Let’s talk about digital identity with Niklas Bergvall, Chair of the Mobile Connect Interest Group at GSMA.

In episode 16, Niklas fills us in on how mobile operators around the world have joined forces to build a standard for strong authentication and other services to help protect our digital identity – Mobile Connect.

[Scroll down for transcript]

“It may be that you and I, and some of the listeners of the podcast, are interested in identity. For the rest of the world its a necessary evil.”

Niklas and Oscar discuss Mobile Connect (a mobile identity-based service), its proven global use cases (such as China Mobile), why digital identity became a strategic priority for GSMA and the unique insights of MNOs to improve digital identity.

Niklas Bergvall

Niklas Bergvall

Niklas Bergvall, Chair of the Mobile Connect Interest Group at GSMA, leads the international Mobile Connect community developing and commercialising new identity capabilities using Mobile Connect. The Mobile Connect community engages over 70 mobile operators in over 30 countries, countless service providers, reaching over half a billion people worldwide.

With over 20 years of experience in the mobile ecosystem, Niklas has an exceptional understanding of the key challenges being faced when launching products and services internationally. Prior to the GSMA, Niklas launched and managed a number of global business-to-business products and services in various roles at Vodafone, Oxford Instruments and Europolitan.

Find Niklas on LinkedIn.

Find out more about GSMA at www.gsma.com and Mobile Connect at www.gsma.com/identity/mobile-connect.

Ubisecure also has a useful blog on ‘What is Mobile Connect?‘ – check it out here: https://www.ubisecure.com/mobile-connect/what-is-mobile-connect/ – and an overview page on the Mobile Connect solution – read it here: https://www.ubisecure.com/mobile-connect-telecom/.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Let's Talk About Digital Identity
Ubisecure

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

 

[Podcast transcript]

[Intro] Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host Oscar Santolalla.

Oscar Santolalla: Hello and thanks for joining. Today we are going to hear how mobile operators around the world have joined forces to build a standard which brings not only strong authentication but also other services that help us to protect our digital identity.

So my guest today is Niklas Bergvall. He is Chair of the Mobile Connect Interest Group at GSMA. He leads the international Mobile Connect community developing and commercialising new identity capabilities using Mobile Connect. The Mobile Connect community engages over 70 mobile operators in over 30 countries, countless service providers, reaching over half a billion people worldwide.

With over 20 years of experience in the mobile ecosystem, Niklas has an exceptional understanding of the key challenges being faced when launching products and services internationally. Prior to the GSMA, Niklas launched and managed a number of global business-to-business products and services in various roles at Vodafone, Oxford Instruments and Europolitan.

Hi, Niklas.

Niklas Bergvall: Hi, Oscar. Very nice to be here on this podcast and thank you for inviting me to talk a little bit more about the identity and Mobile Connect specifically.

Oscar: Thanks to you. It’s really great talking with you. We really want to know more about how Mobile Connect is doing right now, what are the things coming during this New Year and ahead. But first, I would like to hear from you, how did you join, or your journey to come to, this world of digital identity?

Niklas: From the GSMA, it was really looking at our members. And our members’ networks as you know really underpin and have drive the– of the digital economy and its associated services. I mean as we see these services bring new challenges for businesses to protect customer identities and customer data which is both complex and costly. So, that was really the background to digital identity becoming a strategic priority for the GSMA Board a while back. We believe then and we still do that network operators have unique insights and unique capabilities that can be brought about to make digital identity better.

If we go from a journey where we started thinking about this to today where we have more than 4.5 billion internet users globally, accessing services, transacting personal data and money, the digital identity market is estimated to reach a value of something like 30 Billion US dollars by 2024, in five– just four years time. So it’s clearly an opportunity for lots of organisations, not least for network operators and other GSMA members.

Oscar: When Mobile Connect was created and how this originated?

