Q & A

What is the GSMA Personal Data Programme?

The Personal Data Programme 2014/15 has been built on the successes and strategic insights delivered by the work of the GSMA Mobile Identity Programme in 2013. Development of digital identity services has been prioritised by the GSMA Board, and the Programme with its operator partners will work together to deliver digital identity solutions to market with scale, seamless consumer experience, consistency of technology and low barriers to entry across the digital identity ecosystem.

What is the overall objective of the Programme?

The Programme is aimed at driving both the introduction of new services and the expansion of existing services around the world. The Programme’s objective is to put mobile at the heart of managing digital identity. We think that now is the time for mobile operators to act, and the GSMA is focused on developing a consistent and standardised set of services for managing digital identity across the mobile industry. The GSMA is working with all leading mobile operators around the globe and also working in-country with a broader set of ecosystem players, such as governments, banks and retailers, to help roll out mobile enabled digital identity solutions.

What is digital identity?

Digital identity services provide customers with the ability to authenticate and identify themselves remotely and securely via their mobile phone when using digital services. This opens up a range of opportunities for both mobile operators and consumer-focused service providers to build a rich suite of offerings for their customers, while ensuring the user’s private and confidential information is kept safe.

It also provides new options for consumers, who can choose to remain anonymous to the service provider – in the same way as providing a self-selected username and password. The identifier used by the mobile operator to manage the log-in credentials of the consumer may not have to be shared with the service provider.

What does authentication mean?

Authentication describes the process of establishing or confirming that someone is who they claim to be. In the digital space it refers to a person verifying or confirming their association with an electronic credential.

Why does digital identity matter?

There is a significant increase in online services being accessed via mobile devices, from government services to social networking. Unfortunately, this is accompanied by an increase in online identity thefts. Mobile operators, with their differentiated identity and authentication assets, have the ability to provide sufficient authentication to enable consumers, businesses and governments to interact in a private, trusted and secure environment and enable access to services.

In addition, for services which are accessible via the mobile device, standard log-in processes can be cumbersome, while leveraging existing mobile assets would significantly enhance the consumer experience through seamless login. In short, there is a growing need in the market for digital identity management with operators being in a unique position to address this opportunity with existing assets.

Why is the time for mobile enabled digital identity solutions now?

Digital identity solutions delivered via the GSMA Personal Data Programme are a response to market fragmentation and the lack of seamless authentication and identification systems that guarantee privacy and security to the end user. If not fixed, this will create barriers to market digitalisation and social inclusion. What mobile-enabled digital identity aims to deliver are new services to business and service providers that leverage existing mobile operator assets and new credential management capabilities.

Do mobile enabled digital identity solutions use the phone number as a username?

It depends on the use case, as there are advantages and disadvantages of using the mobile number as the username. For lighter authentication scenarios, such as a website login requiring a relatively low level of security, successful models have shown that prompting the customer to use the mobile number is helpful as it’s easier to remember than an additional username and passcode combination. For stronger authentication and identity verification use cases, additional requirements may be added.

Why are mobile operators well positioned to provide digital identity solutions?

With their differentiated assets such as the SIM card, strong registration process, authentication, fraud detection and mitigation processes, mobile operators have the ability to provide sufficient authentication to enable consumers, businesses and governments to interact in a private, trusted and secure environment and enable access to services.

What is second factor authentication or multiple factor authentication?

Multiple factor authentication provides additional security layers compared to standard methods of authentication. In most cases it combines something I know (like a passcode or username) with something I have (like my mobile phone or SIM) or something I am (for example biometrics). Mobile is potentially strong in delivering additional factors of authentication, as the mobile phone/SIM card is something I have but it can also be something I am, for example my location, my behavioural profile or simple biometrics (fingerprint scan, face recognition). In the case of my mobile, I could be asked to confirm ownership of the mobile device with a one-time passcode delivered via SMS or via an applet installed on the SIM card.

What is mobile signature?

Mobile signature is a way of using the mobile as a replacement for legally binding ‘wet’ signatures, utilising the highly secure environment of the SIM or a server to house certificates for message encryption. Users can sign and send documents, securely transmit and authenticate messages and m-payments, and provide verified ID for e-services. Enterprises and other service providers like governments or banks can verify the authenticity of messages, payments, and “permissions” for access based on the legal validity and non-repudiation feature of the mobile signature.

Why has the GSMA chosen to be part of the OpenID Connect Forum?

The GSMA’s role is one of helping the mobile operators deliver valuable propositions and services globally to their customers in a consistent way. We have found that one such area that is growing in importance for the industry is the use of the mobile phone by consumers for authenticating or identifying themselves to services they use.

At the GSMA we have been working with many of our mobile operator members for the last two years to launch varying identity solutions across the globe, using the mobile phone for user authentication and identification. These solutions ranged from legally binding authentication for government services (mobile signature) to single sign-on solutions which provide users with access to operator and third-party content. These solutions were customised and optimised for the local market. Whilst most of them utilised operator assets to deliver a level of security and assurance which could hardly be matched by other market players, they were also using older identity and authorisation protocols such as OpenID 2.0 and OAuth 2.0, and this approach didn’t help to make operator solutions competitive on a global level.

In order to achieve global scale and ease of implementation both for Mobile Operators and for the Service Providers they work with, it is important to have a consistent approach for the Service Provider to integrate with the Mobile Operators, and this is what OpenID Connect provides. With OpenID Connect, the Mobile Operator community will be able to swing behind a single technology, and one which best meets the needs for providing authentication and identity services for the next generation of mobile and online services.

An important consideration for the GSMA was the ability for its members to work alongside other companies within the OpenID Foundation to create the OpenID Connect standard; by doing so, the resulting standard accommodates the requirements and needs across a whole range of devices and access channels (mobile, Internet etc.), hence driving economies of scale as well as ensuring a consistent and coherent experience for consumers.

How secure is mobile enabled digital identity technology?

Security has been critical to the success of GSM technologies, which used cryptographic solutions and smart card technology to provide security levels for mobile users that had not previously been seen. The evolution of third and fourth generation mobile technologies has facilitated the development and use of even more robust security features because the increased data speeds enable the deployment of more complex security protocols without negatively impacting the end user performance.

The security of services and customer data is vital to the success of mobile identity services, as customer confidence is critical. Industry defined technical standards enable a range of security features that provide authenticity, confidentiality and integrity to verify the identity of communicating parties and to protect traffic and data against interception and modification. Whether data is being communicated across mobile networks or stored within dedicated security domains on the SIM card (which has proven itself to be tamper resistant and resilient to attack), robust measures need to be implemented to provide adequate security levels that meet the requirements of users and regulators.

When will mobile enabled digital identity technology be ready for delivery?

Mobile enabled digital identity services are already available in many countries today. The GSMA is working on standardising the approach the operators are taking in order to achieve consistency and predictability in the market.

Is the password dead?

This might be an overstatement, but it is increasingly clear that the technological means by which identity is created, managed and asserted in the digital world appear inadequate, as consumers are looking for a mechanism that gives them confidence but, more importantly, ease of use.

Copyright © 2017 GSMA. GSM and the GSM Logo are registered and owned by the GSMA.