ENABLING THE DIGITAL WORLD - MOBILE IDENTITY 2020 - GSMA
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
MOBILE IDENTITY ENABLING THE DIGITAL WORLD 2020
Mobile identity, enabling the digital world 3
ABOUT THE GSMA
CONTENTS
The GSMA represents the interests of mobile
operators worldwide, uniting nearly 800 operators
with almost 300 companies in the broader mobile Executive summary 4
ecosystem, including handset and device makers,
software companies, equipment providers and
internet companies, as well as organisations in Introduction 5
adjacent industry sectors. The GSMA also produces
industry-leading events such as Mobile World
Mobile operator identity – a timeline 6
Congress, Mobile World Congress Shanghai
and the Mobile 360 Series conferences.
Mobile operators’ evolving identity capabilities and services 9
For more information, please visit the GSMA
corporate website at www.gsma.com
Digital identity verification and authentication 13
Follow the GSMA on Twitter: @GSMA
Fraud detection and prevention 18
Financial identity and credit scoring 21
Optimising trust and scale for digital identity 23
Closing remarks 26
First edition January 2020
4 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 5
1 EXECUTIVE SUMMARY
BY RICHARD COCKLE, GLOBAL HEAD OF IDENTITY AT GSMA
DIGITAL IDENTITY SYSTEMS MOBILE OPERATORS GAINING
GROWING IN IMPORTANCE SIGNIFICANT TRACTION IN
In 2018 the average number of online accounts DIGITAL IDENTITY
requiring a password was estimated to be 23 per Worldwide, mobile operators are recognising and
user, however the average number of passwords commercially deploying their unique digital identity
was just 13.1 Some estimates even suggest users tools and resources. A conservative estimate of mobile
re-use passwords as many as five times across operator authentication services puts their monthly
different accounts – meaning that with just one active users at close to 1 billion. Mobile Connect, the
data breach, fraudsters could gain access to secure universal log-in solution developed by the
multiple sites via a single credential.2 Add to this GSMA and its members, has now been adopted by
the 4.5 billion records3 already exposed worldwide 70 operators in 40 countries. Furthermore, operators
in the first half of 2018, then the threat from are entering new markets beyond authentication
identity fraud becomes very real, and just part of including fraud detection & prevention and credit
the reason why secure digital identity is growing in scoring with growing numbers of businesses looking
importance for the digital economy – the challenge to adopt these operator services directly and through
will be to balance improved security with an operators’ channel partners.
improved user experience.
OPTIMISING TRUST AND SCALE
ARE PRIMARY FACTORS FOR
DIGITAL IDENTITY RELIANT ON OPERATORS’ MOBILE IDENTITY SUCCESS IN DIGITAL IDENTITY
MOBILE TECHNOLOGIES, DEVICES ‘TOOLKIT’ HELPS THE DIGITAL
Affirming businesses’ trust in their customers
AND NETWORKS WORLD GO ROUND and transactions is a primary purpose of digital
‘Mobile identity’ refers to the mobile technologies, Mobile operators have a unique set of tools and identity systems. To achieve this subscribers must
systems, devices and networks used to facilitate capabilities which provide critical value to the digital trust identity services if they are to share their
digital identity services – services which are often identity ecosystem helping the digital world go round. data, and identity services must be trusted by
reliant on the ubiquitous coverage of cellular These tools include: know-your-customer (KYC) businesses if they are to sell products derived from
networks that have over 5 billion mobile subscribers datasets, which operators are regulated to maintain, that data. Trust both ways is critical, but without
worldwide in 2020.4 Recent analysis from Juniper that can help with on-boarding and optimum scale that trust cannot be converted
Research estimates that growth in mobile digital identity verification; or changes in the pairing into commercially viable propositions. This paper
identity solutions could exceed 800% over the next between subscriber, device and network, that can considers three factors critical for trust, and three
five years, as emerging economies turn to mobile by indicate potential fraud. Tools such as these are critical for scale, which together can yield success in
default. This research also shows that unique mobile collectively referred to in this paper as the ‘mobile digital identity. For trust we will examine security by
identifier services could become the primary source identity toolkit’. This paper discusses mobile design, transparent trust endorsements, and control
of identification for over 3 billion people by 2024 – operators’ existing tools for mobile identity – and privacy for the user. For achieving scale, we will
providing significant potential for mobile operators and opportunities to develop new ones look at interoperability and federation, partnerships
to play a primary role in digital identity.5 leveraging big data, artificial intelligence and and collaboration, and compelling business value.
behavioural biometrics.
1 World Password Survey, McAfee, 2018
2 The 2019 State of Password and Authentication Security Behaviors Report, Ponemon Institute 2018
3 Gemalto’s Breach Level Index, 2018
4 GSMA Intelligence, 2020
5 Digital Identity: Technology Evolution, Regulatory Analysis & Forecasts, Juniper Research, 2019
6 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 7
2 INTRODUCTION
Digital identity is described by the GSMA, the World Bank, and the Secure
Identity Alliance as “a collection of electronically captured and stored identity
attributes that uniquely describe a [real] person within a given context and
are used for electronic transactions.” Having a digital identity proves that we
are who we say we are online – but having too many passwords to remember
often makes our registration and login experience inconvenient, meaning we
give up.
Essentially there are two approaches that reducing the estimated 1.1 billion ‘unidentified’ users
could make life easier for users. Firstly, a to zero by 2030 – and a wave of globally influential
unified or common digital login:6 a single set of new regulation from Europe and elsewhere
authentication credentials to remember and use (including GDPR, eIDAS, PSD2 and AML) is aimed
as a universal login across multiple websites would respectively at improving data protection, federating
go some way in solving the problem. Secondly, common digital IDs, strengthening customer
if the user had a single verified digital identity authentication, and addressing money laundering.
with a single set of credentials from the very Compliance pressures from these stringent new
beginning, entirely under their ownership and laws are directly driving online business spend
control, it could be used to log in directly or to set on identity services, data management, and
up a separate common digital login. Convenient cybersecurity systems, with the average cost of
and secure digital identity solutions such as these KYC and customer due diligence (CDD) compliance
are increasingly important to underpin the digital for a financial firm rising to $60 million.9
economy, where they can drive business revenues.
