Identity and Authentication: challenges and threats

Business Insights
08/06/2022

Each year, the Mobile Ecosystem Forum surveys the level of trust in the digital ecosystem. From the 2021 survey, the top three user concerns are:

  • Being defrauded / losing money – 49%

  • Cybercriminals gaining access to my data – 49%

  • Someone gaining access to my mobile – 47%


Consumers are worried – they have good reason to be. In 2015, global fraud amounted to $3 trillion; by 2025, the figure will be $10.5 trillion from fraud and cybercrime.


A huge weakness in terms of cybersecurity and long-term sustainability of the digital economy is that nobody really knows who we are on the Internet. Digital identity has been an afterthought.


Concern over personal data security and privacy is now a reason to delete an app (37%), avoid installing one (33%) or stop using a service altogether (29%). The level of authentication and security has a clear impact on consumer preferences.


Some of the major issues we are currently seeing include:

  • Device compromise – where a hostile party can take control of a device remotely

  • Smishing – where fraudsters attempt to elicit sensitive personal data, passwords, or banking details through SMS (the most common way to authenticate globally)

  • SIM (Subscriber Identity Module) swapping – where a mobile phone identity is swapped with the intention of taking over an account in order to impersonate the user (e.g. making calls, receiving authorisation codes, etc.)


The 2021 data revealed a clear gap between consumers' expectations and their real experience. The gap for mobile apps and services keeping data secure (versus the expectation) is 27 percentage points; the gap for privacy is 28 percentage points. A gap of this size usually indicates a breaking point in the level of trust between users and a product.


In short, the situation looks serious.


Looking for solutions

We can identify three architectures that are developing and succeeding across the globe that link the individual’s attributes to databases. Interestingly, biometrics are the common thread across all these architectures:


Centralised model – often operated by a government or consortium of financial institutions. In this model, an individual’s information is handled on a centralised database from cradle to grave and has the effect of offering a simplified means of establishing digital identity for a range of services.


Federated model – operating with a series of distributed databases that represent different groupings and where parties can access personal data in one of those databases.


Self-sovereign identity model – which has no centralised database; instead, the individual owns, manages, controls, and issues their personal data.


In practice, we are starting to see the emergence of a new model based on these three models. This could be considered as the establishment of digital credentials.


Two trends stand out. First, there is a pronounced move towards device-based technology, using the hardware device itself to authenticate the user and produce a result, such as face ID or fingerprints. Second, there is the role that the mobile operator can play by using the unique assets of a mobile device and knowledge of the SIM.


The solutions are still widely fragmented though. The level of security required by each action is different, as is the level of acceptable ease of use for authentication or verification. To approve a large bank payment, you might want to use a highly secure system and be happy to wait a few more seconds, but to manage your online game features or change your plane seat you might want something faster, even if it is not as secure.


We are seeing significant growth in approaches that are independent of either mobile device or mobile operator. These can be used when a device may be unavailable, for example, when it is lost or you are out of a coverage area. A mobile identity (as well as other biometrics) would be maintained through a cloud-based interface or another distributed means of authentication.


Looking to the future

The ecosystem is fighting back against the threat of cyberattacks and we will see more of these innovative solutions emerge. There might not be an overall winner, but the co-existence of alternative approaches is now expected.


The good news is that inadequate access control and authentication will be replaced or enhanced by upcoming technologies.


By Dario Betti, CEO, Mobile Ecosystem Forum


ABOUT THE AUTHOR

Dario Betti is CEO of MEF (Mobile Ecosystem Forum), a global trade body established in 2000 and headquartered in the UK with members across the world. As the voice of the mobile ecosystem, it focuses on cross-industry best practices, anti-fraud and monetisation. The Forum provides its members with global and cross-sector platforms for networking, collaboration and advancing industry solutions.


Web: https://mobileecosystemforum.com/
