Governments must tap mobiles to support online identity schemes: GSMA

Governments hold a unique position in the establishment of new authentication schemes and must therefore take the lead in building out new mobile-based identity platforms to securely enable the delivery of a range of key services to their citizens, the Secure Identity Alliance has argued in a new white paper.

The paper, called Mobile Identity: Unlocking the Potential of the Digital Economy, was co-authored with mobile industry group GSMA and highlights the combination of regulatory and technological efforts that need to be co-ordinated to help governments match the ubiquity of mobile devices with the need for stronger online identities.

One result of this push is Mobile Connect, a GSMA-backed initiative supported by a range of mobile operators that will, as the paper puts it, “simplify consumers' lives, offering a single, trusted, mobile phone based authentication solution that respects their online privacy.”

Based on the OpenID Connect protocol, GSMA Mobile Connect is designed to engage mobile providers in the process of providing a single, portable, non-repudiable form of mobile identity that is intrinsically tied to the authentication capabilities built into consumers' SIM cards.

“In over 30 years of live operation the SIM card has been, and continues to be, continuously monitored and updated with advanced security and the latest encryption algorithms,” the paper notes, arguing in favour of the SIM card's role in any portable mobile identity solution.

“Security is a central consideration and the SIM card is arguably the most secure technology on which to store identity credentials.”

Recognising that consumers are quite concerned about sharing too much information via their mobile services (a recent GSMA survey found that 83 percent of respondents had concerns about sharing their personal information when accessing the Internet or apps from their mobile, while 81 percent think it's important to have to give permission before third parties use their data), the industry response also allows for additional privacy measures, such as the definition of a Pseudo Anonymous Customer Reference that is shared with called parties instead of the originator's mobile phone number. This sort of accommodation allows citizens to retain control over when, where and how their personal information is shared.

While the industry is providing technical standards to secure user identities, it's up to governments to capitalise on their primacy “in creating the trust frameworks and the mobile identity solutions that will breed confidence among users,” the GSMA report advises.

This imperative includes helping create a trusted environment in which public and commercial service providers can operate, based on a trusted digital identity approach that includes user-controlled 'privacy by design' controls; transparency that holds organisations fully accountable for a trusted flow of data; responsibility for safeguarding data relating to digital identity; and communicating the benefits of secure identification solutions to users.

Just how these frameworks are implemented varies from country to country, with some countries favouring government-controlled national digital identities while others combine private-sector agents working with governments to administer identity schemes.

Other countries are turning to a “more open identity framework” in which governments play an enabling role by creating an environment in which other organisations manage identities for citizens, businesses and consumers.

“Mobile identity should be seen as a way for users to get access to a wide variety of digital rights and for more general online transactions and activities,” the report advises. “Legal and regulatory clarity and certainty within the mobile identity ecosystem are crucial to avoid hindering industry's willingness to invest.”

“Policy makers should ensure that pro-investment policies are sustained, and harmonization and compatibility between regulation and self-regulatory models encouraged.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
