Trust touches on so much of what we do with our connected devices. Can we trust the companies we are giving our data to? Can those companies trust that we are who we say we are? Can we trust the individuals we interact with online, especially with the rise of peer-to-peer platforms like Airbnb? Mobile technology has connected us together, but we lack the ability to trust these connections.
There is an opportunity for mobile operators to own digital identity. But to do so they need to be careful—they cannot rely on the technology that makes them unique.
Mobile’s identity crisis
Getting identity and authentication right is vital. A paper-based enrollment system is useless for a mobile-only bank. Multifactor authentication will protect your customers, unless it drives them away thanks to an awful SMS- or hardware-based system that demands they type in a generated six-digit code every time they need access.
Digital identity and mobile authentication can help solve these issues, and there’s an opportunity for whatever industry wants to be a part of this. In Norway the banking sector cooperated to create Bank ID that fixes some of these issues. There’s no reason why mobile operators cannot be part of the solution. High mobile penetration means operators have a relationship with almost every potential customer.
Unfortunately, mobile industry solutions focus on the SIM card. SIM cards are ubiquitous — every mobile device has one. They are also secure and, crucially, they are only accessible by the operators, meaning they get to stay relevant and ‘in-control’.
Operators have essentially lost many of the battles they have fought against “over-the-top” providers like Hulu and Netflix to provide services to their customers. This has relegated operators to a mere “dumb pipe”. So digital identity is a timely and viable opportunity to put their hardware at the centre of solving a vital issue, using a part of the smartphone that only they have access to, right?
Wrong. This is a mistake. Operators, if they want to stand a chance, need to fight this battle instead in mobile app ecosystems. If they don’t, they will lose like before.
Abandoning the higher ground
The capabilities of a SIM card is by its nature limited. This is for good reason. Every connected device requires a SIM card, and even a small additional cost to this piece of hardware will multiply into something unsustainable. There is also the problem of interoperability. A SIM-card based authentication system may work well, but it will only work well for the operator that creates it. Any business that adopts it will only be providing access to its users of that particular network.
It’s also limited in the features it can access. Smartphones have a wide array of sensors that can help authenticate someone — cameras for facial recognition, fingerprint sensors, GPS for location, even accelerometers can help — and SIM-based authentication just can’t make use of these. The best authentication practices will make use of a number of these sensors to provide access depending on the risk of the transaction.
And while the security of the SIM card itself may be excellent, that does not extend to the security of SIM-based authentication. One-time password solutions — usually an SMS — are insecure and highly susceptible to “man in the middle” attacks.
Authentication that opens customers up to fraud will inevitably result in lost customers. Operators must have an opportunity to take a lead in digital identity, but they will squander it with SIM-based solutions. They need to instead compete on a more level playing field by creating or partnering with app-based solutions that use the full capabilities of modern smart devices. This does mean abandoning what seems like a big advantage — it’s actually the only way to stay relevant in this space.