From buying goods and services to corresponding by email to managing bank accounts to accessing government services, consumers in the US are now using their digital identities for a multitude of different activities with increasing frequency. Historically, passwords were the only form of secure authorization, but now alternative methods are emerging.
On average, a person has 19 passwords to remember for the digital services they use. Consumers don’t have the patience or time to come up with and remember completely random usernames and passwords and normal words like “office” or even “passwords” – even when accompanied by other letters, numbers and special characters, are by their nature, – insecure. Individuals tend to pick simple words or combinations and repeat the same password across multiple websites and devices, making them vulnerable to hackers and data breaches. Everyone wants authentication that is memorable, quick, easy and secure, but passwords have clear limits and the required numbers of characters or symbols to transact securely has grown significantly due to advances in hacking methodology and automated hacking tools available freely online. This has led to increased pain and friction even as security via passwords has degraded significantly.
The most secure way to allow access to personal information is through-multi-factor authentication, whereby several pieces of information are used to gain access. Typically, this includes knowledge (specific information we know) and possession (something we physically have). Think of it as a home – the house belongs to its owner, but in order for the owner to access the property, they must have access to the right key for the front door. The owner must then choose the right key from their overcrowded keyring, which, like remembering multiple passwords, can be time consuming and frustrating. Imagine, though, a world where you had a master key that was always in your possession, which you could use to access not just your home, but also your scooter, motorcycle, RV, boat, bike and gym locks. Imagine if the convenience of the single key also increased the innate security of all the locks, simultaneously.
Today, consumers and their online service providers are increasingly using mobile phones for authentication – some using more robust security protocols and others using protocols, such as SMS (text-messages) authentication codes in combination with usernames and passwords. However, these can be breached as SMS was never designed to be a secure authentication method.
There is an obvious, market-driven need for a sophisticated yet simple, secure yet easy-to-use means of creating, managing and authenticating digital identities. An example of a global effort to innovate that is gaining momentum in this critical area of identity management is Mobile Connect. A joint effort between telecommunications operators, global service providers and the GSMA to deliver mobile authentication services, Mobile Connect is a convenient and secure universal login solution with privacy protection built in.
The possibilities are virtually limitless in terms of combining additional known facts about a user’s identity – from biometrics such as a user’s fingerprint, facial recognition, voice recognition and even the iris of the human eye in combination with other known variables such as the geographic location of the user’s mobile phone – to verify a user’s identity. Biometrics as a means for identity verification is nothing new. In fact, the US Defense and Homeland Security departments have long been using biometrics to allow access to physical and digital assets. However, combining additional elements and data sources can further improve confidence levels and deter identity theft.
Biometrics are already tolling the death knell of the password, but how is it possible to implement such futuristic technology into our daily lives? The answer is already in our pocket: our mobile phone. Smartphones already contain much of the technology that is required to make biometric authentication possible: touch screens, cameras and microphones for voice analysis. Mobile handsets also offer much higher levels of security because, like the front door, only the user can access the authentication key. In addition, mobile phones contain a virtually tamper-proof core element: the physical SIM card which, in turn, is matched to the IMEI (serial number) of the device it is associated with.
Authentication using biometrics is already being used to great effect by some of the world’s largest mobile manufacturers. Apple has seen a large increase in the number of users choosing to encrypt their devices once fingerprint access became available. What consumers want is security and ease of use, which is exactly what mobile authentication provides.
As with any emerging technology, there are bound to be growing pains and biometrics is no exception. Unlike passwords or PINs, facial and voice recognition require a well-lit space that is free of motion, vibration, or white noise. This challenge needs solving for a world where people are constantly on the move and environmental factors vary.
Another challenge is interoperability, standardization and the way biometric data is used. Mobile identity management services are useless unless service providers, like third party website operators or app developers, want to actively deploy them within their services. The key to success lies with encouraging companies throughout the mobile value chain to continue to innovate, embrace new technologies and participate in standardization efforts.
The possibilities for biometric authentication in the US, and in the rest of the world, is huge. The days of the password are numbered and biometrics are destined to play a key role in mobile authentication going forwards. Given that smartphone connections are forecast to reach 2bn by 2022 in the US alone, consumers increasingly have the power to protect their digital identities safely and instantly in the palm of their hand. Mobile operators now need to make sure they are continuing to work closely with the rest of the mobile ecosystem to speed-up the rollout of safe and instant authentication. Only then can the North American mobile market reach its fullest potential.
By Ana Tavares – Head of North America Identity at GSMA