Recent estimates from McKinsey Global Institute Digital identity systems are becoming a functional
across seven countries suggest that successful pillar of the internet, and mobile identity tools play
deployment of digital identity could enable a growing role in making them more accessible,
incremental economic growth in developing robust and secure.
markets – equivalent to as much as 13% of GDP by
2030 – and up to 3% in more developed markets.7
With fraud and cybercrime estimated to cost
organisations $5.2 trillion8 globally over the next
five years, business demand for trustworthy and
qualified customers is growing fast, catalysed by
the effects of international policy and regulation
on identity systems. The UN’s Sustainable
Development Goal no. 16.9 (‘Legal Identity for All’)
focuses global initiatives on
6 Common digital identity is used to represent alternative phrases including unified, reusable, universal or Federated Identity
7 Digital Identification: a key to inclusive growth, McKinsey Global Institute, 2019
8 https://www.accenture.com/us-en/insights/security/cost-cybercrime-study
9 Thomson Reuters Know Your Customer Surveys, 20168 Mobile identity, enabling the digital world
3 MOBILE OPERATOR IDENTITY - A TIMELINE
For some years mobile operators have recognised the importance of taking
a role in digital identity and have deployed services and solutions in response.
Our timeline over the last 5 years illustrates significant landmarks and some
key successes that have been achieved by mobile operators by acting on the
commercial value of their unique identity assets and resources (figure 1):
FIGURE 1: MOBILE OPERATOR IDENTITY TIMELINE (LAST 5 YEARS)Mobile identity, enabling the digital world 9
KEY
Authentication Fraud prevention & detection Credit scoring Landmark statistics Regulation
Source: GSMA Intelligence10 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 11
Mobile operators, particularly those with a with the growing demand for identity solutions:
significant programme of value added services
have initiated their identity journey by launching
Mobile-ID is a secure digital ID in Estonia from
EMT, Elisa and Tele-2 for accessing e-services and 4 MOBILE OPERATORS’ EVOLVING
single-sign-on (SSO) authentication to enable digitally signing documents with over 200,000 IDENTITY CAPABILITIES AND SERVICES
convenient and qualified access to these services users; Swiss Mobile ID login and signature solution
as well as to their customer care portals, with the launched by Swisscom in 2013 has now been
purpose of driving their usage and reducing cost adopted by all operators there, and has 3 million Mobile operators are making considerable progress in the field of digital
in managing dozens of access points; for instance, SIM cards in circulation. identity by unlocking their under-utilised but valuable mobile identity assets
this is why Turkcell launched ‘Fast Login’ in 2016, and resources referred to here as ‘mobile identity tools’. The mobile identity
an authentication solution that now has 23 million Now dozens of mobile operators are developing
toolkit contains databases, services and resources based on mobile technologies,
registered users. their mobile identity ‘toolkits’ to create new identity
products, services and capabilities that are helping
devices, networks and BSS/OSS systems. It contains existing tools that many
But initiating authentication for their own services to enable the digital economy. More operators already offer to the digital identity ecosystem and potential ‘future’
has just been the start for operators, it wasn’t long announcements in 2019 have seen leading US tools for operators to develop. An indicative range of mobile operators’ digital
before online businesses recognised that adopting operators (AT&T; Sprint; T-Mobile and Verizon), identity tools is illustrated in figure 3 and explained in the following section:
operator authentication could attract operator launch ‘ZenKey’, a common digital login; and
FIGURE 3: OPERATORS’ MOBILE IDENTITY TOOLKIT
subscribers with easy login as well; for instance by Russian operators (Beeline, MegaFon, MTS and
2016 PASS, the authentication solution developed Tele2 ) launch Mobile Connect, the industry’s
by SKT and leading South Korean operators, had federated digital identity solution, to third party KEY
been opened up to third parties now numbering as service providers. Fraud Detection & Prevention Identity Verification & Authentication Financial ID & Credit Scoring
many as 32,000 partner companies.
The last 5 years have shown mobile operators
E-commerce is a global marketplace where achieve measurable traction in the digital identity
national borders can become barriers to expansion field. In 2019, it is estimated the industry has
unless a solution can be found to ease cross border reached nearly 1 billion Monthly Active Users
transactions. Something that was appreciated (MAU) of MSISDN-based authentication services
by the mobile industry 5 years ago leading to alone, with conservative estimates putting that
the genesis of Mobile Connect, developed by the figure at 2.2 billion by 2025, a growth rate of 17%
GSMA and its members, to federate operator CAGR (see figure 2).
authentication solutions to do just that. Launched
FIGURE 2: MOBILE OPERATOR
in 2014, Mobile Connect has now been deployed MSISDN-BASED AUTHENTICATION
by 70 operators across 40 countries. MAU ESTIMATES
2.2bn
However, other operators started their identity
journey from a different place, preferring to target 1.8bn
legitimate or consented data services to help 1.5bn
businesses trust and qualify their customers, 1.3bn
comply with regulation, and fight fraud. UK 1.1bn
Source: GSMA Intelligence
1.0bn
operators (O2; Vodafone UK, Three UK and EE) for 0.9bn
example launched Account Takeover Protection
(ATP) services in 2015 to provide businesses with
signals for detection and prevention of fraud.
2019 2020 2021 2022 2023 2024 2025
Mobile operators are realising the digital identity Source: GSMA Intelligence
opportunity by matching their unique assets12 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 13
FUTURE TOOL: FRAUD SIGNALS
4.1 MOBILE IDENTITY eIDV- IDENTITY AND DOCUMENT
VERIFICATION SERVICES
Mobile operators can monitor the pairing between
TOOLS FOR IDENTITY subscriber (IMSI), phone number (MSISDN) and
VERIFICATION AND Electronic identity verification (eIDV) verifies a device (IMEI) identifiers, any change being an
indicator of a potential ‘account takeover’ (ATO)
AUTHENTICATION person is who they claim to be by attempting to
match information gathered at registration or fraud. Combinations of dynamic network data such
login with a range of public and private databases as call forwarding and SIM swap information can
provide important fraud signals in real time.
