Summary: Mobile Authentication could be Telcos’ key asset in the digital economy, but they are in danger of losing out through insufficient action. There are good case studies and an excellent blueprint in the GSMA’s Mobile Connect initiative for how to monetise their assets and stay relevant. So why aren’t they getting on with it? (June 2015, Executive Briefing Service, Dealing with Disruption Stream.)
Below is an extract from this 33 page Telco 2.0 Report that can be downloaded in full in PDF format by members of the Telco 2.0 Executive Briefing Service and Dealing with Disruption Stream here.
For more on any of these services, please email email@example.com / call +44 (0) 207 247 5003.
Authentication is the process of verifying a claim by (or for) an entity to an attribute, identity or unique identifier: it confirms that ‘you are what you claim to be’. The entity might be a human or machine, for example, and a peer in a transaction or the source of some data. This verification is achieved by presenting credential(s) (or ‘authentication information’) that corroborate the claim(s) of the entity.
Clearly, authentication is not a new issue: for thousands of years, societies have learned to cooperate and establish trust in non-digital environments. When an individual presents a credit card (the ‘credential’) for payment in a shop and, in some cases, enters a secret PIN code or signs a receipt (another credential), they are attempting to authenticate their claim that the bank account associated with the card is theirs to use (the ‘attribute’). When a letter is received with a difficult-to-replicate wax seal, this is an attempt to authenticate the origin of the letter. When two members of a secretive group meet for the first time, knowledge of a secret handshake can mutually authenticate their membership of the group.
Nor is it a new issue for STL Partners, either: we began our coverage of authentication, and the broader identity and personal data markets, in 2008 and have regularly provided market-leading research (e.g. Customer Data 2.0: Telcos Must Vie for a slice of the $Multi-Billion ‘PIE’; Personal Data: how to make it a viable, customer-centred industry) and advisory services since then.
What is new, however, is the growing digitisation of our everyday lives. This has driven new contexts for authentication (e.g. logging in to email accounts), new and sometimes more sophisticated methods of authentication (e.g. SMS one-time passwords, public key cryptography), and created entire industries (e.g. digital certification). An example which covers all three of these areas is SSL (Secure Sockets Layer, since superseded by TLS), the technology which establishes secure ‘HTTPS’ connections between servers and browsers: the server proves its identity with a digital certificate issued by a certification authority, and the keys protecting the session are agreed using ‘public key cryptography’, which we return to later.
As we discussed in the recent Executive Briefing ‘Authentication Mechanisms: The Digital Arms Race’, another consequence has been the entrance to the ecosystem of companies not traditionally associated with this space, especially Facebook and Google. Among their many activities in this space is the provision of ‘federated’ authentication and identity services to third-party websites, which essentially allows their users to log in and register using their existing social network credentials. Although usage metrics for these services are not publicly available, anecdotal evidence suggests they are both widely and frequently used. There are clear benefits to each party from using one of these services, such as users needing to remember fewer passwords; online service providers being able to outsource their credential management systems; and Facebook/Google/Twitter collecting more behavioural data for advertising; but, as we will see, there are also clear drawbacks, notably around reach and privacy.
Such user (consumer, citizen or employee) authentication services to remote, digital environments for third-parties (enterprises or governments) are the focus of this report.
Authentication is not a new activity area for mobile operators, either. Most fundamentally, one of the two core purposes of the SIM cards that MNOs issue and manage is precisely that (the other being storage): the SIM holds a secret key shared only with the operator and proves possession of it in a challenge-response exchange each time the handset attaches to the network, which is what makes the SIM an authentication asset in its own right.
Beyond authentication for their own use, MNOs have also been developing commercial propositions around user authentication services. In some cases, their role has been strictly limited to enabling the authentication process, such as the UK MNOs’ support of ValidSoft’s fraud prevention service for financial services. In other cases, MNOs have been providing complete mobile authentication services themselves. Some of these have achieved impressive traction and results (e.g. Swisscom’s Mobile ID, KDDI’s au ID), whilst others have struggled, and there are important lessons here.
Figure 3: countries with active mobile authentication services, May 2014 (map). Source: GSMA, STL Partners
Back in May 2014, the GSMA recognised the shaded countries in Figure 3 as having active mobile authentication services, although some of these offer more than ‘pure’ authentication (e.g. extending towards identity) whilst others have the MNO acting as more of an enabler. Example operators (or service logos where available) are overlaid on the map.
Perhaps the most significant recent development in this space was the GSMA’s announcement of the collaborative ‘Mobile Connect’ initiative in February 2014. Mobile Connect aims to facilitate industry-wide collaboration between MNOs so that they can offer privacy-centric authentication, identity and attribute services to relying parties with single technical and commercial interfaces, thereby maximising their reach (3.9 billion unique mobile subscribers) and therefore the attractiveness of these services to relying parties.
Following successful trials and development of the authentication proposition with a lead group of operators during 2014, Mobile Connect is now beginning to go live: March 2015 saw the official launch of Mobile Connect by 17 operators in 13 countries, with others committed to launch during the remainder of 2015 and 2016. The launch proposition is pure authentication, and leverages operator assets (e.g. the SIM card) to allow the use of mobile phones as authentication devices independently of the service provided and independently of the device used to consume the service.
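As an added illustration of the federated login described above and of the Mobile Connect proposition (this is example code written for this page, not code from the report, the GSMA or any operator), the block below walks through an OpenID Connect login from the relying party’s side: the RP starts a login with a fresh nonce, the identity provider (a social network, or in Mobile Connect the subscriber’s operator) authenticates the user out of band and returns a signed ID token, and the RP validates that token before trusting the ‘sub’ claim. It also shows the privacy property behind the ‘pseudonymous customer reference’ (PCR): the same subscriber gets a stable identifier at one RP but a different one at another, so two RPs cannot join their records. Assumptions: tokens are signed with HS256 under a key the RP already holds (real deployments use RS256 with keys fetched from the provider’s JWKS endpoint); the handset-side step (e.g. a SIM applet prompt) is simulated as always succeeding; the issuer URL, key, salt, client IDs and MSISDN are made up.

```python
"""Toy OpenID Connect login, relying-party view. Added example; all names, keys and
sample values are constructed for illustration (see lead-in for assumptions)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_ISSUER = "https://idp.example.invalid"          # assumed issuer identifier
IDP_KEY = b"demo-only-hs256-key-never-use-in-prod"  # assumed shared signing key
IDP_PCR_SALT = b"operator-internal-pcr-salt"        # assumed provider-side secret


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- identity provider side (operator / social login provider, simulated) ----

def pcr_for(msisdn: str, client_id: str) -> str:
    """Pseudonymous customer reference: a pairwise 'sub' derived from the subscriber's
    MSISDN and the RP's client_id under a provider-side secret. Stable per RP,
    unlinkable across RPs. The derivation itself is an assumption of this example."""
    material = IDP_PCR_SALT + msisdn.encode() + b"|" + client_id.encode()
    return hashlib.sha256(material).hexdigest()[:32]


def sign_id_token(claims: dict) -> str:
    """Mint a compact JWS (header.payload.signature) over the ID token claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(IDP_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def idp_authenticate(msisdn: str, client_id: str, nonce: str, now=None) -> str:
    """Provider authenticates the subscriber on the handset (simulated as success)
    and issues an ID token bound to this RP (aud) and this login attempt (nonce)."""
    now = int(time.time()) if now is None else now
    claims = {"iss": IDP_ISSUER, "sub": pcr_for(msisdn, client_id), "aud": client_id,
              "iat": now, "exp": now + 300, "nonce": nonce}   # 5-minute validity, assumed
    return sign_id_token(claims)


# ---- relying party side ----

class IdTokenError(ValueError):
    """Raised when an ID token must not be accepted."""


def validate_id_token(token: str, client_id: str, expected_nonce: str, now=None) -> dict:
    """Checks an RP must do before trusting 'sub': pinned alg, signature, issuer,
    audience, nonce (replay), expiry. Signature is verified before any claim is
    read so an unauthenticated payload cannot influence a decision."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never honour alg=none
        raise IdTokenError("unexpected alg")
    expected_sig = hmac.new(IDP_KEY, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise IdTokenError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != IDP_ISSUER:
        raise IdTokenError("wrong issuer")
    if claims.get("aud") != client_id:
        raise IdTokenError("token was issued to a different RP")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch: possible replay")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise IdTokenError("token expired")
    return claims


def login(msisdn: str, client_id: str, now=None) -> dict:
    """One complete login: RP picks a fresh nonce, provider authenticates the
    subscriber and returns an ID token, RP validates it and gets the claims."""
    nonce = secrets.token_urlsafe(16)
    token = idp_authenticate(msisdn, client_id, nonce, now)
    return validate_id_token(token, client_id, nonce, now)


if __name__ == "__main__":
    shop = login("+41790000000", "rp-shop")   # constructed sample subscriber and RPs
    bank = login("+41790000000", "rp-bank")
    print("same subscriber, different PCR per RP:", shop["sub"] != bank["sub"])
```

The checks in validate_id_token are the ones that separate a working federated login from a phishable one: without the audience check a token minted for one RP can be replayed at another, without the nonce check a captured token can be replayed at the same RP, and without pinning the algorithm a token carrying alg=none would be accepted on the strength of its own header.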
Whilst MNOs also have other strengths around privacy, customer support capabilities, and more, they have several weaknesses, and the business case for mobile authentication services is not yet clear to most. To clarify the situation, this report covers the following:
The report concludes that now is indeed the time for MNOs to strongly and collectively embrace authentication services. MNOs can be successful in authentication and have an opportunity to directly and indirectly monetise it across three key areas, but this opportunity will not last and there will be few more like it.
Members of the Telco 2.0 Executive Briefing Service and Dealing with Disruption Stream can download the full 33 page report in PDF format here. Non-members, please subscribe here. For other enquiries, please email firstname.lastname@example.org / call +44 (0) 207 247 5003.
Technologies and industry terms referenced include: attributes, authentication, credential, digital certificate, Facebook Anonymous Login, Facebook Login, FIDO Alliance, Google+ Sign-in, GSMA, identity, Mobile Connect, Mobile ID, MSISDN, multi-factor authentication, OpenID Connect, personal data, PKI, privacy, pseudonymous customer reference, public key encryption, relying party, seamless login, SIM applet, SIM-swap fraud, SSL, STK, Swisscom, USSD, X-party authentication.