speeds enable the deployment of more complex security protocols without negatively impacting the end-user performance.

The security of services and customer data is vital to the success of mobile identity services as customer confidence is critical. Industry defined technical standards enable a range of security features that provide authenticity, confidentiality and integrity to verify the identity of communicating parties and to protect traffic and data against interception and modification. Weather data is being communicated across mobile networks or stored within dedicated security domains on the SIM card, (which has proven itself to be tamper-resistant and resilient to attack), robust measures need to be implemented to provide adequate security levels that meet the requirements of users and regulators.