[WSO2Con EU 2017] Keynote: Mobile Identity in the Digital Economy
By WSO2 Team
- 8 Nov, 2017
Good morning everyone and thank you for allowing me to come and talk to you about what we are doing in the GSMA.
GSMA is a mobile trade association; you may or may not know we gather people in Barcelona every year, about a hundred thousand of them. In addition we work a lot in the regulation spectrum. But the most exciting thing that we are doing, I think, is encouraging collaboration across mobile operators in order to develop new services and new products that require interoperability. I’m going to talk about one of these today.
There are a number of major market trends that are driving the need for a secure digital identity. I put digital identity at the core of any digital transformation - in society, in an enterprise, among the government services, and so forth. Firstly we see that digital is obviously everywhere. You go to your banking app and you have everything on your phone these days. We also see that security is not really up to the task. You become too reliant; there are too many things that can go wrong if you lose that phone, or if your network services are being hacked. But a third one is what we are entering into now in Europe, which is almost like a perfect storm when it comes to regulatory changes. And it’s not just in Europe, it’s across the world as well. So an example I’m sure you all are familiar with is the interoperable electronic identities that are now being put in place across the member states within the EU. It means that you can go to any country and prove who you are. Primarily for government services, but increasingly for public services as well, based on the digital identity issued from one government. That is huge. We are doing a very nice pilot at the moment between France and the UK, where you can take your French digital identity and open a bank account in the UK. In fact it’s almost easier to open a bank account if you are a French citizen. It’s at pilot stage, but it's a very exciting use case.
The second one is PSD2, that you are probably aware of as well. This is the Payment Service Directive 2. It raises a separation between the banking infrastructure, the access to the accounts, and the user information about the accounts and transactions. It means that banks are now looking for ways to keep their relationship with their end users. They are being ‘OTT’ as we say. Again, it’s enormous. It’s a huge change for the industry, and it’s really opening up a number of new opportunities as well, but also a number of new challenges when it comes to security. Just another example worth mentioning, I think.
And the last one that you all are probably familiar with is the GDPR, the General Data and Privacy Regulation in Europe, where you have to have consent for any kind of information that you are using or you face a huge fine. The rules haven’t gone through the court system yet in testing the boundaries of this, but again it’s enormous. Any personal data that enterprises hold today, have they got consent or not? It’s going to be important that they know the value of that data. We’ve seen similar changes now happening in China as well on cyber security and privacy law. There was a new law adopted in June; again it’s all about transparency, consent, and control for the end user.
So digital identity, privacy and trust are increasingly important. And I could stand and talk about it all day, but I will not. I’ll probably bore you with it. But the point is that these are the big trends that are now making trust, making privacy, making digital identity more important than we’ve ever seen before. The time is right to have this discussion, I think.
So what are the mobile operators doing? I’m really here just to inform you about what we are doing around the world and of course I’m happy to take any questions and feedback on these kinds of things as well, especially afterwards. Basically mobile operators are doing two things when it comes to digital identity. On one hand they are putting identity at the core of their own services so they can recognize the customers across everything that they are doing. Whether it’s their mobile services, but also the fixed services (some of them are doing financial services like insurance and banking and so forth), they need to have the same view of the customers across all of these services. Nice for an internal view.
The second thing they are doing, and this is where I’m going to be focusing most of today, is to offer authentication and authorization as a service to any relying parties, to any third parties, through a common set of APIs. This is a part of the operators’ strategies for having what I will call ‘enablement services’ or ‘ingredient services’, above and beyond what they are doing for, you know, subscriptions for private and business customers, and sometimes they have music offers in partnership with Spotify, as an example. Or even their own music services, but there is also this middle layer, some categories such as operator billing. Now we are looking into, and will be setting up, identity services as well from the operators.
I want to introduce Mobile Connect, which is the global identity solution from operators. This is not intended to be a product presentation in any way, but I just want to inform you about some major trends taking place that could be relevant for what we’ve been talking about elsewhere in this conference. It’s basically four main capabilities. It’s about authenticating a user, it’s about authorizing digital transactions, payments as well. It’s about verifying the identity and it’s about providing attributes about whether the user or the device can be trusted - has this device been stolen, for example.
