Mobile ID Archives

Telecoms operators have been developing and providing digital identity solutions to customers for years, in many cases for over a decade. While a significant proportion of telecoms operators now provide digital identity solutions – 70 offer services leveraging the GSMA’s Mobile Connect standard – and some have attempted to build more broad-based solutions helping customers to manage personal data. So far these have not grown into significant revenue generators for telcos.

However, as more and more services move online, in part accelerated by the COVID-19 pandemic, consumers, businesses and governments are increasingly dependent on digital identity solutions to access basic and critical services. This is creating complexity and risk in managing and maintaining multiple identities for individuals, and multiple identity systems for businesses and government organisations. With all facets of life and work becoming ever more connected through the IoT, the potential attack surfaces where access and sensitive personal data can be exposed, raises the risk of identity theft and other forms of costly fraud against individuals and businesses.

Although the risks of insecure digital identities are well known, owing to regular high profile data breaches exposing users’ personal information, consumers in particular have been slow to invest in cybersecurity systems to protect themselves from these risks. Likewise, the potential benefits of greater integration between government- and privately-managed digital identity systems are also well understood, yet there has been limited progress in unifying digital identities. The digital identity market remains highly fragmented and users have little more visibility over where their personal information is stored and how it is shared than they did five years ago.

The key question we explore in this report is therefore whether telecoms operators can build on their existing roles in delivering authentication or other digital identity and personal data protection or management services to address the underlying scaling challenges in the digital identity market. How can they help customers to gain more control over their personal data and work with businesses and governments to reduce complexity in this market?

Enter your details below to download an extract of the report

The state of digital identity

Definitions and technology background

A digital identity is a digital record that uses a collection of attributes to represent a person or an entity such as a device, an organisation or a process online. Digital identities are used to verify and authenticate users before allowing them to access to digital systems. Digital identity technologies aim to streamline the identification process and minimise the human intervention while keeping the process highly secure.

Three core elements of a secure digital identity

Source: STL Partners, Mobile Ecosystem Forum

As outlined in the three components above, digital identities use two different types of information to identify individuals, which can be used alone or in combination:

Digital attributes are personal identifiable information (PPI) that is either inherent or assigned information about the user. These are usually part of the user’s nature and not affected by external factors. Inherent attributes can be a person’s date of birth or biometric data such as fingerprints, while assigned attributes can be their national insurance or social security number.
Digital activities refer to the user’s online behavioural patterns and contain trackable records of online transactions such as search history, purchase history, phone call log, location and geotagging, social media activities and online downloads.

At the second stage of authenticating users, organisations mainly use one of three ways to securely verify and authenticate their users. These are:

Information the individual knows such as a combination of a username and a password or personal security questions,
Items that the users have such as a token, a phone or a SIM card or any type of cryptographic key including network information in case of mobile phone users and,
Who they are, using inherent attributes such as biometric data, including fingerprint, handprint, eye scan, facial recognition, and voice recognition.

The first method is a very common way to authenticate users and provide access. However, it has become vulnerable on its own, especially for granting access to sensitive information, as passwords and PINs are particularly vulnerable to phishing scams and end users too often use the same password or PIN for multiple accounts. The use of a physical key is not necessarily safer either as it can also be stolen or lost.

This is driving increased usage of two- or multi-factor authentication, which combines information a user knows with something they have or who they are. Broadly, the more sensitive the data saved in the digital identity system, the more layers of authentication required.

Single-factor authentication (SFA) is the simplest type of authentication and requires the user to only provide their credentials in a single step similar to logging in using a username and a password.
Two-factor authentication (2FA) is when another set of credentials is asked of the user in addition to the password such as a one-time SMS / email pin code or a biometric scan.
Multi-factor authentication (MFA) requires two or more sets of credentials. More layers of security provide higher security. This can complicate and lengthen the access process for the average user, although in some instances it can be done in a frictionless way, e.g. the service provider can independently check that the user’s stated location matches their actual location by verifying the location of their mobile with their telecoms provider.

Increasing usage of 2FA and MFA has likely been a key factor contributing to a levelling off in the number of victims of data breaches over the last four years, despite persistent number of attacks, as illustrated in the graphic below.

Total number of data breaches and victims, 2016 – Q3 2022

Source: Identity Theft Resource Center

Executive Summary
Introduction
- The state of digital identity
- Definitions and technology background
- Types of digital identity
- A fragmented market
- Existing digital identity systems are not fit for purpose
Telco digital identity services: The story so far
- Mobile Connect
- Telco digital identity case studies
- National digital identity initiatives
- Estonia and Finland: Showing the way for national digital identity
- Telcos’ roles in national digital identity solutions
Recommendations for telco digital identity efforts

Related research

This report builds on previous STL research relating to digital identity and personal data:

Cybersecurity: What will consumers pay for?
Fighting the fakes: How telcos can help
Personal data: Treasure or trash? (a profile of Telefónica)
Blockchain for telcos: Where is the money?
Will web 3.0 change the role of telcos?

