Governments hold a unique position in the establishment of new authentication schemes and must therefore take the lead in building out new mobile-based identity platforms to securely enable the delivery of a range of key services to their citizens, the Secure Identity Alliance has argued in a new white paper.
The paper, called Mobile Identity: Unlocking the Potential of the Digital Economy, was co-authored with mobile industry group GSMA and highlights the combination of regulatory and technological efforts that need to be co-ordinated to help governments match the ubiquity of mobile devices with the need for stronger online identities.
One result of this push is Mobile Connect, a GSMA-backed initiative supported by a range of mobile operators that will, as the paper puts it, “simplify consumers' lives, offering a single, trusted, mobile phone based authentication solution that respects their online privacy.”
Based on the OpenID Connect protocol, GSMA Mobile Connect is designed to engage mobile providers in the process of providing a single, portable, non-repudiable form of mobile identity that is intrinsically tied to the authentication capabilities built into consumers' SIM cards.
“In over 30 years of live operation the SIM card has been, and continues to be, continuously monitored and updated with advanced security and the latest encryption algorithms,” the paper notes, arguing in favour of the SIM card's role in any portable mobile identity solution.
“Security is a central consideration and the SIM card is arguably the most secure technology on which to store identity credentials.”
Recognising that consumers are quite concerned about sharing too much information via their mobile services – a recent GSMA survey found that 83 percent of respondents had concerns about sharing their personal information when accessing the Internet or apps from their mobile , while 81 percent think it's important to have to give permission before third parties use their data.
The industry response also allows for additional privacy measures, such as the definition of Pseudo Anonymous Customer Reference that is shared with called parties instead of the originator's mobile phone number. This sort of accommodation allows citizens to retain control over when, where and how their personal information is shared.
While the industry is providing technical standards to secure user identities, it's up to governments to capitalise on their primacy “in creating the trust frameworks and the mobile identity solutions that will breed confidence among users,” the GSMA report advises.
This imperative includes helping create a trusted environment for public and commercial service providers operate, based on a trusted digital identity approach that includes user-controlled 'privacy by design' controls; transparency that holds organisations fully accountable for a trusted flow of data; responsibility for safeguarding data relating to digital identity; and communicating the benefits of secure identification solutions to users.
Just how these frameworks are implemented varies from country to country, with some countries favouring government-controlled national digital identities while others combine private-sector agents working with governments to administer identity schemes.
Other countries are turning to a “more open identity framework” in which governments play an enabling role by creating an environment in which other organisations manage identities for citizens, businesses and consumers.
“Mobile identity should be seen as a way for users to get access to a wide variety of digital rights and for more general online transactions and activities,” the report advises. “Legal and regulatory clarity and certainty within the mobile identity ecosystem are crucial to avoid hindering industry's willingness to invest.”
“Policy makers should ensure that pro-investment policies are sustained, and harmonization and compatibility between regulation and self-regulatory models encouraged.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.
- Google to government: we encrypt because you hacked us
- Old and potentially devastating hole in Drupal affects one million websites
- Ad-hoc cloud security failing cloud needs but solution over a year away
- The week in security: Cybersecurity strategy enlists private sector; AI to complement human security intelligence