OPERATOR SINGLE effectively creating a common unified login. including mobile operator information, credit bureau
FACTOR AUTHENTICATION Operators’ ability to drive scale for their data, social security, police, and vehicle history
authentication services is boosted when they are data. Personal ID documents including driver’s FUTURE TOOL: FRAUD
Many operators have rolled out their own SSO designed to be internationally federated, essential licenses, passports, birth certificates, social security AND AUTHENTICATION HUB
authentication for convenient access across their for the national and cross-border coverage cards and citizenship certificates can be used for Operators are already working to integrate
own value-added services, normally using SMS required to attract major third-party service verification when combined with digital proofing legacy data silos across cybersecurity, network
OTP, USSD or header enrichment authenticating providers. techniques. These proofing techniques utilise AI and management, customer service, service
technologies. The mobile operator does this by machine learning to confirm the co-presence of a assurance and separate vendor partners. Holistic
verifying that the user accessing the business is in
FUTURE TOOL: CONTINUOUS ‘liveness-proved12’ face shot or video with their ID consideration of big data from an engineering
control of the MSISDN associated with the account document, then authenticate the document, and if
holder. Authentication mechanisms can also be
ADAPTIVE AUTHENTICATION and data science perspective and the application
necessary add knowledge-based user attributes, of AI and machine learning to it could bring the
used when required to gain authorisation or consent In the last few years AI is being applied in a new and wallet-based factors to verify a person’s power of ‘optimised combinations’ to the mobile
from users for the sharing of their data. approach called the continuous adaptive risk & trust identity. Mobile operators are well placed to offer identity toolkit; that is the massive potential
approach (CARTA10). This approach considers both a service like this and enhance it with additional coming from so many different combinations
OPERATOR MULTI-FACTOR trust and risk as dynamic properties best assessed security factors that come from their ability to pair of under-utilised and diverse data sets will
AUTHENTICATION and responded to on a continuous contextual device, phone number and subscriber. strengthen operator’s identity products and
basis. Future mobile identity tools could utilise
Multi-factor authentication uses two or more services opening up new revenue opportunities.
continuous adaptive authentication as an ‘invisible’
factors, and sometimes SIM applet authenticating The combination of anti-fraud and authentication,
authentication service that reduces user friction and
technology to create a simple user experience. two closely related processes, through a single
This means a PIN is used as the second factor,
which is stored on the SIM card and never
allows businesses to adopt a contextual approach to
security. Continuous adaptive authentication works 4.2 MOBILE IDENTITY API could provide greater simplicity, flexibility and
cost efficiency for businesses combatting fraud.
continually or frequently in the background using TOOLS FOR FRAUD
transmitted. The authenticating technologies’ Fraud and authentication hubs that orchestrate
behavioural biometrics or other data sources to DETECTION AND
interactions and messages happen over an multiple identity services into a decision engine
encrypted channel, making man-in-the-
re-authenticate users multiple times depending PREVENTION
are expected to gain ground, with mobile
on the level of risk reflected in contextual or
middle (MiTM) attacks more difficult operators having considerable potential to take
behavioural signals. Abnormal behavioural patterns
during authentication. on such a role.
could trigger step-up authentication to a higher KYC DATA
assurance or even reverification of identity (e.g.
FEDERATED AUTHENTICATION Mobile operators are one of the key industries
by face ID). The financial services and technology
regulated by many governments to ‘know their
Mobile identity federation platforms such as industries are finding AI and advanced analytics
customers’. With the appropriate legal basis,
GSMA’s Mobile Connect or Telia’s Identification technologies are providing significant value in
which can include user consent, operators are in a
Broker Service (TIBS) can federate operators’ combatting fraud, according to a PwC survey, 40%
position to provide KYC data to identity services
authentication services making them inter- of businesses are claiming value from alternative
that corroborates or improves accuracy of those
operable across participating service providers strategies such as ‘continuous monitoring’.11
services’ own customer records potentially with
real-time availability.
10 CARTA – Continuous Adaptive Risk & Trust Approach (Gartner) 12 Liveness - proving image is of a real live human face without disguise
11 Global Economic Crime and Fraud Survey, PwC, 201814 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 15
4.3 MOBILE IDENTITY
TOOLS FOR FINANCIAL
IDENTITY AND 4.4 MOBILE OPERATOR
CREDIT SCORING IDENTITY RESOURCES
MOBILE MONEY & INTRODUCTION CHANNEL FOR BIG DATA, AI AND
PAYMENT RISK SCORE Certain mobile operator resources and capabilities CUSTOMER ENGAGEMENT MACHINE LEARNING
Last year’s GSMA report on the mobile money are included in the mobile identity toolkit as Operators control key consumer and business AI-powered big data analytics has been adopted
industry found 272 mobile money services, and they are often uniquely and fundamentally touchpoints, making ‘customer engagement’ an by mobile operators applying it to multiple
866 million registered mobile money accounts live supportive of the development and delivery of asset they bring to digital identity. Business and layers of their business across networks and
in 90 countries.13 With $1.3 billion transacted every mobile operators’ identity tools. This list may not operational support system (BSS/OSS) processes services. Virtualisation of the network and the
day, mobile money accounts can provide credible be exhaustive but reflects the capabilities that and direct to customer marketing and service fragmentation of the supply chain has required
financial data for use in developing alternative credit operators can bring to the digital provision can be used to both collate identity data AI to become a foundational technology for
scoring systems, something already being explored identity ecosystem. and deliver identity systems. Already governments the mobile industry. In future, such powerful AI
by mobile operators and their partners. in at least 147 countries (as of January 2018) make resources could also be leveraged by operators for
UBIQUITOUS it mandatory for mobile users to present proof- the mobile identity toolkit to generate predictive
FUTURE TOOL: MACHINE POPULATION COVERAGE of-ID when registering for a prepaid SIM card. risk management products, and behavioural
LEARNING FOR CREDIT SCORING By 2025 there will be 5.8 billion unique This enables operators to collect valuable digital authentication systems that can be delivered in
mobile network subscribers and mobile credentials, which could be made available for real-time.
