The Evolution of Identity and Authentication

The wave of digital transformation triggered by the pandemic has changed many organisations quickly: from governments to restaurants, enterprises are now getting digitally ready.

The beauty of the Internet is also its biggest drawback: nobody really knows who you are online. Digital identity has been an afterthought. Today, this is one of the biggest weaknesses in terms of cybersecurity and the long-term sustainability of the digital economy. Things are changing though – and fast.

 

Is my identity secure?

The security of their personal data and identity is now a major concern for consumers. The Mobile Ecosystem Forum surveys yearly the level of trust in the ecosystem. In 2021, data showed a clear gap between the level of expectation from consumers versus the real experience. This size of the gap indicates a breaking point in the level of trust between users and a product.

According to the MEF survey, 49% of people say they are worried about being defrauded and losing money. Criminals accessing their personal data (i.e., identity) is also top at 49%, and access to their mobile (i.e., ability to authorise transactions) is second with 47%. The top users’ concerns, from the 2021 MEF Survey, are shown in the table below.

Concerns over Personal Data Security and Privacy are now reasons to delete an app (37%), avoid installing one (33%), or stop using a service altogether (29%). The level of authentication/security is an element with a clear impact on consumer preferences.

 

Online threats

New risks are continually emerging, and regulation is playing an increasing role in how the ecosystem operates. In 2015, global fraud amounted to $3trn dollars. By 2025, the figure will be $10.5trn from fraud and cybercrime. The implication is that identity and access management to enterprise systems is becoming increasingly critical.

Globally, we are seeing a pronounced move towards an increasing reliance on digital identity and a clear move away from a distinctly unexceptional user experience and inadequate underlying security. The industry is having to develop new solutions that a) meet the evolving needs of the user experience and b) work to mitigate the threats. The use of biometrics is becoming established to link the proxy of a person digitally to the actual individual. They are currently in use by a third of enterprises surveyed.

Solutions based on a mobile device are increasingly important. Over 50% of organisations are now using these in a variety of applications from SMS one-time passwords to more sophisticated approaches involving digital identity proofing, from SIM swaps to mobile digital identity proofing. There is considerable interest from enterprises for further adoption of these services.

 

Major changes expected

We are seeing dramatic changes in the approaches to personal data and authentication. These are driven by the threats we are facing online and by the need to prove and verify who we are. Governments and industries are responding with a series of initiatives and solutions.

After cyber threats, compliance is the second driver whereby enterprises need to adhere to a broad range of organisational and regulatory requirements. Of the 450 enterprises surveyed by MEF globally, around 22% cite compliance as the main driver for the adoption of digital authentication. These compliance requirements can be global, regional, country-specific, and even sectoral.

 

Models for Personal Data and Identity

There are three architectures that are developing and succeeding across the globe that link the individual’s attributes to databases. Biometrics is the common thread:

  • Centralised model – often operated by a government or consortium of financial institutions. In this model, an individual’s information is handled on a centralised database from cradle to grave and has the effect of offering a simplified means of establishing a digital identity for a range of services. An example of this approach is Singapore’s SingPass
  • Federated model – operating with a series of distributed databases that represent different groupings and where parties can access personal data in one of those databases. The European eIDAS system is an example of one federated approach where trusted service providers can issue and deliver digital signatures and identity. Countries adopting this model include Belgium, the Netherlands, and Italy.
  • Self-sovereign identity model – which has no centralised database where the individual owns, manages, controls, and issues their personal data.

In practice, we are starting to see the emergence of a new model based on these three models. This could be considered as the establishment of digital credentials. An example of this would be an individual’s Covid status. This would allow a person to obtain their signed and verified health credentials which would then be trusted for access to venues or travel.

 

The Role of Mobile Solutions

What is emerging is 1) a pronounced move towards device-based technology and using the hardware device itself to authenticate the user and produce a result, such as a face ID or fingerprints, and 2) the role that the mobile operator can play by using the unique assets of a mobile device and knowledge of the SIM. One application of leveraging the SIM is ‘Mobile Connect’ which has been very successful in India. A solution like this could be asking users to confirm a PIN code via their phone/SIM.

The solutions are still widely fragmented though. It should not be surprising that overall, authentication is a fragmented market. The level of security required by each action is different as is the level of acceptable ease of use for authentication or verification. To approve a large bank payment, you might want to use a highly secure system and be happy to wait a few more seconds but to manage your online game features or change your plane seat you might want something faster even if it is not as secure.

Finally, we are seeing significant growth in approaches that are independent of either the device or mobile operator. These can be used when a device may be unavailable, for example, when it is lost or you are out of a coverage area.

 

A look at the future…

The ecosystem is fighting back from the threats of cyberattacks and we will see more of these innovative solutions emerge. There might not be an overall winner, but the co-existence of alternative approaches is now expected. Expect variety.

 

Article written by Dario Betti, CEO of MEF (Mobile Ecosystem Forum)

More
articles