Video and Slides
Session Outline
Is Mobile Identity still an opportunity for telcos?
Jesus Cruz Manjavacas, VAS Development Expert at PLAY
- What indeed is Mobile Identity?
- Which are the security threats and benefits for users and service providers that Mobile Identity could bring?
- The talk will give you a different view about this topic, from a mobile operator perspective. I will show you some production use cases currently used in our Play Identity GW, ending up by talking about the main challenges telcos still face in trying to succeed, and how to monetize it.
Review
It’s great that Jesus is back to present after his excellent presentation last year on Programmable Telecoms inside a Telco.
In this presentation Jesus reviews: Mobile Identity, its Benefits, Play’s Identity GW, some interesting Use Cases, how telcos can Monetize, and the Challenges.
Mobile Identity is not new: Play’s gateway was implemented in 2014, and TeleSign, a first mover in identity verification, was founded in 2005. Today there are lots of mobile identity focused companies such as Prove, TeleSign, TruID, Boku, etc. The potential convergence of mobile identity and cloud identity is a topic discussed in my Programmable Communications Review at TADSummit EMEA Americas 2021.
Mobile Identity is secure online authentication and authorization where the SIM card, and the phone number related to it, is the user ID. Implementing web-centric protocols such as OAuth2/OIDC (Open Authentication Version 2 / OpenID Connect) ensures it’s easy for developers. The GSMA’s Mobile Connect did not gain most developers’ interest as it was designed with telcos, not developers, in mind. The GSMA should use the W3C for its Web related specifications, in my opinion.
Play’s Mobile Identity Gateway has been available since 2014 and implements OAuth2 (https://oauth.net/2/), OpenID Connect (OIDC) (https://openid.net/connect/), and Mobile Connect (GSMA product, https://mobileconnect.io/), with some variations according to an agreement between all Polish MNOs.
Jesus runs through a broad set of use cases, and the sad demise of USSD, which could have done so much. He then focuses on the key question: how do telcos make money? Clearly there’s lots of opportunity given the rising demand for 2FA, as well as many established companies in identity verification.
- It could replace or increase current SMS A2P related revenue, enhancing security. A2P continues to grow, but is deprecated by the US NIST (National Institute of Standards and Technology); presenting secure SMS is an opportunity for carriers.
- Seamless authentication (Number Verify) is a valuable asset for Service Providers
- Mobile Identity enhances services by providing additional user attributes to Service Providers: attributes like SIM swap and other network information such as location, roaming status, etc.
- Additional user info like subscriber scoring related to financial services, fraud risk, etc.
- Partnerships with integrators could attract more Service Providers and generate more successful use cases.
Then, on the challenges, Jesus identifies:
- UX: currently, the higher the security provided, the lower the UX. LoA3 methods (PIN or biometric) require user onboarding, account life cycle and user consent handling.
- Agreement with governments to become an Identity Provider. Mobile ID would be enhanced with official user identity (name, surname, date of birth, etc.).
- Regulations, directives and other acts. To be able to share attributes, explicit user consent is needed. How to engage users to accept such consent?
- eSIM: new use cases and threats
- Integrators, yes or no? Have an integrator build a common SDK, at the cost of losing a piece of the cake?
- More chances to succeed if all MNOs in a given country (or group) implement MobileID
- Is it too late? Here Jesus shows there is business, but given the challenge, a stronger commitment is required.
In my view, Mobile Identity is essential for telcos to implement to protect their customers. There is no choice. For many of the cloud and enterprise opportunities, I think span of control means telcos will struggle to package and sell mobile identity as competitively as the likes of Prove, TeleSign, TruID, Boku, and the many other cloud identity providers. Cooperation between telcos is never fast or easy, and tends to focus on telco standards that the rest of the world does not use. Partnering is going to be an essential part of a telco’s Mobile Identity strategy.
Hi Jesus, thank you for an excellent presentation on Mobile Identity for Telcos. I have some questions:
1) What was the first application of Play’s Mobile Identity Gateway?
2) Why haven’t telcos implemented secure SMS?
3) Why is SMS based 2FA still growing given the security issues and being deprecated by the NIST?
4) What do you use the GSMA’s Mobile Connect for?
5) Poland has shown cooperation between telcos is possible for Mobile Identity. But is it focused only on the GSMA’s Mobile Connect? Do you think telcos will be able to cooperate fast enough to be competitive in mobile identity?
Thank you Alan.
Regarding the first question, in 2014 we launched a simple webphone WebRTC application where you could log in just using your phone number. The access token fetched was used for authorizing calls to our WebSockets API, which allowed calls to be performed.
2) To be honest, I don’t think that the issue is that SMS is not secure; what is not right is to deliver a password for accessing or authorizing transactions by SMS… Maybe the focus should be there. I wonder, if a one-time password were delivered through Facebook Messenger, WhatsApp or even Signal, would it be safer? We have to focus on avoiding SIM SWAP scams.
3) SMS A2P in general is still growing. We see that especially in SME businesses. SMS is the easiest channel for a small business to communicate with their clients. That does not fully answer the question, but part of this traffic is related to OTP as a simple (not secure) way for authorization. Also, UX designers or product owners prefer SMS OTP over other methods we have implemented, so I refer again to the battle UX-security I mention in the presentation.
4) It was created to fulfil requirements from the Polish Ministry of Digital Affairs, providing higher security (LoA3) as an alternative solution for SMS OTP. We are still checking where to apply such LoA3, with a PIN or biometry, in some other services.
5) The technical focus was on a solution based on OpenID Connect. The GSMA specification is based on OIDC, and it is mobile-phone centric, so we based ours on that, but we were open to modifications, or even adding, for instance, a back-channel spec not from the GSMA (the same happened in other countries; specs from the GSMA are not necessarily chosen).
Integrators can help get telcos together, or at least unify APIs from their side by building SDKs. Even though telcos are not the ‘Usain Bolt’ in terms of innovation, I believe that MobileID products could still be a thing, and could help service providers improve security in their services, as well as providing users with proper security and UX.
Jesus – great presentation and summary. This is exactly what we (Trusona) are working on here in Europe (mainly in France and UK so far). We are working with telcos and the resellers of Mobile Connect and the CPaaS vendors to stitch together an end-to-end service that includes all the comms options (SMS, push, QR scan etc.) but moving the majority (where possible) to WebAuthn. We have also deployed this into the voice channel to replace knowledge-based authentication. I would love to chat.
Thanks, we’ll set up a meeting shortly to have a chat.