The Mobile Authentication Taskforce, a consortium of the USA’s four largest mobile carriers, released product details of their “next-generation mobile authentication platform” at MWC, saying that they will start internal trials within weeks. They announced that the solution would be released to the consumer market by the end of 2018. In the meantime, a new website will be launched during the year, allowing application developers to sign up.
There are obvious risks when consumers rely on usernames and passwords to pay for goods and services via their mobile phone. This authentication solution promises to address those problems:
This highly secure solution will deliver a cryptographically verified phone number and profile data for users of authorized applications with their consent. Authentication security is strengthened by processing unique attributes such as a network verified mobile number, IP address, SIM card attributes, phone number tenure, phone account type and more. In addition, advanced analytics and machine learning capabilities will be used to help assess risk and protect customers.
The potential is obvious. A common authentication solution backed by AT&T, Sprint, T-Mobile and Verizon could very quickly gain market share. Authentication is both a risk and an opportunity, allowing telcos to expand their reach whilst also defending their territory. To put the value of authentication into context, in October SAP paid USD350mn for Gigya, the social login experts. Social logins represent another alternative to passwords, though they seek to construct user profiles based upon participation in social networks. That also makes them potentially rich in information, threatening to limit the potential of telcos to monetize data unless they maintain a secure foothold in authentication.
Though it was news to learn of the timelines for delivery, progress has been expected since the four telcos announced the formation of their consortium in September 2017. Though this consortium is focused on the US market, their solution is meant to work with the international standard promoted by the GSMA, called Mobile Connect. They are following the lead of South Korean operator SKT. In 2016 SKT adapted their T-Auth authentication solution to make it compliant with Mobile Connect. SKT’s goal was to support interoperable authentication, making it more likely that international customers would use SKT apps and services, and making it easier for overseas telcos to work with SKT’s authentication service.
The emphasis is on enhanced security, but I am not clear how this authentication solution will address SIM swapping. Whilst it is good that these telcos intend to promote the use of a secure data channel to authenticate users, I cannot see how this might address the growing problem of phone accounts being taken over by criminals. Social engineering is used to persuade call center staff to associate an existing customer’s account with a SIM possessed by the criminal. No amount of cryptography will protect the customer if an authentication solution relies on the assumption that the person holding the telephone is who they claim to be, and if the telco has made a mistake in associating a genuine customer’s account with a SIM being used by a crook. Perhaps the promised “advanced analytics and machine learning capabilities” will help to identify aberrant behavior, indicating if the phone is actually in the hands of a criminal. However, if analytical techniques can be used to spot mismatches between a customer’s probable behavior and the transactions being attempted, then these techniques should also be used to minimize the chances of a SIM swap occurring.
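To make the SIM swap concern concrete, here is an added example (not code from the taskforce, the carriers or Mobile Connect) of how a relying application could treat the attributes the press release lists as risk signals, and step up or refuse a high-value payment when the SIM serving the number has just changed. The attribute names, data classes and thresholds are assumptions of mine.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class CarrierSignals:
    """Per-request attributes of the kind the taskforce lists (assumed shape, constructed values)."""
    number_verified: bool       # network-verified mobile number matches the one the user claims
    iccid: str                  # identifier of the SIM currently serving the number
    sim_first_seen: datetime    # when this SIM was first bound to the number at the carrier
    number_tenure_days: int     # how long the subscriber has held the number
    on_carrier_network: bool    # request arrived over the carrier's own data channel

@dataclass
class AppBinding:
    """What the relying application remembers from the last successful login."""
    iccid: str
    last_login: datetime

SIM_AGE_MIN = timedelta(days=7)   # a SIM bound more recently than this is a possible swap
HIGH_VALUE = 500                  # amount at or above which a suspected swap blocks the payment

def assess(sig: CarrierSignals, prev: Optional[AppBinding],
           now: datetime, amount: float) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    if not sig.number_verified:
        return "deny", ["phone number not network-verified"]
    reasons: List[str] = []
    swap_suspected = False
    # A cryptographically verified number proves the SIM, not the person: compare the SIM
    # against the one seen last time, and distrust a SIM that only just appeared.
    if prev is not None and sig.iccid != prev.iccid:
        reasons.append("SIM differs from the one seen at last login")
        swap_suspected = True
    if now - sig.sim_first_seen < SIM_AGE_MIN:
        reasons.append("SIM bound to number less than 7 days ago")
        swap_suspected = True
    if sig.number_tenure_days < 30:
        reasons.append("number held for under 30 days")
    if not sig.on_carrier_network:
        reasons.append("request not over carrier data channel")
    if swap_suspected and amount >= HIGH_VALUE:
        return "deny", reasons            # hold the payment until the swap is confirmed out of band
    if reasons:
        return "step_up", reasons         # ask for a second factor that does not depend on the SIM
    return "allow", reasons
```

The same signals logged at SIM-change time would let the carrier itself flag a swap request that does not fit the customer's history, which is the mitigation the post argues for.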