Enter your details below to download an extract of the report

Introduction: The Authentication Arms Race

Authentication: Ubiquitous, but increasingly complex

Authentication is the process of verifying a claim by (or for) an entity to an attribute, identity or unique identifier: it confirms that ‘you are what you claim to be’. The entity might be a human or machine, for example, and a peer in a transaction or the source of some data. This verification is achieved by presenting credential(s) (or ‘authentication information’) that corroborate the claim(s) of the entity.

Clearly, authentication is not a new issue: for thousands of years, societies have learned to cooperate and establish trust in non-digital environments. When an individual presents a credit card (the ‘credential’) for payment in a shop and, in some cases, enters a secret PIN code or signs a receipt (another credential), they are attempting to authenticate their claim that the bank account associated with the card is theirs to use (the ‘attribute’). When a letter is received with a difficult-to-replicate wax seal, this is an attempt to authenticate the origin of the letter. When two members of a secretive group meet for the first time, knowledge of a secret handshake can mutually authenticate their membership of the group.

Nor is it a new issue for STL Partners, either: we began our coverage of authentication, and the broader identity and personal data markets, in 2008 and have regularly provided market-leading research (e.g. Customer Data 2.0: Telcos Must Vie for a slice of the $Multi-Billion ‘PIE’; Personal Data: how to make it a viable, customer-centred industry) and advisory services since then.

What is new, however, is the growing digitisation of our everyday lives. This has driven new contexts for authentication (e.g. logging in to email accounts), new and sometimes more sophisticated methods of authentication (e.g. SMS one-time passwords, public key encryption), and created entire industries (e.g. Digital Certification). An example which covers all three of these areas is SSL (Secure Sockets Layer), the technology which establishes secure ‘HTTPS’ connections between servers and browsers using a sophisticated mechanism called ‘public key cryptography’, which we return to later.

Figure 1: Mutual SSL Authentication Handshake Message Flow

Source: CodeProject

As we discussed in the recent Executive Briefing ‘Authentication Mechanisms: The Digital Arms Race’, another consequence has been the entrance to the ecosystem of companies not traditionally associated with this space, especially Facebook and Google. Among their many activities in this space is the provision of ‘federated’ authentication and identity services to third-party websites, which essentially allows their users to login and register using their existing social network credentials. Although usage metrics for these services are not publicly available, anecdotal evidence suggests they are both widely and frequently used. There are clear benefits to each party from using one of these services, such as users needing to remember fewer passwords; online service providers being able to outsource their credential management systems; and Facebook/Google/Twitter collecting more behavioural data for advertising; but, as we will see, there are also clear drawbacks, notably around reach and privacy.

Such user (consumer, citizen or employee) authentication services to remote, digital environments for third-parties (enterprises or governments) are the focus of this report.

Figure 2: The Internet players are providing authentication services to third-parties

Source: Adweek

Some MNOs are already active in authentication services

Authentication is not a new activity area for mobile operators, either. Most fundamentally, one of the two core purposes of the SIM cards that MNOs issue and manage is precisely that (as well as storage):

Identity: The SIM contains, among others, a unique reference number (the international mobile subscriber identity, or ‘IMSI’) that identifies the SIM and the relevant subscription. The MNO recognises the reference number and ensures costs and usage are allocated against it correctly.
Authentication: To provide assurance that the identity claim is valid, the MNO uses a security mechanism to grant access to the network. This is done by issuing a ‘challenge’ which only a particular SIM card can answer correctly using a unique 128-bit ‘Ki’ key associated with its identity. The specific mechanism is known as ‘symmetric key cryptography’.

Beyond authentication for their own use, MNOs have also been developing commercial propositions around user authentication services. In some cases, their role has been strictly limited to enabling the authentication process, such as the UK MNOs’ support of ValidSoft’s fraud prevention service for financial services. In other cases, MNOs have been providing complete mobile authentication services themselves. Some of these have achieved impressive traction and results (e.g. Swisscom’s Mobile ID, KDDI’s au ID), whilst others have struggled, and there are important lessons here.

Figure 3: Map of MNO mobile authentication services, 2014 (incl. examples)

Source: GSMA, STL Partners

Back in May 2014, the GSMA recognised the shaded countries in Figure 3 as having active mobile authentication services, although some of these offer more than ‘pure’ authentication (e.g. extending towards identity) whilst others have the MNO acting as more of an enabler. Example operators (or service logos where available) are overlaid on the map.