It’s probably useful to know if you’re going to run your banking app on that particular mobile device. We’ve got some pretty good user feedback on this in fact, and I will talk about that a little bit more. An important point is the strong position on privacy, to ensure both regulatory compliance but also to demonstrate that it is possible to trust your operators with personal data. Operators are very regulated; they know how to handle personal data. In general, there are accidents of course that shouldn’t happen, but these things do happen, but they typically know how to handle personal data very well.
Mobile Connect is now available. We have about 100 million users that have used it and 30 million of them are using it every month. It goes across 30 markets, 57 operators. I’ll show you the coverage later. This is an example of an industry initiative where the operators are standing up trying to participate in digital transformation, and with some success. And we only started back in 2014 with the idea, and had the first beta launch as well in a particular market. In fact Sri Lanka was the first market that stood up Mobile Connect, and since then the standardization has been maturing, and we’ve rolled it out in a number of other countries as well now.
The product portfolio ranges from authentication, authentication with a PIN, authentication to saying it’s ‘okay’ by just clicking okay, and typical use cases are to replace passwords. The second category is about authorizing requests, adding a context to a particular authentication, nice for IoT use cases. In fact, if you want: do you want this smart meter to send the data to your electricity company, yes, no, enter a PIN if you want to make it more secure. This is my IoT device, I’m claiming ownership, I am giving it permissions. Some nice IoT, of course in addition to payment. Identity is the other category, national ID.
So I’m from Norway, and when I log into my bank account, I enter my PIN on my phone. I don’t have a username and password. It’s something that has been set up in collaboration between the banks and the operators, whereby the banks have seen my passport when I set up my bank account, the operator is storing that on the SIM in the phone, so I type in my date of birth and my mobile number and they know who I am. There is no username and password. The bank will tell on my behalf who I am for any relying participants, whether it’s an insurance company or whether it’s the government. Which is very nice; I like looking for this little sign that tells me that I don’t have to remember another username and password. So that’s the national ID.
The other one here is phone number, so instead of cases where it’s nice just to log in with your phone number, the relying party, the service part or the app developer, they know, yes this is your phone, this belongs to this person, and underneath that it’s a business relationship between the end user and the operator. And they know they can trust it. And it’s easier for me as an end user to remember; I know my phone number, I cannot remember my fiftieth username and password because they all change. I’m lucky if they are using my email address. So again, it’s a relief for the end users.
And the last one is quite exciting as well; it’s about confirming information about the user. We have some nice use cases where banks for instance need to validate information that they hold about their customers. The operators have already seen information about the users and they can then compare notes. If the information which operators have is the same as what the banks hold, then it’s all good. And I think I can get back to that, but I think that is proven to reduce fraud significantly. We are working with some of the credit card companies and they are really demonstrating that this reduced fraud rates by about five times when they were able to confirm that match. Which is costs; this is huge.
I can’t take your protection, there are indicators on the phone that the operator will know that can give an indication of whether this phone is at risk from having been stolen. For example, if call forwarding has been enabled on the phone permanently, maybe somebody is trying to take over the account. These things happen all the time, social engineering. You get a call center of the operators wanting to send out a new SIM card, and then the fraudsters will then enable call forwarding on that particular account. So if call forwarding has been enabled permanently or for a long time or most recently, now maybe you should watch out. If the SIM in that phone is new and there’s not a reason why that should be new, you know that the user has gotten a fancy new iPhone X, okay, maybe you should watch out if the SIM was recently swapped. There are good reasons for it, but they could also be indications of fraud, and of course if the device has been stolen, if it’s been reported stolen, this is a thing that the operators know and they share information about it; maybe you shouldn’t trust that phone with your banking app.
So this is information that can help assure the reliance on the mobile device for any particular app. And it is held uniquely by the operators, and of course verifying the mobile number as well. The operators know the mobile number of the devices initiating a data call. That can be passed along in the call flow towards a relying party, securely, and this cannot be spoofed. This is the radio connection between the mobile phone and the operators. When passing this on to the app developer, they know that yes, this phone number actually belongs to the person or is actually being used by this person now accessing my app. Is this the same as my records? Through a match, maybe I can trust it; if it’s not a match I’d better watch out. So these are just a few examples of how operators know things about the device, about the account, about the end user that can be used to rely on, to add security in mobile services.
