Identity & Authentication For Mobile Users

Concerns over personal data security and privacy are now a reason to delete an application for more than a third of consumers; there is a similar level of nervousness surrounding installing apps in the first place.

Each year, the Mobile Ecosystem Forum (MEF) surveys the level of trust in the digital ecosystem, and 2021 data revealed a clear gap between consumers' expectations and their real experience.

In 2015, global fraud amounted to $3 trillion. By 2025, the figure will be $10.5 trillion from fraud and cybercrime. From the 2021 MEF Survey, the top user concerns are:

  • Being defrauded / losing money – 49%
  • Cyber criminals gaining access to my data – 49% 
  • Someone gaining access to my mobile – 47% 

Consumers Are Worried.

The thing many people like about the Internet—that we are fundamentally anonymous and equally accepted to share information, that nobody really knows who we are on the Internet—is one of the biggest weaknesses in terms of cybersecurity and long-term sustainability of the digital economy. Digital identity has been an afterthought. 

Globally, we are seeing a clear move away from a distinctly unexceptional user experience and inadequate underlying security. Industry is having to develop new solutions that (a) meet the evolving needs of the user experience and (b) work to mitigate the threats, including:   

  • Device compromise – where a hostile party can take control of a device remotely.
  • Smishing – when fraudsters attempt to elicit sensitive personal data, passwords, or banking details through SMS (the most common way to authenticate globally).
  • SIM (Subscriber Identity Module) swapping – where a mobile phone identity is swapped with the intention of taking over an account in order to impersonate the user (e.g. making calls, receiving authorisation codes etc.).

Three architectures are developing and succeeding across the globe that link the individual’s attributes to databases. Interestingly, biometrics are the common thread across all these architectures:

Centralised model – often operated by a government or consortium of financial institutions. In this model, an individual’s information is handled on a centralised database from cradle to grave and has the effect of offering a simplified means of establishing digital identity for a range of services. 

Federated model – operating with a series of distributed databases that represent different groupings and where parties can access personal data in one of those databases. 

Self-sovereign identity model – which has no centralised database where the individual owns, manages, controls, and issues their personal data.

We are starting to see the emergence of a new model based on these three models. This could be considered as the establishment of digital credentials. An example of this would be an individual’s Covid status. This would allow a person to obtain their signed and verified health credentials which would then be trusted for access to venues or travel. 

Clearly, there are issues around maintaining an individual’s privacy and how authentication fits into the process. Standards are developing that can provide further reassurance. Furthermore, there is the issue of regulation, how liability is distributed in this model of verifiable credentials, and how data is controlled and handled under regulatory requirements such as GDPR.

What is emerging is a pronounced move towards mobile device-based technology and using the hardware device itself to authenticate the user and produce a result, such as face ID or fingerprints.

Mobile operators can play their part by using the unique assets of a mobile device and knowledge of the SIM. One application that leverages the SIM is ‘Mobile Connect’, which has been very successful in India. Solutions like this could ask users to confirm a PIN code via their phone SIM.

The solutions are still widely fragmented though. The level of security required by each action is different, as is the level of acceptable ease of use for authentication or verification. To approve a large bank payment, you might want to use a highly secure system and be happy to wait a few more seconds, but to manage your online game features or change your plane seat you might want something faster, even if it is not as secure.

We are also seeing significant growth in approaches that are independent of either the device or mobile operator. These can be used when a device may be unavailable, for example, when it is lost or you are out of a coverage area. A mobile identity (as well as other biometrics) would be maintained through a cloud-based interface or another distributed means of authentication.

Further efforts need to be made, as there are inherent risks with online interactions and the sharing of personal data, and the traditional ways of handling these are no longer fit for purpose.


Dario Betti is CEO of Mobile Ecosystem Forum, a global trade body that provides its members with global and cross-sector platforms for networking, collaboration and advancing industry solutions.  
