Identity & Authentication For Mobile Users

Uploaded on 2022-04-22 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Concerns over Personal Data Security and Privacy is now a reason to delete an application for more than a third of consumers; there is a similar level of nervousness surrounding installing apps in the first place.

Each year, the Mobile Ecosystem Forum (MEF) surveys the level of trust in the digital ecosystem, and 2021 data revealed a clear gap between the level of expectations from consumers versus real experience.

In 2015, global fraud amounted to $3trillion dollars. By 2025, the figure will be $10.5trillion from fraud and cybercrime. From the 2021 MEF Survey, the top user concerns are:   

  • Being defrauded / losing money – 49%
  • Cyber criminals gaining access to my data – 49% 
  • Someone gaining access to my mobile – 47% 

Consumers Are Worried.

The thing many people like about the Internet—that we are fundamentally anonymous and equally accepted to share information, that nobody really knows who we are on the Internet—is one of the biggest weaknesses in terms of cybersecurity and long-term sustainability of the digital economy. Digital identity has been an afterthought. 

Globally, we are seeing a clear move away from a distinctly unexceptional user experience and inadequate underlying security. Industry is having to develop new solutions that (a) meet the evolving needs of the user experience and (b) work to mitigate the threats, including:   

  • Device compromisation – where a hostile party can take control of a device remotely.
  • Smishing - when fraudsters attempt to elicit sensitive personal data, passwords, or banking details through SMS (the most common ways to authenticate globally).
  • SIM (Subscriber Identity Modules) swapping - where a mobile phone identity is swapped with the intention of taking over an account in order to impersonate the user (e.g. making calls, receiving authorisation codes etc.).

Three architectures are developing and succeeding across the globe that link the individual’s attributes to databases. Interestingly, biometrics are the common thread across all these architectures:

Centralised model – often operated by a government or consortium of financial institutions. In this model, an individual’s information is handled on a centralised database from cradle to grave and has the effect of offering a simplified means of establishing digital identity for a range of services. 

Federated model – operating with a series of distributed databases that represent different groupings and where parties can access personal data in one of those databases. 

Self-sovereign identity model – which has no centralised database where the individual owns, manages, controls, and issues their personal data.

We are starting to see the emergence of a new model based on these three models. This could be considered as the establishment of digital credentials. An example of this would be an individual’s Covid status. This would allow a person to obtain their signed and verified health credentials which would then be trusted for access to venues or travel. 

Clearly, there are issues around maintaining an individual’s privacy and how authentication fits into the process. Standards are developing that can provide further reassurance. Furthermore, there is the issue of regulation, how liability is distributed in this model of verifiable credentials, and how data is controlled and handled under regulatory requirements such as GDPR.

What is emerging is a pronounced move towards mobile device-based technology and using the hardware device itself to authenticate the user and produce a result, such as face ID or fingerprints.

Mobile operators can play their part by using the unique assets of a mobile device and knowledge of the SIM. One application of leveraging the SIM is ‘Mobile Connect’ which has been very successful in India. Solutions like this could be asking users to confirm a PIN code via their phone SIM. 

The solutions are still widely fragmented though. The level of security required by each action is different, as is the level of acceptable ease of use for authentication or verification. To approve a large bank payment, you might want to use a highly secure system and be happy to wait a few more seconds, but to manage your online game features or change your plane seat you might want something faster, even if it is not as secure.

We are also seeing significant growth in approaches that are independent of either the device or mobile operator. These can be used when a device may be unavailable, for example, when it is lost or you are out of a coverage area. A mobile identity (as well as other biometrics) would be maintained through a cloud-based interface or another distributed means of authentication.

Further efforts need to be made as there are inherent risks with online interactions and the sharing of personal data and the traditional ways of handling these are no longer fit for purpose.


Dario Betti is CEO of Mobile Ecosystem Forum, a global trade body that provides its members with global and cross-sector platforms for networking, collaboration and advancing industry solutions.  

You Might Also Read:

Mobile Cyber Attacks: The Different Facets Of Smartphone Malware:

 

« The Vital Importance Of Pen Testing
The Cyber Delusion Challenge For Small & Medium Businesses »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Block Armour

Block Armour

Block Armour is a Mumbai and Singapore based venture focused on harnessing emerging technologies to counter growing Cybersecurity challenges in bold new ways.

CSIRT-IE

CSIRT-IE

CSIRT-IE is the body within the NCSC that provides assistance to constituents in responding to cyber security incidents at a national level for Ireland.

Communications Authority of Kenya

Communications Authority of Kenya

The Authority is responsible for facilitating the development of the information and communications sectors including; broadcasting, telecommunications, electronic commerce and cybersecurity.

Haventec

Haventec

Haventec’s internationally patented technologies reduce cyber risk and enable pervasive trust services with a decentralised approach to authentication.

Ockam

Ockam

Ockam gives you the tools you need to establish an architecture for trust within your connected device applications.

International Cybersecurity Institute (ICSI)

International Cybersecurity Institute (ICSI)

ICSI is a UK company offering specialized and accredited professional qualifications in cybersecurity for young IT graduates as well as mature professionals.

NeuroChain

NeuroChain

NeuroChain is an intelligent ecosystem that is more secure, more reliable and much faster than blockchain.

VariQ

VariQ

VariQ is a premier provider of Cybersecurity, Software Development and Cloud services to federal, state, and local government.

Seadot Cybersecurity

Seadot Cybersecurity

Seadot offer cybersecurity services to organizations with a high demand for regulatory compliance and security.

SecOps Group

SecOps Group

SecOps Group is a boutique cybersecurity consultancy helping enterprises identify & eliminate security risks on a continuous basis.

Phriendly Phishing

Phriendly Phishing

Phriendly Phishing offers phishing awareness training programs designed to ward off potential security threats and minimise the impact of cyber attacks.

ASRC Federal

ASRC Federal

ASRC Federal’s mission is to help federal civilian, intelligence and defense agencies achieve successful outcomes and elevate their mission performance.

Nagomi Security

Nagomi Security

Nagomi is changing the way security teams balance risk and defense, empowering customers to focus on what matters now.

Velstadt Cybersecurity

Velstadt Cybersecurity

Velstadt's team of experienced professionals works on identifying vulnerabilities, analyzing threats, and developing strategies to ensure the highest level of security.

Verosint

Verosint

Verosint (formerly 443ID) provides real-time account fraud prevention that reveals fraudsters hiding in user accounts and proactively blocks them before their attacks can cause harm.

ClamAV

ClamAV

ClamAV is an open-source (GPL) anti-virus engine used in a variety of situations, including email and web scanning, and endpoint security.