How does it work? Each operator offers their own API gateway with identity capabilities; we have about 57 of them at the moment. Various levels of quality, I should assure, but there are some pretty good ones as well. But that leads to a very fragmented or distributed system of different identity gateways that all need to respond to the same APIs. What we are doing, we have a discovery mechanism, the API exchange, that allows this to look like the same service. So the user will choose, or the service will initiate a request for authenticating this user. It will query the API exchange, which then asks your service provider to ask the end user for the mobile number unless they can get it from the radio network. The API exchange then reports the end point and the credentials to the developer, who can then perform the authentication directly with the operators. So the API exchange is a kind of API routing mechanism, if you like, including the credential management that allows the service provider on the fly to detect which, or to know which, operator can serve that particular user, which operator can then authenticate that user or provide information about that device. So that is how we have solved the fragmentation problem that we would inherently have across the operators, to avoid each app developer having to connect and to get different credentials for each operator. We have this API exchange that provides that seamlessly. It’s a bit like, you know, re-routing a phone call as well. It works in the same, very similar way.
What does the end user say about this? We have feedback from end users about the user experience; it’s really good, especially when we are using the mobile network to authenticate users automatically. Either just by going into the app or just clicking login on the app, they are in, no username or password. We have immature markets, there’s about ten to twelve transactions a month. This is primarily focused on very secure transactions. Of course any kind of digital services will be much more than that per month. In some markets, especially when we talk about security assurance services, there’s a willingness to pay as well. We did some market research in Norway a few years ago, where the ability to use a mobile to authenticate and to log in to banking services was the third most important reason to choose an operator. It was something that really resonated with the end user. And I think it goes for all of us. If I don’t have to remember a username and password, it would be fantastic, and if, as an app developer, I know that I can really trust this person, maybe I can put in less friction to give them access to my services.
As I’ve mentioned, we’ve been working extensively now with banks, with internet companies, service providers across the world to get Mobile Connect deployed in their services. But we have really started with internal services for the operators to begin educating the end users about this new experience, that they can use their mobile phones to access digital services now. Some of the benefits that we’ve seen are around the user experience, but also around innovations offering new business opportunities. I mentioned it with IoT; we have another one about giving permission to your children to log in to the Lego website for instance, or to enter an educational website. By giving permission, you can expand your market as well.
I also wanted to briefly mention some government activities we are doing. It’s turning out that the governments in many, many countries, and this goes all the way from the US and Canada and Latin America, here in Europe, there are a number of countries of course in the EU, but also in Asia, in India, in Malaysia, also in China, there is a huge interest in e-government services. And in order to digitally transform government services they have to understand who the user is they are dealing with, what is the identity of the end user, their citizens, that are now trying to access their services. And they look towards the operators and they look towards the banks to be able to provide both the security, the privacy capabilities but also information about the end users. They know their identity, and they can leverage a government-issued identity like a passport or a national identity card, to present that in a digital transaction securely. So we’ve been working for the last few years in the US with the National Strategy for Trusted Identities in Cyberspace, NSTIC, as part of NIST, the National Institute of Standards and Technology, where we've set up Mobile Connect for authentication. We’ve deployed it for some health care services to get access to medical records.
And we have now set up a pilot for polling. The next one could be voting, that could be really exciting. But we started with something much simpler, just polling. And it’s a great way for local councils, for local municipalities, to get feedback from their citizens. What do you think about this particular activity we are doing now, or we would like your views on whatever. Nice in terms of citizen engagement. That’s just one example. The IRS was quite interested as well; they have users across the world and they have fraud when it comes to your tax returns. So making sure they knew exactly who they were dealing with, that it was a valid submission, again good value. Very good value. We have another nice one as well in the US, also in Spain. It’s about age verification for a vending machine. Imagine being able to buy beer out of a vending machine. You can’t do it now, because I need to prove your age, but the operators know your age; they can confirm yes, this person is more than nineteen. You could imagine giving your phone away to somebody minor, but you could do it in a shop as well, so. But it was a nice use case. So in the EU, we are now working with the European Commission and operators and governments in three or four different countries now across Europe, to facilitate this interoperability of electronic identities. So that you can go to one country and you can prove your identity, for instance for medical purposes, in another country.
