Two-Factor Authentication is Crucial in the Fight against Fake Online Identities

The internet’s relative anonymity is heralded by some as among its greatest assets: a means by which we can escape the pressures and disappointments of outside life, and find outlets for sides of ourselves which might otherwise find no expression. There’s clearly some good to be preserved in that respect, and a complete loss of anonymity online could take with it some of the creativity the internet age has unleashed. However, serious problems do arise where people not only shed their own identities, but assume those of others – and, as is becoming worryingly evident, we now face a global pandemic of such false identity. If a better balance is to be struck – if we are to maintain a low profile where we can do little harm, but be required to prove our identities with clarity where more is at stake – we need to add layers of identity verification to our everyday authentication processes as standard.

There are distressing human costs to the ease with which identities can be faked online, with sometimes harrowing effects on innocent lives.  Earlier this month the news broke that prominent Australian actor Lincoln Lewis had, without realising at the time, been impersonated online in a malicious ‘catfishing’ saga which had a devastating impact on its two victims.  “Having your number, address, personal details illegally obtained and photos doctored was scary,” reflected Lewis, “and having them used to catfish people is sickening.” The story is just one of the latest in what is now a disturbingly ordinary pattern – this is now such a common phenomenon that a few moments on a search engine can turn up detailed instructions on how to create a false persona online.

In purely commercial terms, however, there are costs to identity theft beyond the obvious ones of fraudulent purchases and illicit withdrawals: the effectiveness of eCommerce itself is under threat from the false claims and bogus activity that identity fraud facilitates. The digital informational ecosystem on which much of contemporary marketing relies is being steadily undermined by the misleading data which now proliferates online. False positives in click-through rates are bad enough; but where even the most basic identity information can be faked, such as IP address and geodata, the accuracy with which advertising can be targeted is severely threatened.

Even the public square suffers from this. One recent study suggested that up to 15% of Twitter users are fake accounts impersonating real people, and Facebook has conceded that around 10% of its 2 billion user base are fake. These false accounts can be used not only for malicious private purposes, as in the Lincoln Lewis case; they can also be used in the political arena, as seen recently in a mayoral race in the US. In fact, as we face up to increasingly shaken confidence worldwide in democratic processes – with ever-more bitter disputes over campaign claims and results, loss of faith in self-professed expert opinion, and ‘fake news’ now a household term – delivering solid verification of online identity could become an existential question for our way of life.

In light of all this, we are likely to see increased merging of analogue and digital identities in the coming years: as our offline and online lives become ever more integrated, the distinction will soon become largely meaningless.  This means we can expect to provide more rigorous verification of our identities every time we access digital services, perhaps even very basic ones.  This may sound onerous at a glance, but it doesn’t mean we’ll need to go through lots of extra steps – indeed, our ease can be enhanced in the process, as we dispense with the insecurity and inconvenience of using an ever-increasing number of passwords.  It simply means the methods we use to prove who we are will need to be underpinned by stronger processes as standard – most notably, through two-factor or multi-factor authentication. Some of the big players such as Facebook are already moving in this direction; the essential thing, however, is making it so standard it becomes second nature.

The mobile industry is already helping here, through its globally interoperable identity solution Mobile Connect: by matching users with something they have about their person as a matter of course (their mobile device), and cross-checking that with something they know (a PIN), or something they are (a biometric scan), solutions of these kinds can bring clarity to what is still a concerningly murky online world.

But beyond providing the digital tools people need to prove who they are with confidence, operators recognise the need to play a role in raising awareness and collaboration across the ecosystem.  Ensuring secure and reliable digital identity is essential to inclusivity as the digital economy expands – and equally vital to its ability to do so. What is sometimes assumed to be a competence of governments is really in the interests of all who work in the digital economy, and as such the GSMA will on 12 June host our Identity Hangout: Controlling Fake Online Identities, to convene strategic discussions of how these challenges can be addressed by players in the tech world. We hope to see many of those who have something to contribute at VENUE between 9am and 10am on 12 June, for this essential meeting of minds in online security.