Imagine Dr Evil patting his cat, squinting his eyes, saying "Let's turn one hundred thousand people into our minions" and ending it with a megalomaniac laugh. But Number 2 is not impressed, coughs into his hand and says "We can reach hundreds of millions of users already!" Dr Evil has been away too long – he's not aware that through a single technology he could reach that many online users.
What is Mobile Connect?
The Mobile Connect Working Group, under the personal data program of GSMA, has been promoting a federated identity solution for mobile network operators for a while. The idea is simple. Offer exactly the same user experience for the online user no matter which service they use and authenticate them using their mobile device. Even better, users on the other side of the world using a local service can be authenticated thanks to the federative nature of the technology.
To avoid the traditional chicken-and-egg problem, mobile network operators around the world are now piloting Mobile Connect or launching it commercially for their subscribers. This approach quickly puts a convenient and easy-to-use authentication method into the hands of hundreds of millions of people. They can authenticate themselves to online services with their most beloved gadget, their phone. No more new passwords, no more clunky one-time-password generators getting lost, or batteries dying out.
Too good to be true? Yes and no. There's a potential for Mobile Connect to really disrupt the market for authentication. The basic idea is solid and easy enough for anyone to grasp. The mobile network operators are interested in deploying Mobile Connect authenticators to their subscribers and they are willing to "lean forward". The authenticators are smartphone apps, SIM applications, or other methods with which the end user can utilize their mobile device as an authentication token. By leaning forward, I mean that the success of the initiative depends on the online service providers and their willingness to adopt an easy-to-use, federated, and secure method of customer authentication.
Thousands of online services utilize Facebook, Google, or other social identities to enable easy registration and authentication for their sites. For us end users, it's easy if we happen to have a social media account and are willing to share our profile with the service. This has become the norm, but there are problems with this. I don't like to share my profile with online services too eagerly. What if Facebook decides to change their policies and hand over everything I've written and posted to third parties? They've done funny stuff in the past. Personally, I'm not too worried about that. It just feels uncomfortable and I think quite a few fellow online users share this sentiment. The other challenge that bugs me personally is the wholesale tracking. I don't need to see constant car adverts on my Facebook feed after I've visited a website for used cars.
Not all of us have social media accounts, but there are quite a few more mobile subscriptions in the world than there are social media accounts, and Mobile Connect also works with older phones. You don't have to have the latest iPhone or Android device to be able to benefit from Mobile Connect. For the online service providers, Mobile Connect can bring a whole lot more to the table when talking about identifying your users. It might not be as straightforward or as easy as social identities, as you have to dig out your phone, but this is a minor issue.
Mobile Connect technology assures trust
A bigger issue is the concept called level of assurance. Depending on where you look (or Google), around 10% of Facebook accounts are bogus or fake. With the number of Facebook accounts, that's a huge number. An online service provider can trust a social media identity only so far. Mobile Connect identities, however, provide better assurance for the online service provider. The specifications of Mobile Connect list assurance levels from 1 to 4. The higher the number, the stronger the authentication. So, Level of Assurance (LOA) 3-4 will provide online service providers some seriously strong authentication, for example in the form of mobile PKI, where the signing keys are stored in the Secure Element (SIM).
Authentication is only one part of the benefit. The other part is that in most cases these identities have been appropriately vetted at some point. Post-paid schemes, pre-paid with automatic top-up, etc. involve credit cards, and in some countries you can't even get a pre-paid subscription without some form of identity verification at the point of sale, let alone a post-paid subscription.
Mobile Connect helps reduce risk and improve sales
Our online identity is defined through attributes. A phone number is one of those attributes, but there's more. Our mobile network operator accounts have a ton of other useful attributes that can, for example, help fight fraud. Attributes are useful, not only to the service providers, but also for us end users. Registering for an online service is much easier if we approve the sending of these attributes to the service. In the best-case scenario, the whole registration process can be automated, and as it's tied to the Mobile Connect identity, we can decouple the link any time we want (GSMA is taking privacy and consent management seriously). But best of all – we don't have to create and remember yet another new password. The 70% cart abandonment rate in online commerce could be reduced with the help of something like Mobile Connect.
Mobile Connect is one protocol amongst others. To enable "Bring Your Own Identity" your online service should support not just Mobile Connect, but also other authentication and federation standards.
You can also visit us at the Mobile World Congress in Barcelona, 22-25 February, at our stand 7J12 and see a live demo of Mobile Connect and how to use biometric authentication for online sites.