Identity & Authentication For Mobile Users

Concerns over Personal Data Security and Privacy is now a reason to delete an application for more than a third of consumers; there is a similar level of nervousness surrounding installing apps in the first place.

Each year, the Mobile Ecosystem Forum (MEF) surveys the level of trust in the digital ecosystem, and 2021 data revealed a clear gap between the level of expectations from consumers versus real experience.

In 2015, global fraud amounted to $3trillion dollars. By 2025, the figure will be $10.5trillion from fraud and cybercrime. From the 2021 MEF Survey, the top user concerns are:   

  • Being defrauded / losing money – 49%
  • Cyber criminals gaining access to my data – 49% 
  • Someone gaining access to my mobile – 47% 

Consumers Are Worried.

The thing many people like about the Internet—that we are fundamentally anonymous and equally accepted to share information, that nobody really knows who we are on the Internet—is one of the biggest weaknesses in terms of cybersecurity and long-term sustainability of the digital economy. Digital identity has been an afterthought. 

Globally, we are seeing a clear move away from a distinctly unexceptional user experience and inadequate underlying security. Industry is having to develop new solutions that (a) meet the evolving needs of the user experience and (b) work to mitigate the threats, including:   

  • Device compromisation – where a hostile party can take control of a device remotely.
  • Smishing - when fraudsters attempt to elicit sensitive personal data, passwords, or banking details through SMS (the most common ways to authenticate globally).
  • SIM (Subscriber Identity Modules) swapping - where a mobile phone identity is swapped with the intention of taking over an account in order to impersonate the user (e.g. making calls, receiving authorisation codes etc.).

Three architectures are developing and succeeding across the globe that link the individual’s attributes to databases. Interestingly, biometrics are the common thread across all these architectures:

Centralised model – often operated by a government or consortium of financial institutions. In this model, an individual’s information is handled on a centralised database from cradle to grave and has the effect of offering a simplified means of establishing digital identity for a range of services. 

Federated model – operating with a series of distributed databases that represent different groupings and where parties can access personal data in one of those databases. 

Self-sovereign identity model – which has no centralised database where the individual owns, manages, controls, and issues their personal data.

We are starting to see the emergence of a new model based on these three models. This could be considered as the establishment of digital credentials. An example of this would be an individual’s Covid status. This would allow a person to obtain their signed and verified health credentials which would then be trusted for access to venues or travel. 

Clearly, there are issues around maintaining an individual’s privacy and how authentication fits into the process. Standards are developing that can provide further reassurance. Furthermore, there is the issue of regulation, how liability is distributed in this model of verifiable credentials, and how data is controlled and handled under regulatory requirements such as GDPR.

What is emerging is a pronounced move towards mobile device-based technology and using the hardware device itself to authenticate the user and produce a result, such as face ID or fingerprints.

Mobile operators can play their part by using the unique assets of a mobile device and knowledge of the SIM. One application of leveraging the SIM is ‘Mobile Connect’ which has been very successful in India. Solutions like this could be asking users to confirm a PIN code via their phone SIM. 

The solutions are still widely fragmented though. The level of security required by each action is different, as is the level of acceptable ease of use for authentication or verification. To approve a large bank payment, you might want to use a highly secure system and be happy to wait a few more seconds, but to manage your online game features or change your plane seat you might want something faster, even if it is not as secure.

We are also seeing significant growth in approaches that are independent of either the device or mobile operator. These can be used when a device may be unavailable, for example, when it is lost or you are out of a coverage area. A mobile identity (as well as other biometrics) would be maintained through a cloud-based interface or another distributed means of authentication.

Further efforts need to be made as there are inherent risks with online interactions and the sharing of personal data and the traditional ways of handling these are no longer fit for purpose.


Dario Betti is CEO of Mobile Ecosystem Forum, a global trade body that provides its members with global and cross-sector platforms for networking, collaboration and advancing industry solutions.  

You Might Also Read:

Mobile Cyber Attacks: The Different Facets Of Smartphone Malware:

 

« The Vital Importance Of Pen Testing
The Cyber Delusion Challenge For Small & Medium Businesses »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ON-DEMAND WEBINAR: 2024 and beyond: Top six cloud security trends

ON-DEMAND WEBINAR: 2024 and beyond: Top six cloud security trends

Learn about the top cloud security trends in 2024 and beyond, along with solutions and controls you can implement as part of your security strategy.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Experian

Experian

Experian provide software solutions to help organizations prevent identity fraud and crime.

Conference-Service.com

Conference-Service.com

Conference-Service.com provides a categorised calendar of conferences and events which includes Information Security.

BMS Group

BMS Group

BMS is an independent, employee-owned specialist insurance broking group. Broking solutions include Cyber and Technology.

Sepio Cyber

Sepio Cyber

Sepio is the leading asset risk management platform that operates on asset existence rather than activity.

Valtori

Valtori

Government ICT Centre Valtori provides sector-independent ICT services for the central government, while taking into account the special requirements related to security and preparedness.

Swiss Accreditation Service (SAS)

Swiss Accreditation Service (SAS)

SAS is the national accreditation body for Switzerland. The directory of members provides details of organisations offering certification services for ISO 27001.

National Cybersecurity Student Association (NCSA)

National Cybersecurity Student Association (NCSA)

The National Cybersecurity Student Association is a one-stop-shop to enhance the educational and professional development of cybersecurity students through activities, networking and collaboration.

Identity Defined Security Alliance (IDSA)

Identity Defined Security Alliance (IDSA)

IDSA is a group of identity and security vendors, solution providers and practitioners that acts as an independent source of education and information on identity-centric security strategies.

ProWriters

ProWriters

As a leading cyber insurance company, ProWriters offers flexible Cyber Liability Insurance coverage designed to cover privacy, data, and network exposures.

Axxum Technologies

Axxum Technologies

Axxum Technologies is a premier provider of Network Communications and Information Technology Security Solutions.

Selectron Systems

Selectron Systems

Selectron offers system solutions for automation in rail vehicles and support in dealing with your railway cyber security challenges.

Intrinium

Intrinium

Intrinium is an Information Technology and Security Solutions company, providing comprehensive consulting and managed services to businesses of all sizes.

HacWare

HacWare

HacWare is a data driven cybersecurity awareness product that leverages machine learning and behavior analytics help IT professionals combat phishing.

Trusted Security Solutions (TSS)

Trusted Security Solutions (TSS)

TSS are specialist in IT Security and providing Cybersecurity Solutions & Services combined with storage and backup.

Com Olho

Com Olho

Com Olho provides the measurement, analytics, quality assurance, and fraud protection technologies brands need for their business and customers.

Intigriti

Intigriti

Intigriti helps companies protect themselves from cybercrime. Our community of ethical hackers provides continuous, realistic security testing to protect our customer’s assets and brand.