Introduction: The Authentication Arms Race
Authentication: Ubiquitous, but increasingly complex
Authentication is the process of verifying a claim made by (or on behalf of) an entity to an attribute, identity or unique identifier: it confirms that ‘you are what you claim to be’. The entity might be a human or a machine, for example, and a peer in a transaction or the source of some data. This verification is achieved by presenting one or more credentials (or ‘authentication information’) that corroborate the entity’s claim(s).
Clearly, authentication is not a new issue: for thousands of years, societies have learned to cooperate and establish trust in non-digital environments. When an individual presents a credit card (the ‘credential’) for payment in a shop and, in some cases, enters a secret PIN code or signs a receipt (another credential), they are attempting to authenticate their claim that the bank account associated with the card is theirs to use (the ‘attribute’). When a letter is received with a difficult-to-replicate wax seal, this is an attempt to authenticate the origin of the letter. When two members of a secretive group meet for the first time, knowledge of a secret handshake can mutually authenticate their membership of the group.
Nor is it a new issue for STL Partners: we began our coverage of authentication, and the broader identity and personal data markets, in 2008 and have regularly provided market-leading research (e.g. Customer Data 2.0: Telcos Must Vie for a slice of the $Multi-Billion ‘PIE’; Personal Data: how to make it a viable, customer-centred industry) and advisory services since then.
What is new, however, is the growing digitisation of our everyday lives. This has driven new contexts for authentication (e.g. logging in to email accounts), new and sometimes more sophisticated methods of authentication (e.g. SMS one-time passwords, public key encryption), and created entire industries (e.g. Digital Certification). An example which covers all three of these areas is SSL (Secure Sockets Layer), the technology which establishes secure ‘HTTPS’ connections between servers and browsers using a sophisticated mechanism called ‘public key cryptography’, which we return to later.
Figure 1: Mutual SSL Authentication Handshake Message Flow
As we discussed in the recent Executive Briefing ‘Authentication Mechanisms: The Digital Arms Race’, another consequence has been the entrance to the ecosystem of companies not traditionally associated with this space, especially Facebook and Google. Among their many activities in this space is the provision of ‘federated’ authentication and identity services to third-party websites, which essentially allows their users to log in and register using their existing social network credentials. Although usage metrics for these services are not publicly available, anecdotal evidence suggests they are both widely and frequently used. There are clear benefits to each party from using one of these services: users need to remember fewer passwords; online service providers can outsource their credential management systems; and Facebook, Google and Twitter collect more behavioural data for advertising. But, as we will see, there are also clear drawbacks, notably around reach and privacy.
Such user (consumer, citizen or employee) authentication services to remote, digital environments for third-parties (enterprises or governments) are the focus of this report.
Figure 2: The Internet players are providing authentication services to third-parties
Some MNOs are already active in authentication services
Authentication is not a new activity area for mobile operators, either. Most fundamentally, authentication is one of the core purposes of the SIM cards that MNOs issue and manage, alongside identity (and storage):
- Identity: The SIM contains, among other things, a unique reference number (the international mobile subscriber identity, or ‘IMSI’) that identifies the SIM and the relevant subscription. The MNO recognises the reference number and ensures costs and usage are allocated against it correctly.
- Authentication: To provide assurance that the identity claim is valid, the MNO uses a security mechanism to grant access to the network. This is done by issuing a ‘challenge’ which only a particular SIM card can answer correctly using a unique 128-bit ‘Ki’ key associated with its identity. The specific mechanism is known as ‘symmetric key cryptography’.
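The challenge-response mechanism described above, as an added illustration that is not part of this report or of any GSMA specification: the network (here an ‘authentication centre’) issues a random challenge, and only a SIM holding the matching Ki can compute the expected response. The response function used here is HMAC-SHA256 keyed with Ki, standing in for the operator-specific algorithms real networks use; the IMSI and Ki values are constructed for the example. The code also shows the two checks a verifier needs: a SIM with the wrong Ki is rejected, and a previously used response cannot be replayed because each challenge is accepted only once.

```python
import hmac
import hashlib
import secrets

# Constructed sample subscriber table: IMSI -> 128-bit Ki. In a real network the Ki
# is provisioned into the SIM and the operator's authentication centre and never leaves them.
SUBSCRIBERS = {
    "001010123456789": bytes.fromhex("00112233445566778899aabbccddeeff"),
}


def response_for(ki: bytes, challenge: bytes) -> bytes:
    """Illustrative response function: HMAC-SHA256 over the challenge, keyed with Ki,
    truncated to 8 bytes. Real networks use operator-specific algorithms, not this."""
    return hmac.new(ki, challenge, hashlib.sha256).digest()[:8]


class Sim:
    """Models the SIM: it knows its IMSI and its secret Ki and answers challenges."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, challenge: bytes) -> bytes:
        return response_for(self._ki, challenge)


class AuthCentre:
    """Models the network side: issues random challenges and verifies responses."""

    def __init__(self, subscribers: dict):
        self._subscribers = dict(subscribers)
        self._outstanding = {}  # IMSI -> challenge currently awaiting a response

    def issue_challenge(self, imsi: str) -> bytes:
        if imsi not in self._subscribers:
            raise KeyError("unknown IMSI")
        challenge = secrets.token_bytes(16)  # fresh random value per attempt
        self._outstanding[imsi] = challenge
        return challenge

    def verify(self, imsi: str, response: bytes) -> bool:
        # Each challenge is consumed on first use, so a captured response cannot be replayed.
        challenge = self._outstanding.pop(imsi, None)
        if challenge is None:
            return False
        expected = response_for(self._subscribers[imsi], challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_authentication(sim: Sim, auth: AuthCentre) -> bool:
    """One complete exchange: challenge from the network, response from the SIM, verdict."""
    challenge = auth.issue_challenge(sim.imsi)
    return auth.verify(sim.imsi, sim.respond(challenge))


if __name__ == "__main__":
    imsi = "001010123456789"
    auth = AuthCentre(SUBSCRIBERS)
    genuine = Sim(imsi, SUBSCRIBERS[imsi])
    wrong_key = Sim(imsi, bytes(16))  # same IMSI, but without the real Ki
    print("genuine SIM:", run_authentication(genuine, auth))
    print("wrong Ki:   ", run_authentication(wrong_key, auth))
```

Because the challenge is random and consumed on use, an eavesdropper who records one exchange learns nothing that lets them answer the next one, which is the property that makes the SIM a usable authentication device for services beyond network access.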
Beyond authentication for their own use, MNOs have also been developing commercial propositions around user authentication services. In some cases, their role has been strictly limited to enabling the authentication process, such as the UK MNOs’ support of ValidSoft’s fraud prevention service for financial services. In other cases, MNOs have been providing complete mobile authentication services themselves. Some of these have achieved impressive traction and results (e.g. Swisscom’s Mobile ID, KDDI’s au ID), whilst others have struggled, and there are important lessons here.
Figure 3: Map of MNO mobile authentication services, 2014 (incl. examples)
Source: GSMA, STL Partners
Back in May 2014, the GSMA recognised the shaded countries in Figure 3 as having active mobile authentication services, although some of these offer more than ‘pure’ authentication (e.g. extending towards identity) whilst others have the MNO acting as more of an enabler. Example operators (or service logos where available) are overlaid on the map.
Perhaps the most significant recent development in this space was the GSMA’s announcement of the collaborative ‘Mobile Connect’ initiative in February 2014. Mobile Connect aims to facilitate industry-wide collaboration between MNOs so that they can offer privacy-centric authentication, identity and attribute services to relying parties with single technical and commercial interfaces, thereby maximising their reach (3.9 billion unique mobile subscribers) and therefore the attractiveness of these services to relying parties.
Following successful trials and development of the authentication proposition with a lead group of operators during 2014, Mobile Connect is now beginning to go live: March 2015 saw the official launch of Mobile Connect by 17 operators in 13 countries, with others committed to launch during the remainder of 2015 and 2016. The launch proposition is pure authentication, and leverages operator assets (e.g. the SIM card) to allow the use of mobile phones as authentication devices independently of the service provided and independently of the device used to consume the service.
So, what are the opportunities for MNOs in authentication?
Whilst MNOs also have other strengths around privacy, customer support capabilities, and more, they have several weaknesses, and the business case for mobile authentication services is not yet clear to most. To clarify the situation, this report covers the following:
- Key Concepts: The basics of authentication, identity and attributes
- The Need: The practical advantages of mobile authentication mechanisms
- The Vision: Short-term, ‘tactical’ opportunities in premium authentication; long-term, ‘strategic’ opportunities for the industry
- SWOT: MNOs’ strengths, weaknesses, opportunities, and threats in authentication
- Case Studies: (Swisscom) Mobile ID, GSMA Mobile Connect
- Conclusions and Next Steps
The report concludes that now is indeed the time for MNOs to strongly and collectively embrace authentication services. MNOs can be successful in authentication and have an opportunity to directly and indirectly monetise it across three key areas, but this opportunity will not last and there will be few more like it.
- Executive Summary
- Introduction: The Authentication Arms Race
- Authentication: Ubiquitous, but increasingly complex
- Some MNOs are already active in authentication services
- So, what are the opportunities for MNOs in authentication?
- Key Concepts in Authentication and Identity
- Authentication, Credentials and Authorisation
- Attributes, Identity and Identifiers
- X-Party Authentication and the ‘Digital Identity Ecosystem’
- The Need for Mobile Authentication Services
- The need for more convenient & secure digital authentication
- The advantages of SIM-based, mobile authentication
- The Vision: Authentication is the First Step
- Context: MNO Authentication Services SWOT
- (Swisscom) Mobile ID: Success in ‘premium’ authentication
- GSMA Mobile Connect: Free, ubiquitous authentication?
- Looking Beyond Authentication: Monetising attributes
- STL Partners and Telco 2.0: Change the Game
- Figure 1: Mutual SSL Authentication Handshake Message Flow
- Figure 2: The Internet players are providing authentication services to third-parties
- Figure 3: Map of MNO mobile authentication services, 2014 (incl. examples)
- Figure 4: Summarising key definitions in authentication and identity
- Figure 5: Google’s SMS two-factor authentication system
- Figure 6: The ‘Digital Identity Ecosystem’
- Figure 7: The Most Common Passwords of 2014
- Figure 8: Time Spent per adult user per day with internet media, USA, 2008-2015
- Figure 9: Breaking the relationship between security and convenience
- Figure 10: The Vision for MNOs in Authentication Services
- Figure 11: MNO Authentication Services SWOT
- Figure 12: Consumers are increasingly concerned about online privacy
- Figure 13: Authentication Market Growth Dynamics
- Figure 14: The (Swisscom) Mobile ID Proposition
- Figure 15: Authentication using Public Key Encryption
- Figure 16: Mobile ID’s User Experience
- Figure 17: Logical Technical Architecture for Mobile Connect
- Figure 18: Mobile Connect’s User Experience – ‘Click ok’, initiated on PC/tablet
- Figure 19: Mobile Connect Roadmap – Authentication, Identity and Attributes