And that is also working really well. I hope by the time we go to Barcelona in February at MWC we will be able to demonstrate that, such as mentioned earlier, opening a bank account. In the UK, the operators are supporting the government, the government’s identity providers, to confirm the information about the users, to establish a digital identity, to log in to digital services as well here in the UK. In Spain we have also launched with the local municipalities, again accessing government services. And in France there’s a very exciting pilot, that if you’re lucky you’ll get to see live. It goes live on and off; they are just doing the testing at the moment to use Mobile Connect to authenticate for access to government services. To check how many points you have on your driving license. That’s the word I was looking for. And the way that they do it is, you take your national identity card, you take a picture of it, you take a selfie, and they combine the two; there is some technology that goes behind it. They combine the identity card and your face, do some background checks and then they establish your identity. Then they know, yes, we’ve seen this person, we think this is good enough for the government services, and that’s facilitated by our range and also by our user Mobile Connect. It’s a nice one. They don’t have to go anywhere to connect, and know your customer is satisfied.
So those were a few examples of how we are working with the governments, and I hope that has triggered some ideas as well. There’s one problem that I’ve mentioned on the technology side, in order to make these fifty-seven operators, at least a subset of them, look like one entity. You know, you go to Facebook, you go to any big API platform and you have one contract, you’ve got one price, you’ve got one set of services and you know who to call if you’re lucky. With so many operators, it is quite difficult to get the same level of seamlessness. And this has been one of the weaknesses that I’ve been really struggling to work with now for the last two years. Because it’s difficult to get your parts to look like one identity; they are quite different. So on the technology side, I think we’ve got it solved pretty much, with what I call the API exchange.
Now what we are doing is the same thing on the commercial side as well. GSMA has now set up a small veneer of contracting capabilities; it has the intention of simplifying contracts, building the support and service monitoring. So that it looks like one service across the operators, but giving plenty of space to anybody else who wants to build on it. This is not about innovation, this is about simplifying the basics to create a platform out of the mobile users that can be much more easily accessed than what we’ve ever seen in the past. Each operator had their individual API strategies. So we’ve been starting now with Mobile Connect because it’s simple and it needs to be an ingredient in anybody’s services that covers the whole user base within a particular country. So I just wanted to mention this as well, because innovation is not just happening around the technology, about the capabilities, the APIs to date and so forth. Innovation is also happening on the business model side. So this might look simple but it’s all about the contract negotiations with the operators.
I am going to tell you a little bit about what the operators are doing, some of the nice use cases that we’ve deployed in some of the markets and what the effects have been. It’s always nice to see if this has any benefits. So these are the logos of some of the operators that we’ve been working with. I mentioned the US carriers as well earlier; I could add the Canadians as well to this one, which is also quite advanced, and of course I should have all the Indian operators as well over here on this chart, but I kind of ran out of space. I only got Airtel.
So the strategy the operators have to get Mobile Connect to market, and to take a position within the digital services with what they can offer around identity and attributes, is starting with their own services. So the first thing they do is they say, well, you’ve got voice, you’ve got data, you’ve got SMS messaging and you’ve got Mobile Connect from us, so it’s a standard service that everyone’s being enabled for and included as part of the basic contracts with the operators.
The second thing they do is to offer this for their own services, looking into self-care, whatever value added services they had like video streaming, or music or whatever. They don’t have that many, but they have some, and it’s all about educating the users and also getting them enabled. In some cases these authentication capabilities are delivered using a SIM applet, so it’s pretty secure but it needs to be distributed and that takes a little bit of time, so let’s start with their own services. The second thing that they do is, some have had these capabilities in the market for quite some time. We have some; take the Korean operators for instance, they’ve been offering age verification, you know, I mentioned the vending machine? They are doing that for games. They’ve been doing it for years.
The same thing with some of the Nordic operators as well; they have secure authentication and identity verification. And what they are doing, or what they have done, is to join this global ecosystem now, or they join the other operators with their identity service, so they ought to be growing the total base of the solution. And of course then they start promotion to their own partners; some of them have strategies regarding third parties and they are also getting together to establish a joint market offer, and I talked about a commercial federation on the previous slide.
