I recently tried to explain to you what Mobile Connect is. If you missed the fundamentals and wish to learn the basics I recommend you peek into this blog article. Now that we’ve covered the fundamentals, we can move to the more interesting topic – the actual benefits of this initiative and technology.
Participants
There are three distinct participants in a typical Mobile Connect scenario. The difference between typical online authentication with an application password and Mobile Connect is that the identity (and therefore the authentication) comes from a trusted third party, the mobile network operator.
- The end-user who is trying to access a web-based application and is in possession of a Mobile Connect-enabled mobile device and subscription (phone number).
- The application itself (or using other terms – relying party or service provider).
- The trusted third party, the mobile network operator.
The User
Do you have a bank-issued token for generating one-time passwords? Have you noticed that it’s always in the wrong place? Are you reusing your passwords across multiple sites? Have you noticed the news about hackers gleaning access credentials from one breach and using them to penetrate accounts in other services? Have you tried to use the eID card issued to you by your local government and become frustrated with card reader issues, not to mention the fact that in practice you can only use it at home? Have you emptied your browser cache and found out that you’ve forgotten the password to half of the sites you visit infrequently, and all of a sudden you’re in password reset hell?
Mobile Connect is convenient to the user. For the end user this is probably the biggest advantage. The authentication device is the mobile device. People forget their wallets and leave them at home more often than they forget their mobile phone. It travels easily. It works globally. The Mobile Connect specification supports different types of authentication options from simply clicking “ok” to biometrics + PKI. It can utilize the SIM card for feature phones, or you can have an app in your phone.
The convenience and security work for the service provider as well. If a visitor can register easily and use their mobile phone for authentication when they return, the result will be higher conversions and more frequent returning customers.
Another big benefit for the user is the global and federative nature. A Mobile Connect user can log in to online services on the other side of the globe with the identity issued to them by their home operator. This is especially useful when using large multinational sites, or when you are travelling and wish to use local services.
The Application (Service Provider)
Online service providers should move away from passwords. This has been clear for a long time. As Mobile Connect is a global and federative method of authenticating a user, it is the best option to complement the password method in your online services for end user authentication. Compared to e.g. Google, Facebook, or other widespread social media identities, the online service can put a lot more trust in the actual identity behind the authentication, as the identity and possible attributes come from the mobile network operator based on the subscription information. It is also very privacy oriented, following the “privacy by design” principle on which e.g. the new General Data Protection Regulation is based.
One of the key issues with online services is conversion – how to turn a random visitor into a customer. One of the biggest reasons for high abandonment rates is the registration requirement. GSMA, which is responsible for the Mobile Connect standard, is introducing a new product called Mobile Connect SignUp. This would allow a visitor to register easily with online services by simply using their phone number – the required attributes such as name, address etc. would come automatically from the operator and be delivered to the online service, with specific and active user consent complying with e.g. GDPR requirements.
The user credentials are stored in the phone. Not in the service provider databases and not in the mobile network operator repositories. In this way we move towards the so-called gunpoint security – meaning that in order for the criminal to steal your identity they have to hold a gun pointed at you saying “Could you be so kind and hand your mobile phone over to me? … And your PIN code please? And if you have nothing better to do, would you accompany me to my lair where we can do bad deeds online, because I do need your fingerprint. I’ll buy you a beer afterwards – with your money of course.”
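The three-party flow from the Participants section, and the point just made that the service provider ends up holding no credential at all, as an added Python simulation. This is not code from the original post, from GSMA or from any Mobile Connect vendor; it assumes the OpenID Connect-style authorization code flow that Mobile Connect builds on, and the gateway URL, client id, shared secret, subscriber number and the HMAC-signed token standing in for a real ID token signature are all constructed for the example. The relying party accepts a login only when the token is signed by the operator it trusts, addressed to it, unexpired and bound to the login attempt it started; what it stores afterwards is a pairwise identifier, never a password.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample values: one relying party registered with one operator identity gateway.
RP_CLIENT_ID = "example-shop"
RP_CLIENT_SECRET = b"constructed-shared-secret"    # handed out at RP registration, stands in for real key material
ISSUER = "https://idgw.operator.example"           # hypothetical operator identity gateway


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, secret: bytes) -> str:
    """Compact JWS-style token with an HMAC-SHA256 signature (stand-in for the ID token)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


class OperatorGateway:
    """Trusted third party: the subscriber approves on their handset, the gateway issues a signed token.
    The PIN or biometric is checked on the device and never leaves it."""

    def __init__(self, issuer: str, clients: dict):
        self.issuer = issuer
        self.clients = clients   # client_id -> shared secret
        self.pending = {}        # one-time authorization code -> (client_id, msisdn, nonce)

    def authorize(self, client_id, msisdn, nonce, device_approves):
        # Simulated device step: "click OK", PIN or biometric on the phone.
        if client_id not in self.clients or not device_approves:
            return None
        code = secrets.token_urlsafe(16)
        self.pending[code] = (client_id, msisdn, nonce)
        return code

    def token(self, client_id, code):
        entry = self.pending.pop(code, None)          # code is single-use
        if entry is None or entry[0] != client_id:
            return None
        _, msisdn, nonce = entry
        # Pairwise pseudonymous subject: the RP does not see the phone number itself.
        sub = hashlib.sha256(f"{client_id}|{msisdn}".encode()).hexdigest()
        now = int(time.time())
        claims = {"iss": self.issuer, "aud": client_id, "sub": sub, "nonce": nonce,
                  "iat": now, "exp": now + 300}
        return sign(claims, self.clients[client_id])


class RelyingParty:
    """The online service: stores no password, only the operator-asserted pairwise identifier."""

    def __init__(self, client_id, secret, trusted_issuer):
        self.client_id = client_id
        self.secret = secret
        self.trusted_issuer = trusted_issuer
        self.accounts = {}       # sub -> account record, no credential in it
        self.sessions = {}       # nonce -> outstanding login attempt

    def start_login(self):
        nonce = secrets.token_urlsafe(12)
        self.sessions[nonce] = True
        return nonce

    def verify(self, id_token):
        """Return the subject if the token is from the trusted operator and bound to a login we started."""
        try:
            header, body, sig = id_token.split(".")
            expected = hmac.new(self.secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64url_decode(sig)):
                return None                           # forged or tampered token
            claims = json.loads(b64url_decode(body))
        except ValueError:                            # malformed token, bad base64 or bad JSON
            return None
        if claims.get("iss") != self.trusted_issuer or claims.get("aud") != self.client_id:
            return None                               # wrong issuer or not meant for us
        if claims.get("exp", 0) <= int(time.time()) or not claims.get("sub"):
            return None
        if not self.sessions.pop(claims.get("nonce"), False):
            return None                               # replayed or unsolicited token
        self.accounts.setdefault(claims["sub"], {"first_seen": claims.get("iat")})
        return claims["sub"]


def demo_login(device_approves=True):
    gw = OperatorGateway(ISSUER, {RP_CLIENT_ID: RP_CLIENT_SECRET})
    rp = RelyingParty(RP_CLIENT_ID, RP_CLIENT_SECRET, ISSUER)
    nonce = rp.start_login()                                                     # 1. user picks Mobile Connect login
    code = gw.authorize(RP_CLIENT_ID, "+358401234567", nonce, device_approves)   # 2. prompt on the handset
    if code is None:
        return None
    token = gw.token(RP_CLIENT_ID, code)                                         # 3. RP redeems the code
    return rp.verify(token)                                                      # 4. RP checks sig, iss, aud, exp, nonce
```

Run `demo_login()` to get the pairwise subject for a successful login and `demo_login(False)` to see a declined prompt yield no session. The checks in `verify` are the ones that make the third-party trust safe to rely on: a token from another issuer, a token addressed to a different client, a replayed token or one with a modified body is rejected before any account is touched, and the account record that does get created contains nothing an attacker could reuse elsewhere.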
The Mobile Network Operator
Identity is an asset. Vetted identity attributes are valuable for online services. Mobile Connect is a toolbox with which the mobile network operator can commercialize these assets. Authentication services can be sold to online services. Attributes can be part of helping online services better convert visitors (e.g. Mobile Connect SignUp). In countries (e.g. UK, Canada, US) without a unified (digital) government-issued attribute such as social security number, these verified attributes become very important.
The identity is tied to the subscription. This will increase the loyalty and reduce churn.
The Edge
When everything is running smoothly in a closed system you can just sit back, relax and watch the bank account fill up. This is not the case for Mobile Connect. You have to consider cases where something changes. People lose their phones, change operators, change numbers etc. When the identity resides on the mobile device and is tied to the subscription, these edge cases need to be taken care of to ensure a smooth customer experience.
What if the online service provider wishes to buy authentication services from the mobile network operator, but wants to use other protocols and methods on top of Mobile Connect? When selecting an identity gateway product, the mobile network operator should confirm that the gateway supports the relevant web-based authentication and federation protocols, as well as possible IoT scenarios where devices act as services but cannot be updated to include the Mobile Connect protocol because they use something else, like OAuth.
Deployment
The party responsible for deploying Mobile Connect will be the mobile network operator, as it provides the access to the subscriber. Surprisingly, we’ve already seen cases where extremely competitive markets have decided to collaborate on Mobile Connect. Typically, this is on a country basis, where all major operators have decided to create a country hub for Mobile Connect. This is a very good alternative, as it then covers not just a single operator in a single market place, but the whole subscriber base in the country. A recommended approach in these situations is to build the deployment as a managed service.
Still, many existing Mobile Connect deployments happen on a per-operator basis and use an on-premise deployment model. Some operators have gone so far as to develop their own Mobile Connect solution. For commercial Mobile Connect solutions, take a look at the GSMA list of Mobile Connect vendors here.
The third option is something called the Mobile Connect Accelerator (MCX). This is basically a turn-key solution for the operator, delivered from the cloud. The MCX vendors have gone through the GSMA requirement specification in order to become official MCX partners of GSMA. Ubisecure did that just a while ago.
About The Author: Petteri Ihalainen