Niklas: And so, I mean if you look at the history, GSMA identity program and its participating operator partners started working together about five years ago to deliver Mobile Connect, a mobile identity-based service which works by matching users with their mobile phone numbers. And we really started with this notion, digital identity is really important. At the moment, we are not doing enough there so let’s start by building a standard that we can corral together as an industry. It now offers a wide range of practical use cases such as being able to easily register and login to websites and apps, to authorising transactions and sharing specific set of personal data with online services.

Over the years, for example, mobile operators here in the UK, where I’m now based, offer attribute-based identity services to some of the biggest financial mergers in the countries like American Express or HSBC. In the US, this autumn we saw mobile operators launched ZenKey to allow users to login into their apps with their smartphone. Also, in other countries such as Russia, India, Spain and Germany, mobile operators have all come together, working together to bring identity services to the ecosystem.

So that’s really where we started, we looked at that there is a strategic opportunity, we then created some standards around this and specification, which is Mobile Connect. And then over the years we see in adoption and so the manifestation or those strategies were being put into place and can be of great use to the ecosystem.

Oscar: Yes, as you already started mentioning there are several use cases and today different use cases have been implemented/deployed in different countries. Coming a little bit back on the concept itself, how would you describe Mobile Connect to an end user, to an individual?

Niklas: For an end user, if you look at some of the authentication services, and what service providers and end users are struggling with is the need to manage risk or prevent the wrong person to get hold of data or transact on your behalf, as well as create a simple and nice experience for you as a user, friction free is often mentioned. And if we look for instance, China Mobile, they are using a service from Mobile Connect called Verified MSISDN Share. Basically, China Mobile shares the MSISDN with the service provider of the devices connected to the service provider. And the SP then uses that MSISDN, that phone number, as an identifier to give access to the correct user account.

In this case, the user doesn’t really see Mobile Connect at all. All they are seeing is that they are being logged in and they get hold of the right data, and obviously they also take confidence that this data is not being given to someone else. But there you have a fiction free experience and we’ve seen some tremendous numbers in this over the last two years. China Mobile have grown transactions per day with over 800% and they’re now doing 1.1 billion daily transaction, powering an ecosystem in China with over 300 commercial partners, enabling over- secure authentication on over 3,000 applications including 82 of the top 200 apps and 6 out of the 10 top applications. So, clearly, great use for the ecosystem partners, great service from China Mobile. But as an end user, you don’t really see it or experience that this is Mobile Connect, all you’re seeing is that you’re being simply logged in.

In other countries, when you look at the authentication services, you might see a SIM applet, for instance the operators in Spain have launched a new click OK to login and so forth. So there it’s the clear user experience and it’s clear that there’s an authentication service called Mobile Connect provided by the operator.

Oscar:  And now that you mentioned this in Spain, I have seen that one in Spain so it’s very, very simple. It’s no password so that’s one of the biggest benefits, authentication without passwords.

Niklas: Absolutely. Authentication without passwords and it’s really coming to what are we trying and what is everyone working really hard in the ecosystem, to create friction free journeys that allow for you to place the trust in service provider, to trust them with your data, with your money or whatever it is that you’re transacting as an end user.

Oscar: Yeah, exactly. I can see a huge potential because mobile operators are big, you know the exact numbers but a huge number of billions of people already have a mobile subscription, something that many people don’t have like a bank account for instance, but they have a mobile subscription. And in this mobile subscription, the operator already has verified their identity, the personal identity and has some personal information that helps to do these services like strong authentication based on verified identity or the other services you mentioned – the one in China, for instance. Could you tell us now, how is the adoption worldwide nowadays, let’s say in terms of countries or continents, what would you say?

Niklas: So, at the moment, the numbers we’re tracking, we got about 70 mobile network operators that have implemented Mobile Connect residing in approximately 40 markets. Obviously, they’re at various stages in let’s say, maturity, a number of success stories are emerging. And I think there are a number of factors that are driving how quickly the operators are able to march in their individual market.

And one of the key things we’ve noted within the GSMA in order for these types of solution to really get traction in a particular market, it’s important for the operators, typically you would have three, four mobile operators in a country that also operators are working together so that for a service provider you were able to authenticate the entire user base in a consistent manner – otherwise it’s much harder to really drive adoption and a lot of usage.

