Telecoms operators have been developing and providing digital identity solutions to customers for years, in many cases for over a decade. While a significant proportion of telecoms operators now provide digital identity solutions – 70 offer services leveraging the GSMA’s Mobile Connect standard – and some have attempted to build more broad-based solutions helping customers to manage personal data. So far these have not grown into significant revenue generators for telcos.
However, as more and more services move online, in part accelerated by the COVID-19 pandemic, consumers, businesses and governments are increasingly dependent on digital identity solutions to access basic and critical services. This is creating complexity and risk in managing and maintaining multiple identities for individuals, and multiple identity systems for businesses and government organisations. With all facets of life and work becoming ever more connected through the IoT, the potential attack surfaces where access and sensitive personal data can be exposed, raises the risk of identity theft and other forms of costly fraud against individuals and businesses.
Although the risks of insecure digital identities are well known, owing to regular high profile data breaches exposing users’ personal information, consumers in particular have been slow to invest in cybersecurity systems to protect themselves from these risks. Likewise, the potential benefits of greater integration between government- and privately-managed digital identity systems are also well understood, yet there has been limited progress in unifying digital identities. The digital identity market remains highly fragmented and users have little more visibility over where their personal information is stored and how it is shared than they did five years ago.
The key question we explore in this report is therefore whether telecoms operators can build on their existing roles in delivering authentication or other digital identity and personal data protection or management services to address the underlying scaling challenges in the digital identity market. How can they help customers to gain more control over their personal data and work with businesses and governments to reduce complexity in this market?
Enter your details below to download an extract of the report
The state of digital identity
Definitions and technology background
A digital identity is a digital record that uses a collection of attributes to represent a person or an entity such as a device, an organisation or a process online. Digital identities are used to verify and authenticate users before allowing them to access to digital systems. Digital identity technologies aim to streamline the identification process and minimise the human intervention while keeping the process highly secure.
Three core elements of a secure digital identity
Source: STL Partners, Mobile Ecosystem Forum
As outlined in the three components above, digital identities use two different types of information to identify individuals, which can be used alone or in combination:
- Digital attributes are personal identifiable information (PPI) that is either inherent or assigned information about the user. These are usually part of the user’s nature and not affected by external factors. Inherent attributes can be a person’s date of birth or biometric data such as fingerprints, while assigned attributes can be their national insurance or social security number.
- Digital activities refer to the user’s online behavioural patterns and contain trackable records of online transactions such as search history, purchase history, phone call log, location and geotagging, social media activities and online downloads.
At the second stage of authenticating users, organisations mainly use one of three ways to securely verify and authenticate their users. These are:
- Information the individual knows such as a combination of a username and a password or personal security questions,
- Items that the users have such as a token, a phone or a SIM card or any type of cryptographic key including network information in case of mobile phone users and,
- Who they are, using inherent attributes such as biometric data, including fingerprint, handprint, eye scan, facial recognition, and voice recognition.
The first method is a very common way to authenticate users and provide access. However, it has become vulnerable on its own, especially for granting access to sensitive information, as passwords and PINs are particularly vulnerable to phishing scams and end users too often use the same password or PIN for multiple accounts. The use of a physical key is not necessarily safer either as it can also be stolen or lost.
This is driving increased usage of two- or multi-factor authentication, which combines information a user knows with something they have or who they are. Broadly, the more sensitive the data saved in the digital identity system, the more layers of authentication required.
- Single-factor authentication (SFA) is the simplest type of authentication and requires the user to only provide their credentials in a single step similar to logging in using a username and a password.
- Two-factor authentication (2FA) is when another set of credentials is asked of the user in addition to the password such as a one-time SMS / email pin code or a biometric scan.
- Multi-factor authentication (MFA) requires two or more sets of credentials. More layers of security provide higher security. This can complicate and lengthen the access process for the average user, although in some instances it can be done in a frictionless way, e.g. the service provider can independently check that the user’s stated location matches their actual location by verifying the location of their mobile with their telecoms provider.
Increasing usage of 2FA and MFA has likely been a key factor contributing to a levelling off in the number of victims of data breaches over the last four years, despite persistent number of attacks, as illustrated in the graphic below.
Total number of data breaches and victims, 2016 – Q3 2022
Source: Identity Theft Resource Center
Table of contents
- Executive Summary
- The state of digital identity
- Definitions and technology background
- Types of digital identity
- A fragmented market
- Existing digital identity systems are not fit for purpose
- Telco digital identity services: The story so far
- Mobile Connect
- Telco digital identity case studies
- National digital identity initiatives
- Estonia and Finland: Showing the way for national digital identity
- Telcos’ roles in national digital identity solutions
- Recommendations for telco digital identity efforts
This report builds on previous STL research relating to digital identity and personal data:
- Cybersecurity: What will consumers pay for?
- Fighting the fakes: How telcos can help
- Personal data: Treasure or trash? (a profile of Telefónica)
- Blockchain for telcos: Where is the money?
- Will web 3.0 change the role of telcos?