‘Financial identity’ and existing credit scoring
14
internet penetration will have reached 86%.16 digital identity services with the appropriate legal
products from operators can be based on
Both connectivity and internet penetration drive basis and permission. MOBILE OPERATOR
subscriber information that comes from; KYC data,
mobile money transactions, prepaid airtime top demand for, and support delivery of, digital API PLATFORMS
identity services, increasingly making mobile
COMPLIANCE, STANDARDS
ups and loans, device financing, card payments, In software supporting mobile networks, operator
risk management services and operators’ own paid identity tools a primary resource for AND PRINCIPLES APIs (application programming interfaces) make it
for VAS. Machine learning, however, is expected to digital identity. Mobile operators work to stringent possible for third parties to use certain mobile
unlock new ways of generating alternative credit regulations and national laws, and the economic network functions within their applications. API
scores when applied appropriately. ‘Branch’15, for importance of their networks engages them platforms are of growing importance to the mobile
instance, is a start-up that generates alternative regularly with government policymakers. The industry with overall global telecom API related
credit scores based entirely on smartphone mobile industry also leverages global standards revenue estimated to reach nearly $320bn by
data, which are claimed to be regardless of credit to develop a consistent and standardised set of 202317 This emphasises operator commitment to
history. Mobile data that is fed, with user services for managing digital identity. Adding to increasing the value of their subscriber, network
permission, into Branch’s ML algorithm includes this the privacy principles associated with operator and BSS/OSS systems that they expose to
handset details, SMS texts, GPS data, contact identity services, puts mobile at the heart of the external developers via APIs with the appropriate
lists and billing and repayment history. Mobile digital identity ecosystem. The local government permissions. If the industry’s mobile identity tools
operators could do the same by applying specialist and institutional relationships that operators work are to become more accessible, operator API
vendor ML analytics software residing on their to maintain often encourage the public sector to platforms will be an essential resource.
servers, to alternative data and traditional credit involve them in national digital identity initiatives
histories from billing and mobile money use, in through public private partnerships, as seen in
order to roll out new services. Finland with the launch of ‘Mobiilivarmenne’.
13 State of the Industry Report on Mobile Money, GSMA, 2018 16 GSMA Intelligence, 2020
14 Financial Identity as a Service (FiDAAS). Juvo, 2019 17 https://www.researchandmarkets.com/research/rxq3vq/carrier_b2b_data?w=12
15 https://branch.co/16 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 17
5 DIGITAL IDENTITY VERIFICATION
AND AUTHENTICATION
5.1 INTRODUCTION 5.2 MARKET TRENDS
AND DRIVERS
The following chapters explore the application of Two forms of authentication are designed to USER AUTHENTICATION DEMAND FOR TRUSTED
mobile identity tools to use cases organised into reduce the number of credentials that users EXPERIENCE STILL INSTITUTIONAL SUPERVISION
three different identity sectors: ‘digital identity need to remember and reduce the time taken to
HIGHLY FRICTIONAL In the GSMA Intelligence Consumer Survey, the
verification & authentication’, ‘fraud detection & login when accessing multiple service providers.
prevention’ and ‘financial identity & credit scoring’. The first, digital single sign-on (SSO), is used Research by email specialist Dashlane estimates top answers to the question ‘what steps could
by enterprises and uses a single authentication that we could have as many as 200 login accounts companies take to make you feel more confident
Identity verification and authentication are not the credential for accessing multiple systems within each by 2020,19 but people’s ability to remember about the safety and security of your personal
same thing but both are essential to provide the same organisation. A few examples of digital passwords for even half of those is untenable. data’ suggest that involvement of public institutions
simple, secure and qualified access to online SSO solutions come from Okta, SecurID, Azure Dropped logins where users admit to having given or central authorities could still be important for
services that require them. Identity verification AD. The second, federated or common digital up logging in or registering is already as high as building trust with consumers:
links a real individual to the validated identity authentication18 uses a single unified authentication 87%. 20 For e-commerce the situation is not much
information they provide on enrolment. credential for accessing multiple businesses. better with nearly 70% abandoning shopping carts • 44% said ‘demonstrate adherence to globally
Authentication, on the other hand, is the matching Examples of common digital ID include Mobile because of registration or payment completion recognised cybersecurity standards’;
of the identity presented by the user to that Connect, Facebook Login, Google Sign-In, and difficulties. 21 Moreover, the average time before • 39% said ‘face heavy penalties for misuse or
recorded on the system, to a certain level of Sign-in with Apple. Both approaches are set to a user gives up on an application altogether was negligence in the use of my data’; and
assurance. This is done using different factors of spread further as businesses look to improve and found to be 14.3 minutes, but nearly one in three • 33% said ’show an endorsement from a
assurance to prove you are who you say you are. secure their customers’ user flow. (29%) applications take more than 20 minutes to government regulator’.
For example secure customer authentication may complete making better automation and security
include two or more of the following factors; of on-boarding a key use case for digital identity. 22 These answers demonstrate that transparent
‘something you have’ (e.g. mobile device), institutional endorsements still carry weight with
‘something you know’ (e.g. password, mother’s consumers when evaluating the trustworthiness of
maiden name etc) ‘something you are’ (e.g. a company or service.
fingerprint, face, iris) and increasingly something
you habitually do (e.g. your mobility, typing style
or behavioural profile).
18 Common digital identity is used to represent alternative phrases including unified, reusable, universal or Federated Identity 19
https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/
20 https://www.gsma.com/identity/wp-content/uploads/2015/06/mc_factsheet_web_06_15.pdf
21 https://baymard.com/lists/cart-abandonment-rate
22 Battle to Onboard III, Signicat, 201918 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 19
Turkcell example: Fast Login
As part of a strategy to drive growth of their consumer
PUBLIC PRIVATE proposition, Turkcell rolled out an array of apps and
SERVICEABLE MARKET VALUE
PARTNERSHIPS WITH
FEDERAL GOVERNMENTS
ESTIMATED TO HIT $2.5 BILLION 5.3 USE CASES FOR
services including the TV+ streaming platform, Dergilik
magazine media app, and Fizy music platform. It was
IN 2019 THE MOBILE recognised early on that these new services
Public national eID schemes are often born out of IDENTITY TOOLKIT would benefit from easier SSO authentication
Serviceable market value for MSISDN-based
a government’s wish for their services to be more for registration and login, leading to the launch of
authentication services is expected to approach
easily and frequently accessed, but can fail to Turkcell’s Fast Login solution in 2016. The solution verifies
$13 billion by 2025 showing growth of over 30%
gain traction when government services are used MOBILE IDENTITY TOOL: SINGLE a service user is in control of their mobile phone through
CAGR (see figure 4).