Perhaps the most significant recent development in this space was the GSMA’s announcement of the collaborative ‘Mobile Connect’ initiative in February 2014. Mobile Connect aims to facilitate industry-wide collaboration between MNOs so that they can offer privacy-centric authentication, identity and attribute services to relying parties with single technical and commercial interfaces, thereby maximising their reach (3.9 billion unique mobile subscribers) and therefore the attractiveness of these services to relying parties.

Following successful trials and development of the authentication proposition with a lead group of operators during 2014, Mobile Connect is now beginning to go live: March 2015 saw the official launch of Mobile Connect by 17 operators in 13 countries, with others committed to launch during the remainder of 2015 and 2016. The launch proposition is pure authentication, and leverages operator assets (e.g. the SIM card) to allow the use of mobile phones as authentication devices independently of the service provided and independently of the device used to consume the service.

So, what are the opportunities for MNOs in authentication?

Whilst MNOs also have other strengths around privacy, customer support capabilities, and more, they have several weaknesses, and the business case for mobile authentication services is not yet clear to most. To clarify the situation, this report covers the following:

Key Concepts: The basics of authentication, identity and attributes
The Need: The practical advantages of mobile authentication mechanisms
The Vision: Short-term, ‘tactical’ opportunities in premium authentication; long-term, ‘strategic’ opportunities for the industry
SWOT: MNO’s strengths, weaknesses, opportunities, and threats in authentication
Case Studies: (Swisscom) Mobile ID, GSMA Mobile Connect
Conclusions and Next Steps

The report concludes that now is indeed the time for MNOs to strongly and collectively embrace authentication services. MNOs can be successful in authentication and have an opportunity to directly and indirectly monetise it across three key areas, but this opportunity will not last and there will be few more like it.

Executive Summary
Introduction: The Authentication Arms Race
Authentication: Ubiquitous, but increasingly complex
Some MNOs are already active in authentication services
So, what are the opportunities for MNOs in authentication?
Key Concepts in Authentication and Identity
Authentication, Credentials and Authorisation
Attributes, Identity and Identifiers
X-Party Authentication and the ‘Digital Identity Ecosystem’
The Need for Mobile Authentication Services
The need for more convenient & secure digital authentication
The advantages of SIM-based, mobile authentication
The Vision: Authentication is the First Step
Context: MNO Authentication Services SWOT
(Swisscom) Mobile ID: Success in ‘premium’ authentication
GSMA Mobile Connect: Free, ubiquitous authentication?
Looking Beyond Authentication: Monetising attributes
STL Partners and Telco 2.0: Change the Game

Figure 1: Mutual SSL Authentication Handshake Message Flow
Figure 2: The Internet players are providing authentication services to third-parties
Figure 3: Map of MNO mobile authentication services, 2014 (incl. examples)
Figure 4: Summarising key definitions in authentication and identity
Figure 5: Google’s SMS two-factor authentication system
Figure 6: The ‘Digital Identity Ecosystem’
Figure 7: The Most Common Passwords of 2014
Figure 8: Time Spent per adult user per day with internet media, USA, 2008-2015
Figure 9: Breaking the relationship between security and convenience
Figure 10: The Vision for MNOs in Authentication Services
Figure 11: MNO Authentication Services SWOT
Figure 12: Consumers are increasingly concerned about online privacy
Figure 13: Authentication Market Growth Dynamics
Figure 14: The (Swisscom) Mobile ID Proposition
Figure 15: Authentication using Public Key Encryption
Figure 16: Mobile ID’s User Experience
Figure 17: Logical Technical Architecture for Mobile Connect
Figure 18: Mobile Connect’s User Experience – ‘Click ok’, initiated on PC/tablet
Figure 19: Mobile Connect Roadmap – Authentication, Identity and Attributes

Tag: Mobile ID

Sample Reports

Enter your details below to download an extract of the report

The state of digital identity

Definitions and technology background

Three core elements of a secure digital identity

Total number of data breaches and victims, 2016 – Q3 2022

Table of contents

Related research

Enter your details below to download an extract of the report

Introduction: The Authentication Arms Race

Authentication: Ubiquitous, but increasingly complex

Figure 1: Mutual SSL Authentication Handshake Message Flow

Figure 2: The Internet players are providing authentication services to third-parties

Some MNOs are already active in authentication services

Figure 3: Map of MNO mobile authentication services, 2014 (incl. examples)

So, what are the opportunities for MNOs in authentication?

Sample Reports