Identity & Authentication For Mobile Users

Uploaded on 2022-04-22 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Concerns over Personal Data Security and Privacy is now a reason to delete an application for more than a third of consumers; there is a similar level of nervousness surrounding installing apps in the first place.

Each year, the Mobile Ecosystem Forum (MEF) surveys the level of trust in the digital ecosystem, and 2021 data revealed a clear gap between the level of expectations from consumers versus real experience.

In 2015, global fraud amounted to $3trillion dollars. By 2025, the figure will be $10.5trillion from fraud and cybercrime. From the 2021 MEF Survey, the top user concerns are:   

  • Being defrauded / losing money – 49%
  • Cyber criminals gaining access to my data – 49% 
  • Someone gaining access to my mobile – 47% 

Consumers Are Worried.

The thing many people like about the Internet—that we are fundamentally anonymous and equally accepted to share information, that nobody really knows who we are on the Internet—is one of the biggest weaknesses in terms of cybersecurity and long-term sustainability of the digital economy. Digital identity has been an afterthought. 

Globally, we are seeing a clear move away from a distinctly unexceptional user experience and inadequate underlying security. Industry is having to develop new solutions that (a) meet the evolving needs of the user experience and (b) work to mitigate the threats, including:   

  • Device compromisation – where a hostile party can take control of a device remotely.
  • Smishing - when fraudsters attempt to elicit sensitive personal data, passwords, or banking details through SMS (the most common ways to authenticate globally).
  • SIM (Subscriber Identity Modules) swapping - where a mobile phone identity is swapped with the intention of taking over an account in order to impersonate the user (e.g. making calls, receiving authorisation codes etc.).

Three architectures are developing and succeeding across the globe that link the individual’s attributes to databases. Interestingly, biometrics are the common thread across all these architectures:

Centralised model – often operated by a government or consortium of financial institutions. In this model, an individual’s information is handled on a centralised database from cradle to grave and has the effect of offering a simplified means of establishing digital identity for a range of services. 

Federated model – operating with a series of distributed databases that represent different groupings and where parties can access personal data in one of those databases. 

Self-sovereign identity model – which has no centralised database where the individual owns, manages, controls, and issues their personal data.

We are starting to see the emergence of a new model based on these three models. This could be considered as the establishment of digital credentials. An example of this would be an individual’s Covid status. This would allow a person to obtain their signed and verified health credentials which would then be trusted for access to venues or travel. 

Clearly, there are issues around maintaining an individual’s privacy and how authentication fits into the process. Standards are developing that can provide further reassurance. Furthermore, there is the issue of regulation, how liability is distributed in this model of verifiable credentials, and how data is controlled and handled under regulatory requirements such as GDPR.

What is emerging is a pronounced move towards mobile device-based technology and using the hardware device itself to authenticate the user and produce a result, such as face ID or fingerprints.

Mobile operators can play their part by using the unique assets of a mobile device and knowledge of the SIM. One application of leveraging the SIM is ‘Mobile Connect’ which has been very successful in India. Solutions like this could be asking users to confirm a PIN code via their phone SIM. 

The solutions are still widely fragmented though. The level of security required by each action is different, as is the level of acceptable ease of use for authentication or verification. To approve a large bank payment, you might want to use a highly secure system and be happy to wait a few more seconds, but to manage your online game features or change your plane seat you might want something faster, even if it is not as secure.

We are also seeing significant growth in approaches that are independent of either the device or mobile operator. These can be used when a device may be unavailable, for example, when it is lost or you are out of a coverage area. A mobile identity (as well as other biometrics) would be maintained through a cloud-based interface or another distributed means of authentication.

Further efforts need to be made as there are inherent risks with online interactions and the sharing of personal data and the traditional ways of handling these are no longer fit for purpose.


Dario Betti is CEO of Mobile Ecosystem Forum, a global trade body that provides its members with global and cross-sector platforms for networking, collaboration and advancing industry solutions.  

You Might Also Read:

Mobile Cyber Attacks: The Different Facets Of Smartphone Malware:

 

« The Vital Importance Of Pen Testing
The Cyber Delusion Challenge For Small & Medium Businesses »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

ON-DEMAND WEBINAR: Gen AI for Security: Adoption strategies with Amazon Bedrock

Watch this webinar and get a comprehensive roadmap for securely adopting generative AI using Amazon Bedrock, a fully managed service that offers a choice of high-performing foundation models (FMs).

Logpoint

Logpoint

Logpoint is a creator of innovative security platforms to empower security teams in accelerating threat detection, investigation and response with a consolidated tech stack.

Brit

Brit

Brit PLC is a market-leading global specialty insurer and reinsurer, focused on underwriting complex risks including cyber, privacy and technology.

Paramount Computer Systems

Paramount Computer Systems

Paramount is a regional leader in the Middle East for cybersecurity solutions and consulting services.

Pradeo

Pradeo

Pradeo Security offers a complete, automatic and seamless protection to mobile devices and applications, aligned with your organization security policy while preserving business agility.

Calian Group

Calian Group

Calian is a diverse Canadian company offering professional services in areas including Advanced Technologies, Health, Learning and IT & Cyber Solutions.

Fair Isaac Corporation (FICO)

Fair Isaac Corporation (FICO)

FICO provides analytics software and tools used across multiple industries to manage risk, fight fraud, optimize operations and meet strict government regulations.

Polyrize

Polyrize

The Polyrize continuous authorization platform for SaaS and IaaS stops tomorrow's public cloud cyber threats, today.

Charities Security Forum (CSF)

Charities Security Forum (CSF)

The Charities Security Forum is the premier membership group for information security people working for charities and not-for-profits in the UK.

PreEmptive Solutions

PreEmptive Solutions

PreEmptive Protection hit the sweet spot between cost, convenience and functionality by helping you protect and secure your apps in a smarter way.

Bleckwen

Bleckwen

Bleckwen is a proven fraud detection system that helps financial institutions build trust with customers.

SEIRIM

SEIRIM

SEIRIM delivers cybersecurity solutions in Shanghai China specializing in Web Application Security, Network Security for SME's, Vulnerability Management, and serving as Managed Security as a Service.

Terra Quantum

Terra Quantum

Terra Quantum is a deep tech pioneer, developing revolutionary quantum applications to shape the technology of the future.

CYDEF

CYDEF

CYDEF provides comprehensive, state-of-the-art cybersecurity protection that is accessible and affordable to organizations of any size.

Cyber Security Partners (CSP)

Cyber Security Partners (CSP)

Cyber Security Partners specialise in the provision of Cyber Security Consultancy, Data Protection and Certification and Compliance services.

Nullify

Nullify

Nullify is your automated security sentry that continuously finds and fixes security issues across your codebase.

Azerbaijan Cybersecurity Center (ACC)

Azerbaijan Cybersecurity Center (ACC)

Azerbaijan Cybersecurity Center is a state-of-the-art facility to deliver advanced cyber training programs and build the next generation of Azerbaijan’s cybersecurity professionals.