infrequently. In the UK only 3% have registered FACTOR AUTHENTICATION a single-factor or two factor authentication process. Fast
with the government’s digital ID scheme,23 and Login also utilises Mobile Connect, allowing operators to
FIGURE 4: MOBILE OPERATOR MSISDN-BASED Use case: convenient, simple login operators’ single
in Germany only 18% have done so. 24 A problem federate their authentications solutions by matching an
AUTHENTICATION MARKET VALUE ESTIMATES factor authentication enables service providers to
thought to stem from a lack of data sharing and individual to their phone number and operatorr.29
offer users a more convenient login experience,
interoperability with the private sector resulting Expansion of Fast Login to external businesses followed
by entering their phone number on the company’s
in a low perceived value with users. Governments in 2018 and by the end of 2019, it had more than 23
login page and clicking yes to an instant notification
are finding the answer to this problem is wider million registered customers in Turkey – 16 million
$12.9bn that is returned to their screen. This method makes
public private partnerships and collaboration with of these were Turkcell SIM customers and seven million
no request for additional credentials making it a
existing digital identity services. Partnering with were non-Turkcell mobile users – and was used more
lower level of assurance (LoA2), which can be used
mobile operators or forming wider consortia, $9.8bn than 32 million times across 86 integrated services in that
as a secondary factor for authentication, when
including banks and major national corporations month alone.30
combined with a username and password..
to launch eID, benefits from their existing scale, $7.3bn
trusted relationships and technical knowhow. $6.0bn
Estonia has demonstrated the success of its public $4.1bn
private partnership for ‘id-card’ where 98% have $3.2bn
$2.5bn
the card with 67% using it regularly. 25
China Mobile example: MSISDN Verify “One-click
DIGITAL ON-BOARDING 2019 2020 2021 2022 2023 2024 2025
quick login” is China Mobile’s common digital identity
SHOWS COST REDUCTIONS Source: GSMA Intelligence solution powered by Mobile Connect. Launched in 2017,
the solution now has over 650 million monthly active
Identity verification and authentication services
users (as the end of 2019) logging into over 5,000
are expected to grow as businesses recognise that
external service provider apps. The one-click
managing their own on-boarding and login can be
authentication and login scheme refers to the provision of
costly and behind the curve in terms of compliance,
corresponding services for the user by entering the local
development and security. In India, it is estimated the
number or the gateway's automatic authentication
Aadhaar identity system could reduce on-boarding
number (instead of the username and password) and
costs of the average firm from $23 to just $0.15.26
being verified by the operator's network. Complementing
In Norway, it is estimated BankID reduced the time
the SMS verification code authentication, the solution can
associated with applying for university housing from
optimize the application login security scheme. This
10–14 days to 1–3 days.27 It is thought enterprises
solution relies on the operator's five core resources
requiring high levels of assurance for customer
"number, SIM card, text message, phone call, and Internet
registration could save as much as 90% of costs with
access", and combines the Internet business scenario to
times to register reduced from weeks to minutes.28
achieve the upgrade of communication capabilities to IT
capabilities. It provides a neutral and open identity system
surrounding mobile phone number for Internet services,
and facilitates the interconnection and interconnection of
services, users and data.31 32
23 https://resources.signicat.com/hubfs/Downloads/the-battle-to-onboard-3-signicat.pdf 29 Developed by the GSMA and its member operators- ‘Mobile Connect Turbocharges New Services’ (April 2019)
24 https://www.signicat.com/resources/federated-electronic-identities-what-are-they-what-are-the-benefits-and-do-they-work 30 https://www.gsma.com/identity/wp-content/uploads/2019/05/mc_turkcell_cs_11_04-FINAL.pdf
25 https://e-estonia.com/solutions/e-identity/mobile-id/ 31 For service providers being accessed over a mobile network only
26 Private Sector Economic Impacts from Identification Systems. Word Bank, 2018 32 https://mobileconnect.io/wp-content/uploads/2019/02/MC-Verified-MSISDN-functional-datasheet-FINAL.pdf
27 Norwegian Mobile BankID: Reaching scale through collaboration, GSMA, 2014
28 Digital Identification: a key to inclusive growth, McKinsey Global Institute, 201920 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 21
MOBILE IDENTITY TOOL: MOBILE IDENTITY TOOL:
MULTI-FACTOR AUTHENTICATION FEDERATED AUTHENTICATION
Use case: Strong secure login SMS-OTP solutions and more convenient than legacy Use case: Convenient and secure placed to take their identity role further by adding
Multi-factor authentication, otherwise termed strong authentication methods such as hardware tokens. cross-border authentication new enhanced mobile identity tools for on-
customer authentication (SCA) by the EU’s PSD2 More recently a consortium-based approach has seen In the global digital economy users and businesses boarding and authentication or even by becoming
regulation, uses two or more factors to authenticate mobile operators partner with national banks and need to transact across country borders, but if an Identity provider themselves. Operators’ strong
a user at login. The objective is to present a layered federal government in a public private partnership to authentication systems are not interoperable users subscriber and business engagement could
defence to fraudsters with multiple barriers if one factor achieve the scale, operational resources and levels of still have to maintain too many sets of credentials enable them to move downstream in the identity
is compromised. Secure multi-factor authentication trust needed for successful national ID deployments. to do this conveniently. However, a federated login ecosystem to offer identity provision.
has wide application (e.g. VPN login, banking login, or Mobile operators recognise that mutual cooperation lets subscribers use the same credentials to access
gaming accounts), is more secure than existing and collaboration in mobile identity helps to drive scale. any service provider that is participating in the Future mobile identity tools could include
federated login platform: enhanced solutions for behavioural biometrics,
document authentication and liveness testing,
Mobile operators already address the identity technologies that are already being explored
verification and authentication market through within the industry.
