Marie Austenaa, VP and Head of Personal Data & Mobile Identity Programme at GSMA
In April this year, the World Retail Banking Report from Capgemini reported significant improvements for banks’ customer experience. A significant amount of progress can be attributed to the investment that banks have made over the last year to enhance their digital offering.
As digital identity technologies have developed, the financial sector has taken steps to incorporate them into core services that safeguard security and make banking easier. Most major banks now allow customers to check account balances from their mobile phones, often without the need to explicitly authenticate themselves, given the low-value risk.
Yet much more needs to be done before banking can really be described as seamless. A number of services still require account holders to physically visit a bank branch to verify their identity. Anyone who has visited a bank during their lunch break for this reason – and found scores of other people also doing the same – can attest to its inconvenience. The continued use of paper-based identity verification, via passports and driving licenses, also adds delays which are plainly out of step with the increased pace of digitisation in other industries.
Moreover, as more businesses move online, protecting vital data such as financial information has become much more difficult. Online security threats are becoming increasingly prevalent: last year, ‘phishing’ emails and ‘ransomware’ campaigns rose by 55% and 35% respectively, and half a billion personal records were stolen.
The old authentication norm of usernames and passwords is simply no longer secure. Hackers are getting better at cracking passwords or using social engineering to trick members of the public into inadvertently revealing them. And with the ever-increasing number of logins required today, it’s little surprise that 65% of users default to using the same password for various accounts. Multiple passwords are also inconvenient: 37% admit having to reset a password at least once per month due to the sheer number they now have to remember, and 6 out of 10 businesses say this is having an effect on productivity.
The challenge for banks is balancing security with convenience. A secure digital identity solution that enables users to cut down on time lost to banking procedures is essential for the healthy development of financial services. Effective authentication solutions use two factors – typically something the user has, combined with something they know (a PIN or password) or something they are (such as a biometric). Banks have some such solutions in place, but the common model of card readers and PINs is ineffective in practice, as few people want to carry such a device at all times.
This is where mobile authentication comes into play. By eliminating the need for an additional item, and relying instead on one the user has with them anyway – their mobile phone – it offers users the best of both worlds. Possession and control of the mobile phone (as a single factor of authentication) can be combined with a secret (e.g., PIN) or biometrics (e.g., fingerprint). In both cases, the information submitted by the user is verified locally on their mobile phone, mitigating the vulnerability of server-side databases of passwords or fingerprints.
Such an approach is far more secure than the current ‘out-of-band’ authentication mechanisms used by banks, such as One-Time Passwords via SMS or Interactive Voice Response (IVR) solutions, all of which can be easily targeted by malware on the device. Moreover, an operator solution can enhance security by leveraging unique contextual insights derived from the user’s behaviour on the mobile network, providing additional signals for flagging potential fraud.
When banks and operators pool their knowledge and expertise, they are able to create a more secure environment for transactions. In fact, the GSMA has already begun working with a number of operators and service providers to roll out Mobile Connect, an operator-based authentication service which provides a convenient and secure log-in solution with privacy protection. The digital journey in banking has started now in earnest, but there is more work to be done to ensure safe and convenient access to these new digital services.
Gautam Hazari, Technical Director, Personal Data, GSMA
‘Identity’ is a word often used to mean subtly different things. The Oxford English Dictionary defines it succinctly as “The fact of being who or what a person or thing is”; ISO/IEC 29115 prefers the broader “Set of attributes related to an entity”.
Identity, therefore, is not a single characteristic but a set of attributes that vary by relationship. Moreover, the plurality of these relationships can raise the confidence level that the asserted identity is genuine, through corroboration.
In the physical world this is fairly straightforward. A government institution, for example, can attest to the photograph, name and address of a citizen; these can then be corroborated through identity checks conducted by banks or telecommunications providers, who are regulated to ‘know their customers’. Each corroboration raises the confidence level of the attributes associated with a given identity, and hence of the identity itself.
Digital identities need to function in a similar way, but the nature of the digital world makes it much harder.
Source: Peter Steiner’s cartoon, as published in The New Yorker
In particular, some of the key challenges that digital identity faces include:
- Establishing trust in the trustless digital world
- Decentralisation: control and ownership of the identity attributes
- Immutability of the operations related to the digital identity
These requirements are also the fundamental building blocks behind blockchain.
A user’s digital identity can be represented in the blockchain as follows:
Here, the user’s identity starts its journey into the blockchain as a self-asserted block, containing the user’s identity attributes (hashed) and the user’s public key, all signed with the user’s private key. At this stage, the level of confidence in the user’s identity is at base level.
Other entities, such as a bank or electricity provider, with which the user has a relationship, are also represented within the blockchain, with their own sets of hashed attributes and public keys. These entities can establish relationships with the user by signing the particular hashed attributes of the user that are relevant to that relationship. For example, the Passport Office could sign the hashed address, name, and photograph of the subject if the attribute values asserted by the user match those on record at the Passport Office.
As more and more relationships are established for the user within the blockchain, confidence in the accuracy of the attributes – and hence the identity itself – grows organically. In addition, as more transactions take place involving the user (with other users or entities verifying or trusting the hashed attributes of the user), the ‘reputation capital’ of the identity also grows. In other words, confidence in the identity’s accuracy increases, as does confidence in the trustworthiness of the person behind it, based on what they do online – all of which is transparent and visible to anyone via the blockchain.
If any of the relationships between the user and the entities change, the change can be recorded within the blockchain as a separate block with a cryptographically signed timestamp, enabling any new verifier to observe both previous and current relationships in a cryptographically protected sequence.
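A constructed Go sketch of the scheme just described (added here; not GSMA code nor any Mobile Connect implementation): the user builds a self-asserted block of hashed attributes plus their public key and signs it; an entity such as the Passport Office signs a hashed attribute only when it matches its own record; a later verifier corroborates against the block as it stands now. Ed25519, the JSON payload layout and the use of the raw public key as the block ID are assumptions of this example, not the page's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// IdentityBlock is the user's self-asserted block: attribute name -> hex SHA-256 of its
// value, plus the user's public key, all signed with the user's private key.
type IdentityBlock struct {
	Attrs map[string]string
	Pub   ed25519.PublicKey // used as the block's ID here (the page's SHA256+RIPEMD160 step is skipped)
	Sig   []byte            `json:"-"` // excluded from the signed payload
}

// GenKey returns a fresh Ed25519 key pair; a nil reader makes Go use crypto/rand.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) { p, s, _ := ed25519.GenerateKey(nil); return p, s }
func HashAttr(v string) string { h := sha256.Sum256([]byte(v)); return hex.EncodeToString(h[:]) }

// payload is the signed material; json.Marshal sorts map keys, so it is deterministic.
func (b *IdentityBlock) payload() []byte { p, _ := json.Marshal(b); return p }
// attMsg is what an attesting entity signs: the user's key, the attribute name and its hash.
func (b *IdentityBlock) attMsg(attr string) []byte {
	return []byte(hex.EncodeToString(b.Pub) + ":" + attr + ":" + b.Attrs[attr])
}

// NewIdentityBlock hashes the raw attribute values and self-signs the block.
func NewIdentityBlock(raw map[string]string, pub ed25519.PublicKey, priv ed25519.PrivateKey) *IdentityBlock {
	b := &IdentityBlock{Attrs: map[string]string{}, Pub: pub}
	for k, v := range raw {
		b.Attrs[k] = HashAttr(v)
	}
	b.Sig = ed25519.Sign(priv, b.payload())
	return b
}
// Verify checks the user's self-signature; any edit to Attrs or Pub breaks it.
func (b *IdentityBlock) Verify() bool { return ed25519.Verify(b.Pub, b.payload(), b.Sig) }

// Attest: an entity such as the Passport Office signs a hashed attribute only when it
// matches the value on its own record; on a mismatch it returns nil (no attestation).
func Attest(b *IdentityBlock, attr, onRecord string, ePriv ed25519.PrivateKey) []byte {
	if h, ok := b.Attrs[attr]; !ok || h != HashAttr(onRecord) {
		return nil
	}
	return ed25519.Sign(ePriv, b.attMsg(attr))
}
// Corroborated: a later verifier requires the block to still verify and the entity's
// signature to cover the attribute hash exactly as it appears in the block now.
func Corroborated(b *IdentityBlock, attr string, ePub ed25519.PublicKey, sig []byte) bool {
	return b.Verify() && ed25519.Verify(ePub, b.attMsg(attr), sig)
}
```

Because the attestation is bound to the user's key and to the hash as recorded, a changed attribute invalidates both the self-signature and every attestation over it, which is the corroboration property the text relies on.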
Making the blockchain usable for digital identity representation
One critical aspect of any service where users interact is finding the right balance between convenience and security. As Eve Maler once pointed out, “an application with 0% security and 100% functionality is still an application, but an application with 100% security and 0% functionality is useless”.
The block representing a digital identity in the blockchain is identified using the public key associated with the user, and the corresponding private key is the credential that the user needs to keep protected. In a sense, therefore, the public key can be considered equivalent to a user ID and the private key equivalent to a “password” or biometric.
However, a public key is not a convenient “user ID”, and the private key is not something that can be easily remembered (such as a password) or is inherent to the user (such as a biometric). Storing the private key securely so that it can’t be used by others, whilst still being able to use it easily to assert the associated identity, is a real challenge.
A solution is to introduce the concept of a wallet through which the user can self-assert their attributes and manage their public and private keys. This wallet can then be identified through a more convenient user ID (such as the user’s MSISDN) and be unlocked using conventional multi-factor authentication mechanisms. The user can then prove ownership of the private key, and hence confirm their identity.
Mobile Connect is an ideal framework for supporting such wallets, and providing users with a simple means of authenticating their identities in a way which is both convenient and secure.
The combination of Mobile Connect for administering the wallets and blockchain for administering the identity in a decentralised fashion is a perfect solution for providing digital identity in a way that is ‘conveniently secure’ for the user.
In truth, the blockchain ID is derived from the public key using SHA-256 and RIPEMD-160, but for simplicity we will simply call it the public key.
Gautam Hazari, Technical Director, Personal Data, GSMA
The Internet of Things (IoT) will transform a great many facets of daily life. One casualty of this coming change which tends to go unnoticed, however, will be the traditional username-and-password method of online authentication. The advent of the IoT will quickly render that present norm outdated.
The coming proliferation of new connection points, and consequent multiplicity of new security checks, will leave that solution cumbersome; there simply will be too many logins for anyone to remember a username and password for each. A natural replacement is already stepping into the breach: biometric authentication, whereby users verify their identity by presenting a part of their own body such as a fingerprint.
Few can now doubt that biometric authentication is set to expand vastly over the next decade. By 2020, for example, the number of biometric smartphones is expected to increase tenfold to two billion.
Market research shows that consumers anticipate the added convenience biometric solutions can offer in transactions, and want to see their adoption. According to a survey conducted by Visa, more than two thirds of Europeans are interested in using biometric authentication while making payments. The evidence also confirms, however, that consumers do not wholly trust the security credentials of biometric authentication, and prefer to see it integrated with other security measures than as a standalone method of verification.
These are not merely cautious instincts over a nascent technology. Reservations over the safety of biometric authentication are well-founded. At a glance the technology may seem foolproof, resting on such unique and complex personal identifiers as an iris.
However, biometric credentials are not secret. Hackers are already devising ways of obtaining and replicating the information from different sources. For example, fingerprints can be obtained in various ways, and unlike usernames and passwords, when that information is stolen it cannot be changed.
Once the security of biometric data is compromised, it stays compromised; it cannot therefore be relied upon on its own. The security of biometric data can be improved by using it in tokenised form, but as David Emm, principal security researcher at IT security company Kaspersky, puts it, the future of security is in “combining more than one item from something you know, something you have and something you are to verify your identity.”
It is therefore imperative that the sector provide consumers with what they demand: an additional means of authentication to allay security concerns over biometrics, but without the added inconvenience of usernames and passwords.
Mobile Connect does precisely that. It uses possession of the mobile device as the first factor and then lets users verify their identity biometrically as a second factor, so they need no longer concern themselves with details to remember – nor with the potential for stolen data to compromise their accounts. These technologies should not be seen as competitors for the same market; they are natural and effective collaborators in the security landscape of the near future.
There has been a history of doubt over the security credentials of mobile payment solutions. Consumers have generally seen traditional methods such as physical credit cards as ensuring greater safety from fraud, and have been sceptical that mobile payment can offer the same level of protection. At the extreme end of caution, these fears have seen some parts of India favouring cash in up to 90% of online purchases. Western consumers have taken more readily to the technology, but have remained relatively wary.
This may be on the verge of change, however. A new white paper from respected cybersecurity consultancy ISACA argues that mobile payment may, in some crucial respects, now surpass the security potential of alternatives. Chief among its findings is that two developments in identity verification promise the enhanced security necessary to open a new chapter for mobile payment: tokenisation and two-factor authentication (2FA).
Tokenisation allows purchasers to eliminate exposure of their primary account number during transactions, by generating unique identification symbols which cannot be reused outside specific parameters. The ‘token’ is composed of information containing partial identification of the account, together with information relating to the particular transaction, rendering it useless to any intercepting fraudster. 2FA requires not only a username and password, but some form of additional verification information – for instance a code generated by a specific device. 2FA is not itself new, but is rapidly becoming a standard requirement; indeed, the forthcoming European Payment Services Directive (PSD2) will make strong two-factor authentication a regulatory standard across EU member states, in pursuit of the European Digital Single Market.
The emergence of new answers to the old concerns about security comes at a key moment for potential consumer adoption: new market research by Ovum projects an exponential rise in users of mobile payments on the horizon, from 44.55 million in 2014 to 1.09 billion in 2019. This represents a total market value of $142 billion in 2019, nearly triple what it is now. This accelerated uptake is predicted despite ISACA having concluded, only last year, that a mere 23 percent of cybersecurity experts had confidence in mobile payments.
With consumers testing the water in ever-greater numbers, despite their own reservations – and opinion-leaders newly assured of the security situation ahead – this is an auspicious time for Mobile Connect. PSD2 will soon require of mobile payments a feature which Mobile Connect was designed to provide, and which it provides in the most convenient manner possible, by acting through a device billions of people keep on their person as a matter of course. In addition, a market which grows rapidly in the face of security fears can only become more buoyant with added assurances from the most trusted voices in the industry. We very much look forward to seeing the shape it takes next.