I mentioned already that we have quite a few operators that have launched in Europe now, in France and Spain, the UK and Italy and Switzerland and Finland. The most active market we have in Asia is probably India. I find that has been quite exciting. Three Chinese operators have launched as well, building on their existing authentication capabilities. Taiwan just launched a month ago, now all five together working closely with the City Council in Taipei to start offering payment authorization for parking. So a nice use case to start with. And Brazil as well is getting very close to ready across all the operators. And primarily the Telefónica and América Movil footprint as well is pretty well covered. There are quite a lot of activities going on around the world. It is still early days, it still requires a lot of improvements, but we are gaining traction.
I thought that I should just mention a few case studies that we had, where the service has been deployed and some of the effects, and if there’s time, then I’m sure that I’m more than happy to take questions at least.
So the first one I wanted to highlight, I mentioned that Dialog was one of the first ones to launch Mobile Connect as a beta service back in 2014. It takes time to improve it, but they’re doing really well. One thing they did, which was quite exciting, is that they used it for their call centers, because it saves time when customers are calling in and they can authenticate using Mobile Connect. But the biggest saving that they found is that the reason calls are coming in is because they lost their password. So being able to reset their passwords by not calling into the call center, but automatically doing it themselves using Mobile Connect on the phone number, really helped them to save money on the call center and they also got a lot less frustrated customers.
That’s one example. We have SK Telecom; as I mentioned already, they launched something called T-authentication. It’s been in the market for quite some time. What they recently did now is to use it for one of the largest banks in Korea to authenticate access to their mobile app. And it took a lot less time. The user flow to get access to this app was quite cumbersome. You know, lots of forms you need to fill in and so forth. So with this, by the use of their Mobile Connect service, it took them a lot shorter because they already get their information, authenticate the information, backed by the operators who own the information, own the data set, and they also got more transactions because it was easier.
What I haven’t included here, but another one that was quite exciting, is the attrition rate for gaming. So on one hand they have an age verification for games that I need to do, that we’re now looking to expand into other countries. It’s not just Koreans that play games. But they need to verify the age of the gamer. That’s something that you can do, so that’s a new business model in effect. Otherwise it becomes quite difficult to confirm, truly confirm, their age; there was a regulatory requirement. But the second thing that they had was also their attrition rate of signing up for a new game. That fell from about 20, 24 percent down to 4 percent. For vendors, when they used social logins as the login mechanism, they had twenty-plus percent attrition rates. When they used their own authentication capabilities, it was down to 4 percent, because it was so much simpler, and it was much more reliable. And users were concerned about sharing their gaming preferences on social media as well; you never know where it might be ending up. So it was something about privacy that really appealed to the end users.
An example just in terms of take-up: we have now about half of all the logins to a web portal happening using Mobile Connect. They found the users find it much simpler, and that happened quite quickly, in the span of a month or two.
M-Pesa, that is a payment, a mobile financial service in India. Mobile wallets basically, where they really increased the number of transactions because they had simplified the authentication of the users. It was no longer an SMS one-time password, but it was more seamless.
And I think the last one to highlight again is Movistar, what they have done in Spain. And they really reduced the drop-outs on the registration that they had for the self-care portal by the use of a mobile login mechanism like Mobile Connect. And they kept growing their number of registered users.
These were just some of the examples I wanted to mention. I wanted to inform you about what the mobile industry is doing when it comes to taking a role, and being a supportive player in digital transformations, in particular when it comes to identity. I will be staying behind afterwards if there’s anyone who wants to talk about this further. Thank you for listening, and I hope it was interesting.
Marie leads the GSMA’s business development activities in identity globally. The aim of these activities is to drive forward a global mobile identity solution that protects the privacy of end users while leveraging the network assets and inherent security of mobile operators, with the purpose of making digital services more secure and convenient. Marie has many years’ experience working in strategy and business development, including start-ups, for Vodafone and Telenor. Prior to joining Vodafone, she was a telecom analyst at Commerzbank in London and a consultant for Analysys Mason.