Remember Mobile Signature, a product deployed by Turkcell that we covered in a case study back in May, 2008? Developed by Valimo Wireless, it’s an identity/authentication system that uses a two-sided telecoms business model to reportedly raise messaging ARPU by 20%. It is approaching a major Telco 2.0 growth milestone in that customers on more than one network should be able to use the service, greatly increasing its appeal and usefulness. This article reviews recent progress and outlook, how Mobile Signature works, the total opportunity, and the two-sided principles it embodies.
Mobile Signature uses an application resident on the SIM card and a remote server controlled by the operator to provide two-factor authentication for online or offline transactions. Briefly, when you set it up, it creates a public-private key pair and registers you with the operator’s server. When someone needs to check that you are who you say you are, they call a Web service API, which has the operator send you a challenge. The application asks you to enter a password to unlock the private key, and signs the challenge before returning it; then the transaction goes ahead. Your secret is never transmitted over the network.
This gets round two of the classic problems in cryptography; it’s all very well having a public key and being able to digitally sign a message, but this only proves that someone having that public key signed it, not necessarily that you signed it. Various solutions exist, none of them satisfactory; public-key infrastructures (PKIs) have the keys signed by some sort of issuing authority, whose key signing key is itself signed by some other authority in a hierarchical structure, but this relies on the infrastructure’s existence and that all the authorities in the certificate chain remain trustworthy.
Alternative systems like PGP (Pretty Good Privacy) use a so-called web of trust, in which individual users vouch for each other, but this has an obvious scaling problem - it’s only useful to know that Mr X vouches for the fact that 8EF5T3ZK0 is Mr Y’s key if you know who Mr X is and what his public key is, and the more people Mr X vouches for, the less likely he is to be absolutely certain of each one. On the other hand, it’s necessary for individuals to be vouched for by as many others as possible, or otherwise attackers could conspire to sign each other’s keys as different people.
With Mobile Signature, the key is associated with the operator’s billing record, which should usually mean somewhere they can collect money from you. And for most commercial purposes, this is what you need - the ability to collect on the other guy’s half of the contract, not their identity per se.
The other key crypto problem this solves is the danger of a man-in-the-middle or replay attack, where the attacker poses as one of the parties to the transaction and either intercepts your authentication credentials - PINs, passwords, etc - for later use, or attempts to repeat the log-in at the same time. Mobile Signature handles this by carrying out the authentication on a different communications channel to the original transaction, for example via your mobile phone when the transaction occurs on the Web or through an in-store merchant terminal. So, even getting full control of the user’s PC or the merchant terminal won’t guarantee your ability to steal; either the challenge would come from the wrong person or for the wrong amount, and be refused, or else it would come to the user and give away the fact that someone was trying to use their credit card details.
So what is the business model? For the operator, it’s incremental messaging revenue; in the first deployment, with Turkcell, the identifications were charged at the same rate as text messaging. According to Turkcell, this resulted in an average of 21 extra messages a month for each user who signed up for Mobile Signature; as a typical user sent 95 messages a month, that amounts to a 20% boost to messaging ARPU. Of course, if it was possible to gear the pricing of identity services to the size of the transactions they support, there would be the possibility of truly fascinating margins.
There are many opportunities to apply digital ID/authorisation, providing the service works effectively and the user experience is good. Increasing numbers of customers creates the 'virtuous circle' - more customers, more uses, more value.
It’s therefore critical to get as many customers on board who will accept Mobile Signature as possible; it’s a two-sided market, with the telco acting as the facilitating platform. As such, partnerships are crucial. Turkcell took the sensible option of signing up the banks first, being heavy users of identity/authentication with mass customer bases who face a constant threat from fraud. They stand to reduce fraud losses and reinforce their customers’ confidence in their security; it’s worth pointing out that, as with most two-sided markets, it will be a delicate judgment whether the platform can charge both sides or whether it has to subsidise one side.
In a nutshell, “more customers”. As well as the launch customers, Turkcell and Telefonica, Valimo can now claim TeliaSonera, Telenor Sweden, Elisa, and Mobitel Slovenia as customers, plus a significant IT systems integrator (Tieto) and the Finnish Slot Machine Association. This last may seem a little bathetic, but it’s more serious than that; depending on whether legislation on the status of digital ID passes the Finnish parliament, a national roll-out with all three Finnish GSM networks and a line-up of banks is planned for next year.
This would be the first inter-operator digital ID deployment in the world, and a major milestone in Telco 2.0. It involves inter-carrier cooperation to create a major new platform, transactional VAS for business, and a two-sided business model which sets out to attract the upstream customers first in order to build scale and create the value that will attract the customers on the other side.
And it’s a direct attempt to execute on one of the key capabilities we’ve defined as areas of opportunity for the telecoms industry - identity and authentication, which creates a thin layer of value across a huge area of the economy.
In the 2-Sided Business Models report, we estimated that the market for ID/authentication services in Europe and North America might reach $15bn a year by 2017, based on our analysis of key vertical industries. Interestingly, and tellingly, it seems to be around the fringes of Europe that Valimo’s product is getting traction; perhaps there might be even bigger opportunities in the BRICs?
We're currently working on a new report detailing the most interesting Telco 2.0 Use Cases and Case Studies from around the world (please email firstname.lastname@example.org for more), and this will be a key subject at our events in EMEA in November and the US in December.