Keet Malin Sugathadasa

What is Mobile Connect?

Updated: Jun 7, 2020


Mobile Connect - A simpler, safer way to log in is in our hands

Online privacy and security concerns are the biggest threat to sustainable digital growth. In a world driven by technology, the mobile device is the device that reaches the largest number of users around the globe, connecting people from rural areas to the great metropolises of the world. Why can't we take advantage of the mobile device as a sensible and secure means of authentication?


Mobile Connect is the mobile operator facilitated authentication solution that provides simple, secure, and convenient access to online services. It is a convenient alternative to passwords that protects customer privacy. The concept was introduced by the GSMA (GSM Association), which provides a global and secure authentication platform that combines the user's unique mobile number and PIN to verify and authenticate the user, anywhere, anytime. It also allows the user to log in swiftly, without the need for any usernames or passwords.

How Does it Work?

Mobile Connect Authentication Demo

The sequence above depicts the Mobile Connect flow, from signup/login to complete authentication, in just 4 steps. The authentication process is carried out through your mobile device, rather than your personal device.

Step 1: Click on the "Sign up" or "Log in" button

Step 2: Enter your mobile number (optional)

Step 3: Confirm your authentication via the mobile device (USSD, SMS, etc)

Step 4: The log-in process is complete

Why Mobile Connect?

The 21st century is a digital era in which cyber attacks have become a critical problem, and many organizations are still concerned about how secure their systems and products are. The level of security needed for data and information today has made these resources unavailable without proper registration with the resource provider. It therefore becomes mandatory for users to sign up with each system, which results in having to remember numerous usernames and passwords. What if we had a simple and secure mechanism to carry out the authentication process without much hassle, in just seconds?

By reducing the number of usernames and passwords users need to remember, Mobile Connect eliminates the frustration of the end-user, drives more repeat business, and ensures fewer abandoned transactions.

Statistics on users' perspective on Cyber Security

The following statistics were obtained from "GSMA’s 2015 Consumer Research" and relate to users' perspective on cyber security. Of the overall number of users,

87% - Would prefer just one Strong Password to remember

86% - Have left websites when asked to register or signup

86% - Are concerned about security when online

88% - Want reduced risk of identity theft and credit card frauds

81% - Don't feel that they are getting much value from their personal data as third parties do

68% - Are more likely to return to a site that remembers them without a username or a password

This gives a much stronger argument as to why Mobile Connect will dominate the Digital Authentication industry in the near future.

The 3 Concepts of Mobile Connect


SECURE

Trusted operators will expose their APIs, supporting OpenID Connect with the Mobile Connect Profile specified by the GSMA.


CONVENIENT

This is a consistent login experience for all providers across any device. It could be a mobile device, laptop, tablet or even a TV.

PRIVATE

The GSMA has all license needs to comply with the Privacy Policies for each trusted operator. No Personal Data will be shared.

Social Media vs Mobile Connect Authentication


After crunching all the numbers and information, you must be wondering how this is different from social media federated authenticators. In most web services and service providers, "Log in with Social Media" plays a major role.

Collaboration and sharing are made possible by Web 2.0, which also brings a specific set of privacy risks. Social networking sites are user hubs, meant to gather a set of users in one place. This is a jackpot for attackers, who can use the information to earn a large return on investment if they go after the users on social media.

Mobile Connect is a powerful tool that can move us all away from using social media as an easier way to log in, which comes with a lot of unnecessary risks. Even though social networks can eliminate the need for passwords, there is no assurance that this information is secure. With Mobile Connect and its privacy policies, empowered by the GSMA, no information is available to the service providers without the user's consent, making logging in and signing up much safer and more private.

How Safe is Mobile Connect?

With typical username and password schemes, or social media authentication schemes, there is a high risk of losing your privacy if an attacker can discover or guess the user's password. There are many ways that attackers might gain access to accounts: brute force attacks, SQL injection, session hijacking, browser cookies, and many more. In the case of social media, access to one social media account may expose all other accounts via social media login.

However, in Mobile Connect, users prove their identity with their unique mobile number (MSISDN) and mobile device. Since a mobile device is considered to be a single-user device, the user who is in possession of the device is the only person who can log in.

But what happens if the mobile device is stolen?

In this scenario, the user always has the option of calling the respective mobile network operator and reporting that the mobile device is lost or stolen. To prevent unauthorized parties from accessing your private accounts via the stolen device, either the SIM card or the Mobile Connect facility of the mobile number can be cancelled.

Can the Security Level be increased in Mobile Connect?

The level of security each application needs depends on its environment and purpose of use. For example, a bank or an e-payment site would need a higher level of security than an ordinary information system. Considering these possibilities, Mobile Connect gives the developer the option of selecting a level of security, which is also known as the Level of Assurance (LoA).

The Level of Assurance (LoA) describes the degree of confidence in various security processes, including authentication (according to the ISO/IEC 29115 standard). It provides assurance that the entity claiming a particular identity is the entity to which that identity was assigned.

During the Mobile Connect Authorization process, the application declares the degree of confidence required in the returned identity (For more: read Mobile Connect for Developers). The greater the risk associated with an erroneous authentication, the higher the Level of Assurance recommended.

There are four Levels of Assurance (LoA)

1) Level of Assurance 1 (not supported by Mobile Connect)

2) Level of Assurance 2 (Requires a simple key press)

3) Level of Assurance 3 (Requires a simple key press)

4) Level of Assurance 4 (not supported by Mobile Connect)

For more details, view Level of Assurance (LoA).
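An added example (not from the original post or from GSMA code) of how an application could declare the LoA it requires and then confirm that the returned identity actually met it. It assumes the LoA is requested through the standard OpenID Connect acr_values parameter and comes back in the ID token's acr claim as "2" or "3", and that the token's signature, issuer, audience and expiry have already been verified; the endpoint, client ID and function names are hypothetical.

```python
import secrets
from urllib.parse import urlencode

# From the page: only LoA 2 and LoA 3 are supported by Mobile Connect.
SUPPORTED_LOA = {2, 3}

def build_auth_request(authorize_endpoint, client_id, redirect_uri, required_loa):
    """Return (url, state, nonce) for an OIDC request that asks for required_loa."""
    if required_loa not in SUPPORTED_LOA:
        raise ValueError(f"LoA {required_loa} is not supported")
    state = secrets.token_urlsafe(16)   # binds the callback to this browser session
    nonce = secrets.token_urlsafe(16)   # binds the ID token to this request
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "acr_values": str(required_loa),  # assumption: LoA is carried as "2" or "3"
        "state": state,
        "nonce": nonce,
    }
    return f"{authorize_endpoint}?{urlencode(params)}", state, nonce

def check_assurance(claims, required_loa, expected_nonce):
    """Check already-verified ID token claims; return (accepted, reason)."""
    got_nonce = str(claims.get("nonce", "")).encode()
    if not secrets.compare_digest(got_nonce, expected_nonce.encode()):
        return False, "nonce mismatch"
    try:
        achieved = int(claims["acr"])
    except (KeyError, TypeError, ValueError):
        return False, "acr claim missing or not numeric"
    if achieved < required_loa:
        # The operator authenticated the user, but more weakly than requested.
        return False, f"LoA {achieved} is below required LoA {required_loa}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample values, not a real operator or client.
    url, state, nonce = build_auth_request(
        "https://operator.example/authorize", "client-123",
        "https://app.example/callback", 3)
    print(url)
    print(check_assurance({"acr": "2", "nonce": nonce}, 3, nonce))
```

The check matters because a request for a given LoA does not by itself prove that the returned token was issued at that level; the application has to compare the achieved value against what the transaction requires.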

Mobile Connect Privacy Policy

The Mobile Connect service makes a privacy promise to all users, so that they can be confident that any information they provide to Mobile Connect will only be used for its intended purpose. Service providers can use this promise to build trust in the service. The Mobile Connect service promises:

1) We won't share your mobile phone number

2) We won't disclose personal information with anyone else without your consent.

Mobile Connect Privacy Principles

The Mobile Connect service is one of the fastest-growing authentication systems in the world, and the key to the success of such a service is to ensure that it establishes good privacy policies to foster the trust of users and service providers. The principles given below are intended to ensure that the user's personal information is not handed over to 3rd party service providers. Individuals who use the Mobile Connect service have the right to expect that the service providers who have implemented Mobile Connect have followed the privacy policies given below.

These principles apply to the "Mobile Operators" and the "3rd party service providers" in the provision of Mobile Connect branded identity services under the GSMA's Mobile Connect program.

Principle 1: Openness, Transparency, and Notice

Principle 2: Purpose and Use Limitations

Principle 3: User Choice and Control

Principle 4: Data Minimization and Retention

Principle 5: Data Quality

Principle 6: Respect User Rights – Individual Participation

Principle 7: Security

Principle 8: Education

Principle 9: Children and Adolescents

Principle 10: Accountability and Enforcement

 