a range of authentication products but are well
itsme example: Mobile identity verification The the operators federated their separate solutions,
‘Belgian Mobile ID’ consortium was set up to now jointly branded PASS, using the PASS cloud
develop a digital identity for users to prove their platform and relaunched as an app-based solution
identity online. The idea was to enable Belgians to replacing the old SMS based one. Once registered
conveniently access a whole range of online on the PASS app, a user is only required to enter their
applications such as banking, government services, PIN or biometric (fingerprint, iris etc) or use a QR
insurances, e-health as well as create online accounts, code to enable easy and secure access to a number
confirm payments and sign official documents (QES). The of services under one app that includes mobile Telia example: Cross-border
combined efforts from the consortium’s mobile operators payments. PASS reaches over 50 million people and authentication service
(Orange Belgium, Proximus, Telenet) and Belgian banks, is now used to access over 32,000 external service Telia, the mobile carrier and Ubisecure, the identity
resulted in the launch and adoption of the ‘itsme’ app, a providers as well as operator services, with SKT alone specialist, initiated the Telia Identification Broker
digital ID of level of assurance high recognised by the posting 7 million monthly active users in May 2019.33 Service (TIBS), a Nordic and Baltic cross-border
Belgian government and EU Commission. To use itsme,
authentication platform offering several strong
users have to be over 18 years old with a Belgian eID and
authentication methods under one service
a smartphone. itsme only works through the right
agreement and integration. TIBS removes the need
combination of a user’s mobile and its SIM, the itsme app ZenKey example:
to maintain several independent authentication
and 5-digit passcode. Service providers Multi-factor identity authentication
platforms with various identity providers. It
adopting itsme are committed to only ask for user ZenKey is a secure multi-factor identity
supports multiple federated protocols and
data if strictly necessary, which is not shared without authentication platform provided through the
brokering enabling both compliance and scale
the explicit consent of the user. As of the end of collaboration of leading US carriers: AT&T, Sprint,
across the region. The Finnish Population Register
April 2020, itsme had 1.7 million registered Belgians T-Mobile and Verizon. With a potential reach that
Centre deployed the service in early 2019 enabling
with 5 million transactions per month. itsme was covers most of the US population, ZenKey can enable
Finnish citizen access to national services across
launched in Luxembourg in February 202034 users to log into participating third party apps and
tax administration and health records.36
websites securely and easily without the need for
passwords. ZenKey applies encryption technologies
to a user’s phone and mobile network when a user
SK Telecom example: logs in either through their smartphone, personal
PASS authentication app computer or other smart device. Multi-factor
Having separately experienced limited uptake of authentication is carried out using unique mobile
their authentication solutions, in 2015 SKT, KT and identity data during authentication including phone
LG Uplus agreed to work together to improve their number, phone account type, user credentials,
joint coverage and appeal to businesses. In 2016, account tenure and SIM card details.35
33 https://www.gsma.com/identity/wp-content/uploads/2018/10/SKT-Turkey-presentation-final.pdf 36 https://www.ubisecure.com/news-events/telia-best-consumer-identity-project-award/
34 https://www.itsme.be/
35 https://myzenkey.com/22 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 23
TOTAL AVAILABLE MARKET
6 FRAUD DETECTION VALUE NEARS $20 BILLION 6.3 USE CASES FOR THE
AND PREVENTION IN 2019 MOBILE IDENTITY
The total available market value for fraud TOOLKIT
detection and prevention includes the following
to double recording 680,000 in 2018 compared to services: fraud analytics (big data, predictive and
6.1 INTRODUCTION
the previous year.38 The growing quantity of stolen
user data from breaches, sold on the darknet, can
behavioural), authentication (risk based single and
multi-factor) and GRC solutions (governance, risk
Financial services including banking, payments
and insurance are faced with escalating volumes
be exploited by ‘adversarial’ AI, leading to ATOs management and compliance). Overall the total of transactions and a growing diversity of threat
via credential stuffing attacks,39 as well as being available market value for fraud detection and vectors that can be mitigated by operators
Fraud detection and prevention systems –
‘productised’ for financial, industrial and geo- prevention solutions is estimated to be close to bringing the following tools to bear:
designed to spot patterns which represent
political gain. The sheer variety of data available on $20 billion in 2019 (see figure 5).43
fraudulent behaviour, ideally in real time –
the darknet and from users’ digital ‘exhaust’ is also
are of fundamental importance to the digital MOBILE IDENTITY TOOL:
driving synthetic identity fraud, where fraudsters FIGURE 5: TOTAL AVAILABLE MARKET VALUE
economy. Identity fraud, in particular, is a
create artificial identities that cost US lenders alone – FRAUD DETECTION AND PREVENTION
FRAUD SIGNALS
growing concern for online businesses and
$6 billion in 2016.40 Use case: Assuring a new mobile device
users alike. Examples include Account Take
or password reset
Over (ATO) attacks, where a legitimate
COMPLIANCE PRESSURES Banks and financial companies, especially,
user’s details are stolen to take over their $63.5bn
online account and profit from its value; or
CREATING FRICTION FOR need to protect their customers from ATO attacks.
BUSINESS Fortunately, operators can offer insights that
card not present (CNP) fraud, where the
indicate when there has been a change that could
customer is not physically present with the A roster of anti-fraud regulation is putting heavy $41.6bn
indicate a fraudulent activity, when for example
merchant during a fraudulent transaction Know Your Customer (KYC) compliance pressures $34.6bn associating a new mobile device with a bank
(often carried out online); or even the on business, on financial services in particular, to $28.8bn
account. Attributes such as last SIM change, device
creation of a synthetic identity, where a the point banks recently warned that ‘EU rules $24.0bn
change, account tenure, or unconditional call
fraudster combines real and fake could scupper a quarter of online payments’.41
$19.5bn
diverts that can represent fraud signals are among
information to create a synthetic identity In Europe this is mainly driven by AMLD4/5 and those that have been found useful for the financial
used to open fraudulent accounts and make PSD2 regulation, which are ramping up demand services industry:
purchases. for KYC automation technologies.