Oscar: Is that a requirement, let’s say, if one mobile operator in one country wants to start using Mobile Connect, it’s a requirement that all the other operators in the country have to also use Mobile Connect or make agreements?

Niklas: No, I wouldn’t say it’s a requirement as such, but we see that typically in markets where you have, let’s say, competition between operators and they are about equal size, it helps if they are working in concert. Maybe not all of them have to launch on the same day but it there’s a roadmap to get to let’s say 60%, 70% of the users in that market up to a mobile authentication solution or an attribute service or something that helps to really create that marketplace.

But we have outliers like for instance Turkcell have been very successful with their Fast Connect implementation, Fast Login, based on Mobile Connect. And they are now processing transaction of well over 30 million per month. They are doing that across the ecosystem and they’ve opened it up for service providers. Turkcell as well, they are a very strong operator with outspoken ambition to become more than a mobile operator and a digital service provider. They have music services and digital services and so forth where they are using their Fast Login service as well, obviously driving transaction, training users and therefore creating more value for other service providers to take after Fast Login solution.

Oscar: Yeah. Sure. I understand that. It’s not required that all the operators have to agree to implement Mobile Connect. But yeah, I understand that it’s in their best interest of one operator that also some of the other operators at least also implement it, at least are in the roadmap. So the ecosystem, the market is significant in that country.

So, I would like to hear now more a bit more in detail some concrete examples in some countries how some operators in one country have implemented some other services, and how others in different countries, different service of Mobile Connect.

Niklas: OK. I mean I think I’ve already referenced China Mobile. I think that really something to pause for thought. The fact that a service such as Verified MSISDN Share can get up to 1.1 billion daily transactions and the growth that they’ve had 800% over the last two years to get to that stage and still growing. It just shows this need for friction free and secured user journeys. And what we’re seeing now that the European operators across a number of countries are looking to enable those types of services. And we can talk a little bit about what’s going to happen next later, but I think that’s a key success I think for just to proving the case for Mobile Connect.

I think another thing that’s very, very interesting and topical in Europe today and it relates to strong customer authentication and PSD2, some regulation that the European Union is driving in the financial services space where a number of banks now were looking at how can we harden or improve on SMS OTP. And that was then the UK operators have launched the service called Account Takeover Protection or ATP. In this service they share information when the lost SIM swap happen on that particular MSISDN so if you received a new SIM card basically.

Why is this important? I think across a number of countries not only in Europe but across the world, fraudsters through social engineering are tricking mobile operators to handout a SIM card to them and obviously with that SIM card and other information they are now able to transact on someone’s bank account and with the new SIM card they can then connect the SMS OTP and transfer money for that user illegitimately. Obviously for the bank to find out what the date of the lost SIM swap gives them an indication, is this high risk transaction or is it low risk transaction for that type of account takeover.

And the UK, we’re seeing promising signs and there and as I said the European operators are now looking to roll that type of attribute service out across the continent. And this in combination with the service that China Mobile has sold out Verified MSISDN Share or match those two services together, it can really I’d say tighten up on secure authentication when you’re looking at some ways to replace or harden SMS OTP.

Oscar: About the one in UK that you just mentioned this Mobile Connect, Account Takeover Protection, so who offer to whom? So, for instance, the operator offers this service to the financial institutions that is the…

Niklas: Yes. So, I mean the way you look at the ecosystem, obviously the banks are large enough to buy directly from the operators in the UK but typically they would go through some type of channel partner, not talking specifically about this solution or any particular bank but in the Mobile Connect Interest Group, we’ve got companies such as Payfone, Boku, BICS Telesign, Infobip who are all working to aggregate this type of attribute services from all operators and then as a single point provide this to a financial institution. And that’s typically what we’re seeing happening here in the UK in terms of how the banks and the financial services particularly is considering these services from the operators. It’s very similar to the messaging and how SMS is being consumed by banks for SMS OTP.

Oscar: Correct. Yes, other countries for instance?

