Identity & Authentication For Mobile Users
Concerns over Personal Data Security and Privacy is now a reason to delete an application for more than a third of consumers; there is a similar level of nervousness surrounding installing apps in the first place.
Each year, the Mobile Ecosystem Forum (MEF) surveys the level of trust in the digital ecosystem, and 2021 data revealed a clear gap between the level of expectations from consumers versus real experience.
In 2015, global fraud amounted to $3trillion dollars. By 2025, the figure will be $10.5trillion from fraud and cybercrime. From the 2021 MEF Survey, the top user concerns are:
- Being defrauded / losing money – 49%
- Cyber criminals gaining access to my data – 49%
- Someone gaining access to my mobile – 47%
Consumers Are Worried.
The thing many people like about the Internet—that we are fundamentally anonymous and equally accepted to share information, that nobody really knows who we are on the Internet—is one of the biggest weaknesses in terms of cybersecurity and long-term sustainability of the digital economy. Digital identity has been an afterthought.
Globally, we are seeing a clear move away from a distinctly unexceptional user experience and inadequate underlying security. Industry is having to develop new solutions that (a) meet the evolving needs of the user experience and (b) work to mitigate the threats, including:
- Device compromisation – where a hostile party can take control of a device remotely.
- Smishing - when fraudsters attempt to elicit sensitive personal data, passwords, or banking details through SMS (the most common ways to authenticate globally).
- SIM (Subscriber Identity Modules) swapping - where a mobile phone identity is swapped with the intention of taking over an account in order to impersonate the user (e.g. making calls, receiving authorisation codes etc.).
Three architectures are developing and succeeding across the globe that link the individual’s attributes to databases. Interestingly, biometrics are the common thread across all these architectures:
Centralised model – often operated by a government or consortium of financial institutions. In this model, an individual’s information is handled on a centralised database from cradle to grave and has the effect of offering a simplified means of establishing digital identity for a range of services.
Federated model – operating with a series of distributed databases that represent different groupings and where parties can access personal data in one of those databases.
Self-sovereign identity model – which has no centralised database where the individual owns, manages, controls, and issues their personal data.
We are starting to see the emergence of a new model based on these three models. This could be considered as the establishment of digital credentials. An example of this would be an individual’s Covid status. This would allow a person to obtain their signed and verified health credentials which would then be trusted for access to venues or travel.
Clearly, there are issues around maintaining an individual’s privacy and how authentication fits into the process. Standards are developing that can provide further reassurance. Furthermore, there is the issue of regulation, how liability is distributed in this model of verifiable credentials, and how data is controlled and handled under regulatory requirements such as GDPR.
What is emerging is a pronounced move towards mobile device-based technology and using the hardware device itself to authenticate the user and produce a result, such as face ID or fingerprints.
Mobile operators can play their part by using the unique assets of a mobile device and knowledge of the SIM. One application of leveraging the SIM is ‘Mobile Connect’ which has been very successful in India. Solutions like this could be asking users to confirm a PIN code via their phone SIM.
The solutions are still widely fragmented though. The level of security required by each action is different, as is the level of acceptable ease of use for authentication or verification. To approve a large bank payment, you might want to use a highly secure system and be happy to wait a few more seconds, but to manage your online game features or change your plane seat you might want something faster, even if it is not as secure.
We are also seeing significant growth in approaches that are independent of either the device or mobile operator. These can be used when a device may be unavailable, for example, when it is lost or you are out of a coverage area. A mobile identity (as well as other biometrics) would be maintained through a cloud-based interface or another distributed means of authentication.
Further efforts need to be made as there are inherent risks with online interactions and the sharing of personal data and the traditional ways of handling these are no longer fit for purpose.
Dario Betti is CEO of Mobile Ecosystem Forum, a global trade body that provides its members with global and cross-sector platforms for networking, collaboration and advancing industry solutions.
You Might Also Read:
Mobile Cyber Attacks: The Different Facets Of Smartphone Malware: