[Article] Introducing Mobile Connect with WSO2 Identity Server
By Keet Sugathadasa
- 22 May, 2017
Online privacy and security is the biggest threat to sustainable digital growth. Today, authenticating a user is a very tricky process given the risks posed by many authentication mechanisms to the service provider as well as to the user. Service providers with large user stores tend to move their security aspects into identity providers (IDPs) leaving the safety and convenience of the user stores and the authentication process in the hands of the IDP. WSO2 Identity Server is one of the leading identity providers available in the market that supports a massive number of protocols and authentication mechanisms proven to be useful and convenient. Apart from the traditional username and password authentication approach, multi-factor authentications with higher security features are also available in the WSO2 Identity Server.
What is Mobile Connect?
Mobile connect is a mobile operator facilitated authentication solution that provides simple, secure, and convenient access to online services. It’s the convenient alternative to passwords that protect customer privacy. This concept, introduced by the GSMA Association, provides a global and secure authentication platform by combining the user's unique mobile number and PIN to verify and authenticate the user, anywhere anytime. It allows swift logins without the need to type usernames or passwords.
Why Mobile Connect?
In a world driven by technology, the mobile device has connected with the most number of users around the globe, connecting people from rural areas to the greater metropolis of the world. Consumers around the world are increasingly using mobile devices to access a wide range of online services while banks, government organizations, hospitals and merchants are adopting a “Mobile First” approach to the design and delivery of services. Over time, consumers around the world expect the mobile device to play a vital role in their lives with many of their daily activities being performed by the mobile device itself.
The 21st century is a digital era with cyber attacks becoming extremely common and rampant; many organizations are still concerned on how secure their systems and products are. The levels of security needed for data and information provided today have made access to these resources unavailable without proper registration with the resource provider. Therefore, it becomes mandatory for users to ‘sign up’ with the system, which means users have to remember numerous usernames and passwords. What if we had a simple and secure mechanism to carry out the authentication process without much hassle, in just seconds? Why can't we take advantage of having a mobile device as a sensible and secure way of authentication?
Since many people are becoming more reliant on digital services, consumers are vary of maintaining multiple usernames and passwords and also the use of a variety of security tokens. The mechanism of access and concerns about privacy implications of sharing personal data online to mostly unknown parties is yet another frustration. Today, both consumers and service providers look for a better authentication and identification solution, and mobile connect can be described as a universal authentication solution.
For service providers
Service providers seek more convenient and faster solutions for authentication and identification as it plays a vital role in securing a strong customer base within the system. Failing to adhere to these usability aspects will prompt users to drop and seek alternatives that are more user friendly. Due to this competitive industry and technology driven world, the service providers seek the following three main aspects for their systems, which are also provided by GSMA Mobile Connect without any hassle. Service providers are interested in Mobile Connect’s Potential to
- Accelerate and ease verification and authentication to make it easier to interact with consumers.
- Reduce friction (e.g. dropped logins, abandoned shopping carts) to increase registration and engagement.
- Enable access to operator’s subscriber attributes (regardless of their operator) to provide better and more secure services.
Research shows that most consumers would likely adopt Mobile Connect as their primary mode of log-in for most online services, applications, and websites. According to research done by GSMA, almost 90% of 1,000 smartphone users around the world were attracted to Mobile Connect’s three main functionalities.
- Universal log-in for multiple websites
- Strong security
- Control over personal data
Studies show that online services, websites, banks, and government agencies are eyeing widespread deployment of Mobile Connect to check attributes that can be indicators of fraud, such as individuals’ locations, while at the same time increasing end-user experience.
Consumer research statistics
By reducing the need for remembering the number of usernames and passwords, Mobile Connect eliminates the frustration of the end user, which drives more repeat businesses and ensures less abandoned transactions
The following statistics (as depicted in Figure 1) were obtained by "GSMA’s 2015 Consumer Research" which is related to use perspective on Cyber Security. From the overall number of users
- 87% would prefer just one strong password to remember
- 86% have left websites when asked to register or sign-up
- 86% are concerned about security when online
- 88% want reduced risk of identity theft and credit card fraud
- 81% don't feel that they are getting much value from their personal data as third-parties do
- 68% are more likely to return to a site that remembers them without a username or a password
This gives a much stronger argument as to why Mobile Connect will dominate the digital authentication industry in the near future.
How Mobile Connect works
The given sequence in Figure 2 depicts the mobile connect flow, from signup/login to the complete authentication in just 4 steps. The authentication process is carried out through your mobile device rather than your personal information.
- Step 1: Click on the "Sign up" or "Log in" button
- Step 2: Enter your mobile number (optional)
- Step 3: Confirm your authentication via the mobile device (USSD, SMS, etc.)
- Step 4: Login process is complete
This is where the user will be selecting an authentication mechanism that will best suit the user’s authentication needs. Without loss of generality, assume that the user picks Mobile Connect to proceed with the authentication to the service. This will let the service provider know that the Mobile Connect authentication process has been initiated and the service provider will trigger the necessary APIs to carry out the required processes.
If the user is using a network connection that’s not based on a mobile network operator, such as GPRS, 3G or 4G, the user will be prompted to enter the mobile number in order to connect the authentication process with the user’s mobile device. If the user is using a mobile device with a network connection provided by a mobile network operator, Mobile Connect will automatically identify the user’s mobile number and will proceed with the authentication process.
The only mode of user interaction in the authentication process is where the user will have to accept the login request sent to the mobile device by Mobile Connect servers. If the user is using the mobile device for this purpose, the authentication will happen seamlessly without the user’s interaction, which makes the proc
ess much more convenient and user friendly.
Following completion of the above steps, the user will be successfully logged into the online service, where the user’s privacy and convenience is fully assured.
Concepts of Mobile Connect
Mobile Connect assures three main concepts to the users that are briefly explained below:
Trusted operators will expose their APIs, supporting OpenID connect with the Mobile Connect Profile specified by the GSMA.
This is a consistent log in experience to all providers across any device. It could be a mobile device, laptop, tab6let or even a TV.
The GSMA has all license needs to comply with the privacy policies of each trusted operator. No personal data will be share
Mobile Connect facilitated mobile network operators
All operators listed below have signed up and agreed to a set of Standard Terms & Conditions for the Mobile Connect service. Mobile Connect is a global service and the following list gives you the name, country, and mobile connect status of each mobile network operator. If you wish to integrate Mobile Connect into your system for your own convenience, take a look at the mobile network operators that already provide this service.
- Live = service available now
- Pilot = will launch shortly
- Coming soon = date to be confirmed
|Bangladesh||Asia and the Middle East||Grameenphone||Live|
|Robi Axiata Limited||Live|
|India||Asia and the Middle East||Aircel India||Live|
|Indonesia||Asia and the Middle East||Indosat Ooredoo||Coming soon|
|Malaysia||Asia and the Middle East||Digi||Live|
|Myanmar||Asia and the Middle East||Ooredoo||Coming soon|
|Pakistan||Asia and the Middle East||Mobilink||Live|
|Philippines||Asia and the Middle East||Globe Telecom, Inc||Live|
|Vodafone Spain||Coming Soon|
|Sri Lanka||Asia and the Middle East||Dialog Axiata PLC||Live|
|Thailand||Asia and the Middle East||AIS||Live|
|Turkey||Asia and the Middle East||TURKCELL||Live|
Social media vs. Mobile Connect authentication
After crunching all the numbers and information, you must be wondering, how is this different from social media federated authenticators. In most web services and service providers, "Log in with Social Media" plays a major role.
The collaboration and sharing made possible by Web 2.0 also come with a specific set of risks in terms of privacy. Social networking sites are user hubs, where it’s meant for collecting a set of users to one place. And this is like the jackpot for attackers where they can use the information to earn a lot of return on investment if they are going after the social media users.
Many social media users do not think of this concept where their privacy is being dragged to a money-making business by many applications and service providers. The reason for social media being a free service to users and the ability for other applications to connect to social media networks via user permission is to gain insights and knowledge of a user’s day to day activities to cater to different needs of the user. Scientists and philosophers still argue on this fact where even though it is a privacy implication for the user, the modern world is driven by the data and patterns of user activity throughout the world.
Mobile Connect is a powerful tool that can be used to move us all away from using social media as an easier way to log in, where social media authentication is tagged along with a lot of unnecessary risks. Even though social networks can eliminate the need for passwords, there is no assurance that this information is secure. But with Mobile Connect and its privacy policies, empowered by GSMA, no information is available to service providers without the user's consent, making logging in and signing up much safer and private.
How safe is Mobile Connect?
With the typical username and password schemes, or social media authentication schemes, there is a high risk and danger of losing your privacy if an attacker can discover or guess the password of the user. There are many ways that the attackers might use to gain access to accounts. Brute force attacks, SQL injection, session hijacking, browser cookies, are some examples among others. In the case of social media, access to one social media account may expose all other accounts via social media login.
However, with Mobile Connect, users use their unique mobile number (MSISDN) and mobile device to prove their identity. Since a mobile device is considered to be a single-user device, the user who’s in possession of the device is the only person who can log in to the service through Mobile Connect.
What happens if the mobile device is stolen?
In this scenario, the user always has the option of calling the respective mobile network operator and reporting that the mobile device is lost or stolen. To avoid unnecessary parties from accessing your private accounts via the stolen device, we can either cancel the sim card or the mobile connect facility of the mobile number.
Can the security level be increased in Mobile Connect?
The levels of security in each application is different from its environment and the purpose of use. For example, a bank or an e-payment site would need a higher level of security than an ordinary information system. Considering these possibilities, Mobile Connect provides the developer with options of selecting a level of Security, which is also known as the Level of Assurance (LoA).
LoA describes the degree of confidence in various security processes including authentication (according to the ISO/IEC 29115 Standard). It provides assurance that the entity claiming a particular identity is the entity to which that identity was assigned.
During the Mobile Connect Authorization process, the application declares the degree of confidence required in the returned identity (for more read Mobile Connect for Developers). The greater the risk associated with an erroneous authentication, the higher the LoA recommended.
There are four LoAs
- Level of Assurance 1 (not supported by Mobile Connect)
- Level of Assurance 2 (Requires a simple key press)
- Level of Assurance 3 (Requires a simple key press + pin)
- Level of Assurance 4 (not supported by Mobile Connect)
For more details view Level of Assurance (LoA)
The Mobile Connect service does a privacy promise to all users to have confidence in the fact that any information that the user provides to Mobile Connect will only be used for its intended purpose. The service providers can use this promise to build trust in the service. The Mobile Connect service promises
- We won't share your mobile phone number
- We won’t disclose personal information with anyone else without your consent.
Mobile Connect privacy principles
Mobile Connect service is one of the fastest and growing authentication systems in the world and the key to success of such a service is to ensure that it establishes good privacy policies to foster the trust of users and service providers. The principles given below are intended to enforce the use of personal information of the user not being rendered to third-party service providers. Individuals who use the Mobile Connect service have the right to expect that the service providers who have implemented Mobile Connect have followed the privacy policies given below.
These principles apply to the "Mobile Operators" and the "third-party service providers" in the provision of Mobile Connect branded identity services under GSMA's Mobile Connect program.
- Principle 1: Openness, Transparency and Notice
- Principle 2: Purpose and Use Limitations
- Principle 3: User Choice and Control
- Principle 4: Data Minimization and Retention
- Principle 5: Data Quality
- Principle 6: Respect User Rights – Individual Participation
- Principle 7: Security
- Principle 8: Education
- Principle 9: Children and Adolescents
- Principle 10: Accountability and Enforcement
Use Case 1: Peter using Mobile Connect to log in to his online services
Peter is a businessman who gets very stressed trying to manage his digital life. He has got so many things to do online and the way he authenticates himself is not convenient at all. After accessing his company network, he also has to fill in his tax return and manage his bank accounts, as well as log in to his favourite websites and buy items from e-merchants. With all these activities, he has to remember dozens of different usernames and passwords, and he’s also anxious about his privacy online as he doesn’t trust where his personal information is being stored. This is a nightmare.
There’s a solution that enables him to securely access all his online services with a unique login system. It’s a universal authentication solution and it doesn’t matter what kind of device is used - it can be a laptop, a phone, a tablet, or even a TV. The solution is Mobile Connect. With Mobile Connect, Peter can disregard all usernames and passwords that were previously maintained. He just has to enter his mobile phone number as his unique username and tap the okay button on his handset. He can also enter his unique password if more security is required.
Peter’s digital life has just become much easier. He has to remember just one username now, and in certain cases, one password as well. He can now quickly access and register for web services, confirm transactions and payments, and sign documents digitally. It’s also easy for him to access his company network, make money transfers from his bank account, legally sign his tax returns, shop online, log in easily to his favourite websites, and even confirm a payment for movie tickets on his online movie box. All of this is enabled by Mobile Connect, which allows Peter to login to online services securely and conveniently with just a tap of a button.
Thanks to the different levels of security (LoAs) provided by Mobile Connect Peter now has ease of mind because he knows that his accounts and details are in safe hands. There’s also a lesser risk of his personal data being misused. With Mobile Connect, Peter’s digital life has become easier, because it provides
- A fast and simple online authentication
- A single ID and password
- Protected privacy and reinforced security
Use Case 2: OnlineShopper wants to provide user friendly and fast authentication to its users
OnlineShopper is a worldwide online shopping platform that provides various kinds of fashion items, electronics, and mobile devices online. At present, it has a large global customer base and is currently worried about servicing this base due to certain competitive challenges in the market. The analysts at OnlineShopper decided to do a research and survey on customer satisfaction with the current system and found out that many customers leave the website when they were asked to register with the system. They also found out that many customers log out of the system after every visit due to sensitive data being saved in this system, such as online purchases and credit card information. These problems are common in any online service available today where authentication of the user plays a vital role. Many users need an authentication solution that’s hassle-free and safe, while ensuring the privacy of the user. OnlineShopper currently uses WSO2 Identity Server to manage its users and OnlineShopper is looking for a digital authentication solution that will allows its users to log in to the system swiftly without any hassle.
OnlineShooper decided to integrate Mobile Connect into its system as a global digital identity for users to authenticate themselves to the system with ease. Currently, the only available solution to integrate Mobile Connect with a tap of a button is WSO2 Identity Server; it introduces Mobile Connect as a federated authenticator for the service in use. Any service provider can simply integrate Mobile Connect to their system by simply using WSO2 Identity Server and linking the Mobile Connect connector; this allows the service provider to easily configure it according to their needs and will allow them to directly start using Mobile Connect instantly.
Now OnlineShopper doesn’t have to worry about its customers’ authentication needs because Mobile Connect takes care of them all. Its customers are satisfied with the one tap authentication provided by WSO2 Identity Server through Mobile Connect, which has already driven a lot of sales from around the world due to the fast and easy authentication solution available to all of their users.
Thanks to the different levels of security provided by WSO2 Identity Server via Mobile Connect, OnlineShopper can now enforce higher security authentications whenever a payment or transaction is carried out. This solution provides the following three features:
- Accelerates and ease verification and authentication
- Reduces friction in transactions and activities
- Enables access to operators’ subscriber attributes regardless of their operator
WSO2 Identity Server is one of the leading identity providers available in the market that supports a significant number of protocols and authentication mechanisms proven to be useful and convenient. Apart from the traditional username and password authentication approach, multi-factor authentications with higher security features are also available in WSO2 Identity Server. It now provides easy configuration of Mobile Connect authentication to its applications to easily integrate Mobile Connect within a very short period of time. Mobile Connect is a mobile network operator facilitated authentication solution provided by the GSM Association. It provides a secure and convenient authentication solution for users to login to any system just by the tap of a button, while using the mobile device as a global identity of the user. Configuration documentation for Mobile Connect is available here.
Table of content
- What is Mobile Connect?
- Why Mobile Connect?
- Why Mobile Connect?
- How Mobile Connect works
- Concepts of Mobile Connect
- Mobile connect facilitated mobile network operators
- Social media vs. Mobile Connect authentication
- How safe is Mobile Connect?
- Can the security level be increased in Mobile Connect?
- Use Case 1: Peter using Mobile Connect to log in to his online services
- Use Case 2: OnlineShopper wants to provide user friendly and fast authentication to its users
- Keet Sugathadasa
- Trainee Software Engineer