Niklas: On the authentication side, I also touched on Turkcell before and I think that is really a case in just showing how an operator is saying you know, we want to be more than an operator and drive, let’s say, become a digital service player and that identity has a place in our strategy to become just that.

Another example I think again, I think I’ll come back to the UK, but Three here integrated with Boku to offer some fraud prevention capabilities to service providers such as MoneyGram, a money transfer service. And in this case, new customers that register to MoneyGram will check the information such as name and address with the records that the mobile operator Three has on file for that number. And this kind of case study has shown that the KYC data helped MoneyGram to comply with their own KYC regulations and prove identity with the customers. And at the same time, it proves the case for mobile attributes for Three.

Oscar: And in the case of using Mobile Connect for authentication you mentioned Turkcell as it seems to be one of the best implementations for Mobile Connect for authentication. In that case, is it because Turkey doesn’t have strong authentication methods or there are others competing in that country? So, how is the scenario in strong authentication in Turkey and how Turkcell found this niche?

Niklas: If you want to take that of users or consumers to start using your authentication service, it’s so important to have the services that are of interest to those consumers. And Turkcell working hard to become a digital service provider and having all of those services, music and TV and so forth, they were able to quickly connect their identity efforts with great services which users and consumers wanted to consume and needed to authenticate to consume. So they had that they– since they act as a service provider themselves and an identity provider and an operator, they had all of that in-house and then they were also able to attract external service providers to use their authentication service.

I think in some countries where you’re launching an operator identity service and the only thing that you’re being able to authenticate against is the operator’s internal portal for services, as an end user, as a consumer, you don’t go in often enough there to really warrant your learning and using in earnest a new authentication solution, so it’s much harder. And without consumers being trained to authenticate, it’s also much harder to attract service providers to add your authentication solution as one of the ways that they allow their consumers to authenticate on their sites.

Oscar: Yes. Yes. And now it’s clear at least to me that in the case of Turkcell, they invested a lot in creating services because that is what people really want are their buying services and they added the identity as part of the portfolio. So definitely a very good example.

Niklas: Yeah, I think you know Oscar, it may be that you and I and you know some of the listeners of this podcast, they are interested in identity. For most of the world, it’s just the necessary evil to get to the service you want to access and also to protect your data. But it’s not something that you just try out or play with. You simply just accept it’s there and you want it to be easy and reasonable.

Oscar: Yeah, exactly. Most of the people are not trying, “OK, let’s try the 10 coolest authentication methods, right?” Nobody does that. People are trying apps. I guess a few guys will do it but not many. Yeah, that’s correct. Many people are trying all the time new services, new apps. That’s what majority people are doing. That’s true. It’s an excellent observation you have done.

What about for service providers who might be listening to these, organisations who are using some authentication methods, some strong, some not so strong, but might consider using Mobile Connect now they are listening to us. How in concrete organisations can benefit with having Mobile Connect as an authentication method?

Niklas: It really comes down to the chain of digital experience that you’re looking to create for your users and consumers. And what’s getting in the way of making those experiences amazing at the moment, and since we’re talking about Mobile Connect particularly when it comes to logging in and using and protecting the services and the data in there. So, I think you know I highlighted it with at least some of the success cases and examples. What some service providers have found really appealing with operator in network data is that services can be designed with little or no impact to the user experience as well as reduce the risk of fraud. So you have an ability to reduce friction and reduce the risk of fraudulent access to services. I think that’s really something to consider.

I mean in Europe now, we’re seeing a momentum amongst all of the operators across the continent to either launch or they are in the process or launching identity services such as a Verified MSISDN and ATP.

Again, just to make sure that it’s clear a Verified MSISDN, that’s a service provider request, operates to match the mobile number associated with the IP address of the SP’s users, the mobile number that the SP has on file. And once you have that matches an SP, you can then say, “Now, I know this user is browsing into my portal and can open up the services without the user having to do something.” So this can be used as the single authentication or it can used alongside the usual, or let’s say authentication ways that you have already put in place such as a password and username.