2018 2019 2020 2021 2022 2023
Source: MarketsandMarkets/Statista
DIGITAL IDENTITY SOLUTIONS
6.2 MARKET TRENDS CAN REDUCE KYC COSTS BY UP
TO 70%
AND DRIVERS
Banks’ KYC and Anti Money Laundering (AML)
processes alone can cost $2.50 for a basic check
VOLUME OF DATA BREACHES and with staff costs added costs rise to between
ARE DRIVING ACCOUNT $10 to $150 per check. Digital identity solutions
TAKE OVERS can offer significant improvements to screening
processes potentially reducing the cost of KYC
In H1 2019 alone, over 3,800 breaches were
and AML processes by up to 70% – and improving
reported exposing over 4.1 billion records up 54%
the speed of these checks by 80%.42
on 2018.37 In the US alone, this has caused ATOs
37 https://pages.riskbasedsecurity.com/2019-midyear-data-breach-quickview-report 43 MarketsandMarkets/Statista
38 US Identity Fraud Study 2019, Javelin Strategy & Research
39 ‘Credential stuffing’ - Automated login attempts using thousands of stolen pairs of credentials e.g. Sentry MBA
40 Synthetic Identity Fraud in the U.S. Payment System, Federal Reserve, 2019
41 Banks warn EU rules will scupper a quarter of online payments, FT, 2019
42 European Digital Lenders: Operating efficiency helping digital lenders attack a $150 billion annual origination market, Autonomous NEXT24 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 25
for legally restricted purchases (e.g. alcohol,
restricted content, gambling etc) or changes to
bank accounts where a match between user ID
UK operators’ example: TeleSign example: KYC
and phone number would be carried out to detect
Phone lost or stolen A partnership between Proximus, Belgium’s
fraudulent account changes without impacting
In 2015, UK operators O2, Vodafone UK, EE and leading mobile operator, and TeleSign was
the user experience. In 2015 the UK mobile
Three UK defined a set of “Account Takeover designed to provide businesses with KYC services
operators launched a KYC match service: Mobile
Protection” (ATP) services based on the same to help them comply with the new EU Payment
operators already address the fraud opportunity
Mobile Connect/OIDC technical architecture as the Services Directive, and PSD2. Jeroen Degadt,
through their fraud signal, KYC and MSISDN tools
KYC Match service. Whereas KYC Match compares Director Carrier and Wholesale at Proximus said
but could investigate a potential role as a fraud
only semi-static user information, the ATP service “Partnering with TeleSign, a global neutral
and authentication hub that combines their own
provides dynamic device information as well. aggregator, was the clear choice. With access to
growing set of tools with AI-enhanced fraud
Moreover, several signals are available in various TeleSign’s fraud risk product portfolio, we will be
solutions. Operators could also move downstream
bundles serving different security use-cases. For able to provide increased security and assurance
in the identity ecosystem to productise their rich
example, mobile operators can provide indications for our customers across the country.” TeleSign
data sets and distribute them direct to business.
of whether a phone has been reported lost or believe partnerships like this highlight “the
stolen, the SIM/phone pairing has recently changed, increasing importance of Mobile Identity and the
a call divert has been set up on the number, or the key role played by mobile operators in digital
number is recycled – all of which could be indicators transformation. It represents a new opportunity to
UK operators’ example: mobile operators worldwide to participate in a
of an ATO. Using these indicators, a bank, for
Anti-fraud for registration Global Mobile Identity ecosystem and improve the
example, can make a better-informed decision on
UK operators O2, Vodafone UK, EE and Three UK security of their end users online”.47
whether transactions or accounts could
have launched a KYC Match product46 for
be fraudulent.44
businesses looking to enhance their registration
processes and to meet anti-fraud use cases. It
6.3.2 MOBILE IDENTITY TOOL: validates a customer’s identity by verifying identity
KYC ‘MATCHING’ attributes paired with the mobile phone number.
Use case: Fraud check matching Standardisation has been an important element to
KYC data and phone number the development of the KYC Match product, and
KYC procedures exist to protect organisations and was carried out in accordance with the GSMA’s
their customers from fraud and losses resulting Mobile Connect. Technical cooperation between
from illegal financial transactions. operators has been a key element in development
allowing UK’s leading operators to offer businesses
near total coverage of UK subscribers.
For this reason operators are regulated to know
their customers and have assembled a sizeable
registry of user identity data as a result.45 This
data supports KYC matching products that can
be applied for use cases such as age verification
44 https://mobileconnect.io/wp-content/uploads/2019/02/mc-Mobile-Identification-goes-Live-UK.pdf
45 EU regulations: AML, PSD2
46 the MNO product is an unregulated KYC Match product26 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 27
7 FINANCIAL IDENTITY
AND CREDIT SCORING
FALSE POSITIVES AN
7.1 INTRODUCTION 7.2 MARKET TRENDS EXPENSIVE PROBLEM FOR THE
BANKING INDUSTRY
AND DRIVERS
Online shoppers face three times the risk
of mistakenly having their card declined.53
Lack of access to formal financial services remains OPEN BANKING UNLOCKS In the US, Aite Group predicted 30% of card MOBILE IDENTITY TOOL: CREDIT
a global problem. The World Bank estimates ALTERNATIVE CREDIT SCORING transactions in 2018 were false positives,50 where SCORE BASED ON MOBILE
that there are 1.7 billion people excluded from
PSD2, the EU’s Revised Payment Services Directive legitimate credit-worthy users are falsely declined, OPERATOR DATA
traditional financial services as well as from an inefficiency in business estimated to have cost
mobile money services. Fortunately, the banking has helped to usher in a new era Use case: Creation of alternative
of open banking worldwide. Additionally, the US card issuers $331 billion.54 The mitigation of
sector has recognised the aggregate potential credit score
Financial Data Exchange (FDX) was founded to ‘false positives’ relies on easily accessible,
of the nearly 4 billion ‘low value’ customers Models built on MNO data are demonstrating
unify the financial industry around a common accurate and queriable identity
(68% of adults)48 mostly in developing countries. an impressive capability and are well regarded
interoperable standard for secure and efficient attribute systems.
Unfortunately, finance companies in many parts of by businesses as they add value to their risk
the world are challenged by the lack of appropriate transfer of consumer-permissioned financial assessment strategies. Identity data from mobile
credit history for the world’s 1.7 billion unbanked data.50 Riding this open banking trend, fintechs are money accounts, airtime top-up habits and
users.47 In fact, coverage by credit agencies in taking on the traditional credit bureaus to provide other account information can be modelled to
developing regions such as (sub-Saharan Africa) new techniques for credit scoring.
