Q & A
Q & A
The Personal Data Programme 2014/15 has been built on the successes and strategic insights delivered by the work of the GSMA Mobile Identity Programme in 2013. Development of digital identity services has been prioritised by the GSMA Board, and the Programme with its operator partners will work together to deliver digital identity solutions to market with scale, seamless consumer experience, consistency of technology and low barriers to entry across the digital identity ecosystem.
The Programme is aimed at both driving the introduction of new services and the expansion of existing services around the world. The programme’s objective is to put mobile at the heart of managing digital identity. We think that now is the time for mobile operators to act, and the GSMA is focused on developing a consistent and standardised set of services for managing digital identity across the mobile industry. The GSMA is working with all leading mobile operators around the globe and also working in-county with a broader set of ecosystem players, such as governments, banks and retailers, to help roll-out mobile enabled digital identity solutions.
Digital identity services provide customers with the ability to authenticate and identify themselves remotely and securely via their mobile phone when using digital services. This opens up a range of opportunities for both mobile operators and consumer-focused service providers to build a rich suite of offerings for their customers, while ensuring the user’s private and confidential information is kept safe.
It also provides new options for consumers, who can chose to remain anonymous for the service provider – in the same way as providing a self-selected username and password. The identifier used by the mobile operator to manage the log-in credentials of the consumer may not have to be shared with the service provider.
Authentication describes the process of establishing or confirming that someone is who they claim to be. In the digital spaces it refers to a person verifying or confirming their association with an electronic credential.
There is a significant increase of online services being accessed via mobile devices, from government services to social networking. Unfortunately, this is accompanied by an increase in online identity thefts. Mobile operators, with their differentiated identity and authentication assets, have the ability to provide sufficient authentication to enable consumers, businesses and governments to interact in a private, trusted and secure environment and enable access to services.
In addition, for services which are accessible via the mobile device, standard log-in processes can be cumbersome, while leveraging existing mobile assets would significantly enhance the consumer experience through seamless login. In short, there is a growing need in the market for digital identity management with operators being in a unique position to address this opportunity with existing assets.
Digital identity solutions delivered via the GSMA Personal Data Programme are a response to market fragmentation and lack of a seamless authentication and identification systems that guarantee privacy and security to the end user. If not fixed, this will create barriers to market digitalisation and social inclusion. What mobile-enabled digital identity aims to deliver are new services to business and service providers that leverage on existing mobile operator assets and new credential management capabilities.
It depends on the use case, as there are advantages and disadvantages of using the mobile number as the username. For lighter authentication scenarios, such as a website login requiring a relatively low level of security, successful models have shown that prompting the customer to use the mobile number is helpful as it’s easier to remember than an additional username and passcode combination. For stronger authentication and identity verification use cases, additional requirements may be added.
With their differentiated assets such as the SIM card, strong registration process, authentication, fraud detection and mitigation processes, mobile operators have the ability to provide sufficient authentication to enable consumers, businesses and governments to interact in a private, trusted and secure environment and enable access to services.
Multiple factor authentication provides additional security layers compared to standard methods of authentication. In most cases it combines something I know (like a passcode or username) with something I have (like my mobile phone or SIM) or Something I am (for example biometrics). Mobile is potentially strong in delivering additional factors of authentication, as the mobile phone/SIM card is something I have but it can also be something I am, for example my location, my behavioural profile or simple biometrics (fingerprint scan, face recognition). In case of my mobile, I could be asked to confirm ownership of the mobile device with a one-time passcode delivered via SMS or via an applet installed on the SIM card.
Mobile signature is a way of using the mobile as a replacement for legally binding ‘wet’ signatures utilising the highly secure environment of the SIM or a server to house certificates for message encryption. Users can sign and send documents, securely transmit and authenticate messages and m-payments, and provide verified ID for e-services. Enterprises and other service providers like governments or banks can verify the authenticity of messages, payments, and “permissions” for access based on the legal validity and non-repudiating feature of the mobile signature.
The GSMA’s role is one of helping the mobile operators deliver valuable propositions and services globally to their customers in a consistent way. We have found that one such area that is growing in importance for the industry is the use of the mobile phone by consumers for authenticating or identifying themselves to services they use.
At the GSMA we have been working with many of our mobile operator members for the last two years to launch varying identity solutions across the globe, using the mobile phone for user authentication and identification. These solutions covered legally binding authentication for government services (mobile signature) to single-sign on solutions which provide users with access to operator and 3rd party content. These solutions were customised and optimised for the local market and whilst most of them utilised operator assets to deliver a level of security and assurance which could hardly be matched by other market players, they were also using older identity and authorisation protocols such as Open ID 2.0 and OAuth 2.0 and this approach didn’t help to make operator solutions competitive on a global level.
In order to achieve global scale and ease of implementation both for Mobile Operators and for the Service Providers they work with, it is important to have a consistent approach for the Service Provider to integrate with the Mobile Operators and this is what Open ID Connect provides. With OpenID Connect, the Mobile Operator community will be able to swing behind a single technology, and one which best meets the needs for providing authentication and identity services for the next generation of mobile and online services.
An important consideration for the GSMA was the ability for its members to work alongside other companies within the OpenID Foundation to create the Open ID Connect standard; by doing so, the resulting standard accommodates the requirements and needs across a whole range of devices and access channels (mobile, Internet etc.) hence driving economies of scale as well as ensuring a consistent and coherent experience for consumers.
Security has been critical to the success of GSM technologies, which used cryptographic solutions and smart card technology to provide security levels for mobile users that had not previously been seen. The evolution of third and fourth generation mobile technologies has facilitated the development and use of even more robust security features because the increased data speeds enable the deployment of more complex security protocols without negatively impacting the end user performance.
The security of services and customer data is vital to the success of mobile identity services as customer confidence is critical. Industry defined technical standards enable a range of security features that provide authenticity, confidentiality and integrity to verify the identity of communicating parties and to protect traffic and data against interception and modification. Whether data is being communicated across mobile networks or stored within dedicated security domains on the SIM card, (which has proven itself to be tamper resistant and resilient to attack), robust measures need to be implemented to provide adequate security levels that meet the requirements of users and regulators.
Mobile enabled digital identity services are already available in many countries today. The GSMA is working on standardising the approach the operators are taking in order to achieve consistency and predictability in the market.
This might be an overstatement, but it is increasingly clear that the technological means by which identity is created, managed and asserted in the digital world appears increasingly inadequate as consumers are looking for a mechanism that gives them confidence but more importantly ease of use.