And you know ATP again to get the information of when the last SIM change took place to be able to assess the risk that this mobile number might have been taken over by a fraudster and then have a slightly different journey if you believe there might be a risk for that.

The ones who are in Europe, I would it’s worthwhile to discuss with your operators or potentially a channel partner such as Boku, Payfone, IDEMIA, Callsign and BICS Telesign about what are the new attributes that are coming out here that we should potentially be considering in the digital markets.

For your listeners in the US, who’re looking at this, you know these top services are Verified MSISDN and KYC and then Account Takeover Protection have been available in the States for some time. And I would now believe that you will be able to access similar type of services from them as here in Europe so that means that you can bring over some of those learnings and experiences created for emerging users over to Europe.

Oscar: And now, as you mentioned, how’s– not only the operators are the ones who offer these services because they are distributors, could you tell me what is the best way if someone is from some country where Mobile Connect is less developed where the operator is already working in that, may have some service but it’s difficult to find out about that. So what is the best way if maybe you are a service provider in a country where you haven’t heard so much about Mobile Connect? The best way is to contact to the operator or whom to contact?

Niklas: You can contact operators if you have a contact. If you are already using let’s say SMS services and you’re buying it from someone there, the channel partners, that is probably a quicker route to get access. Typically, where we’re seeing the operators, this kind of resides either in their business unit for corporate services or it resides in carrier services and either way it can be slightly difficult for a service provider to find the right contact and a lot of the operators are using channel partners and I mentioned a few of them – Payfone, Infobip, Boku and BICS and Telesign. They are probably the ones that are already selling SMS and other messaging services to you today so this could be where you need to extend that relationship and consume a little bit more from those players.

However, if you do end up not finding the right contact, you’re always welcome to browse into GSMA and you’ll find us there under Mobile Connect GSMA or Identity GSMA and you can send us a message and we’ll do our best to connect it to the relevant players in the countries where you have interest.

Oscar: All right. Yeah, thanks for that clarification. Yeah. But it make sense, the channel partners such as the one who provide SMS services or message services are of course, most likely good channels to find more information about Mobile Connect in every country. So, if you like to say something else about Mobile Connect…

Niklas: Well, I think you know it’s always worth plugging a little bit the Mobile Connect Interest Group that you introduced in the beginning of this call which I chair. And basically, it’s a forum which is open for all GSMA members, operators as well as associate members, to basically share, collaborate and learn about what the community is doing about in identity. We run our online collaboration, we have monthly calls and we organise two summits every year. So for those who are members in the GSMA feel free to contact us and join the group.

Oscar: OK, excellent. Niklas, now could you finally give us a tip for anybody, how to protect our digital identities?

Niklas: The rule that I tried to live by is never to pick up unsolicited messages. If it’s not being initiated by myself, I simply don’t engage. That’s helped me to protect my identity so far, so that’s something that I would always encourage my family members and others to abide by.

Oscar: Yeah, I would be very suspicious about any unsolicited message whatever the channel it comes.

Niklas: Exactly Oscar. And do you have final questions, final thoughts?

Oscar: No, I think it has been very, very educational, the many things about Mobile Connect that I didn’t know and I know it’s interesting to share with us, with our audience. It’s a standard Ubisecure has been working together also for a few years. And yeah, I think they like to see how things are being implemented in other continents. So yeah, thanks a lot for sharing this with us. Could you finally tell us how we can find even more information about Mobile Connect?

Niklas: Yes. And thanks again Oscar for inviting us to talk about identity. I’ve really enjoyed our conversation. So, if you want to find out more about Mobile Connect and the identity efforts that the GSMA is driving, please put this in any search engine “GSMA identity” or “GSMA Mobile Connect” and you’ll find our pages, there you’ll contact details and a bit more information about our programme and how we work. And don’t be a stranger. Feel free to get in touch. We love to hear from the community and to help drive the digital identity agenda.

Oscar: Excellent. Well, thanks a lot Niklas for this every interesting conversation, for sharing everything that’s going on in Mobile Connect. And I wish you all the best.

Niklas: Thank you.

[Outro] Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]