7.3 USE CASES FOR create an alternative credit score for a subscriber
enabling, for example, an airtime loan to initiate a
can be as low as 9%. However, while a user THE MOBILE
may not have a bank account or credit history ALTERNATIVE CREDIT subscriber’s credit history.
IDENTITY TOOLKIT
they are highly likely to have a mobile phone SCORING GROWS HOUSEHOLD
and mobile payment history. Leveraging over 5 CREDIT WORLDWIDE Mobile operators have the opportunity to move
billion subscribers, mobile operators can help the downstream in the credit scoring ecosystem by
Digital Identity helps to bring the unbanked into Mobile operators’ ability to connect unbanked and
finance industry resolve this problem by providing enhancing and productising their alternative credit
the formal economy – digital transformation unidentified populations to the mobile ecosystem
alternative credit scoring products, consistent with data. This can be done by combining more diverse
of the financial sector, including the extension and help enable the provision of a financial identity
relevant regulation and user permissions, that can data and applying AI analytics technologies
of alternative credit scoring through mobile for them is critical if these populations are to
also bring them significant new revenue streams.49 and marketing these services direct to business
operators, could grow household credit effectively engage with e-commerce, government
The market for alternative and hybrid solutions for customers. That said, partnering with specialist
worldwide by $408 billion and give 1.7 billion services, regional benefits and global aid.
credit scoring and establishing financial identity is channel partners (e.g. Juvo, Branch) is also an
unbanked customers access to financial services.51 Alternative credit scoring and the maintenance and
expected to grow considerably over the next option to offer financial Identity services that
Worldwide, such transformations could also bring user control of financial identity are key use cases
3 years. monetise operator data without the potential
95 million new jobs, and as much as $4.2 trillion in to which mobile operator identity tools
investment required to go direct.
new deposits by 2025.52 can contribute.
47 https://www.businesswire.com/news/home/20191022005356/en/TeleSign-Expands-Global-Services-Partnership-Proximus 53 False Positives: The Undetected Threat to Your Revenue, Vesta Corporation, 2018
48 World Bank, Findex, 2018 54 Aite Group, 2018
49 GSMA Intelligence, 2019
50 https://financialdataexchange.org/
51 ‘The YES Economy: Giving the World Financial Identity’ , Juvo/Oxford Economics, October 2019
52 “Digital finance for all: Powering inclusive growth in emerging economies.” McKinsey Global Institute, September 2016.28 Mobile identity, enabling the digital world Mobile identity, enabling the digital world 29
M-PESA example:
Alternative credit scoring
8 OPTIMISING TRUST AND
One of the first alternative credit scoring
SCALE FOR DIGITAL IDENTITY
operations in Africa was launched in 2012.
M-Shwari is a credit and savings product for
Trust is an important dimension for identity
M-PESA customers launched by Safaricom and the
services. Businesses need to trust their consumers
Commercial Bank of Africa (NCBA). To qualify for
and often use identity services to achieve that, FIGURE 6: OPTIMISING TRUST AND SCALE IS CRITICAL
an M-Shwari loan, a customer must be an M-PESA
while consumers need to trust both the business FOR SUCCESS IN IDENTITY MARKETS
subscriber for at least 6 months. The alternative
and identity service to ensure the sharing of their
credit score is constructed from an algorithm
data is legally compliant. Likewise, identity services
applied to mobile operator data, in this case
need to reach optimum scale in coverage, either Optimisation
past use of Safaricom service’s M-PESA, Bonga
locally or internationally to attract businesses’
points, voice, and data services. The resulting
interest and in order to become commercially
score determines the initial eligible loan limit with
viable. Our analysis has identified six critical
subsequent loan limits based on levels of “regular
success factors for digital identity services Trust Scale
savings” and loan repayments with M-Shwari.
arranged into two primary dimensions of trust
Both loan disbursements and repayments are 1. Security by design 1. Ensuring interoperability
& federation
and scale. These factors can be used as a set 2. Communicating
made through Safaricom’s M-PESA mobile money transparent 2. Leveraging partnership
of recommendations or check list for mobile trust endorsements collaboration
service. In less than a year from launch, the
operators developing digital identity services 3. Enabling user control 3. Providing critical
product increased the number of deposit accounts & privacy business value
(figure 6).
at NCBA from under 35,000 to over 5 million.55
Juvo example:
Financial Identity-as-a-service (FIDaaS)
Mobile network transactions can provide 8.1 STRATEGIES FOR DEVELOPING
the basis for defining a financial identity for billions TRUSTED IDENTITY SERVICES
of people who have no formal financial history, but
do have a mobile phone. A mobile network account
top-up is recorded in a centrally-located database, SECURITY BY DESIGN rate of mitigation measures may need to be raised
in a digital format and associated with a unique to protect the security of their identity-
Security is a major pillar of trust, and in a world of
person, which Juvo believes can form the basis of a enabling toolkit.
growing cybercrime and new technologies used as
financial identity and credit score. Mobile operators much by fraudsters as the good guys, protecting How can the mobile identity toolkit help?
could use this financial data to provide a low-risk the user’s data and digital rights will require Multi-factor authentication incorporates additional
airtime loan to be built on over time potentially ever more skill and effort. Security by design is a factors (e.g. biometrics, pin number) of assurance
leading to partnerships with financial institutions to software engineering approach that is increasingly to increase the level of security. For example, China
offer subscribers a wider range of financial services. becoming mainstream for the security and privacy Mobile’s SIM Shield is a two-factor authentication
Additionally, with the right mechanisms for legal of software systems. But where mobile operators’ tool which secures online remittance and money
consent from end-users there is an opportunity to legacy systems have not yet benefited from the transfers using the SIM and replaces the need for
make financial identity data available to third party security by design approach the implementation a token device.
service providers to open a new monetisation
opportunity for operators.56
55 https://www.gsma.com/mobilefordevelopment/country/kenya/m-shwari-mobile-money-savings-loans/
56 https://juvo.com/fidaas/
Source: GSMA IntelligenceYou can also read
