Can your phone number become the world’s best ID document?
How do I know who you really are?
It’s just about the biggest question facing the digital economy right now. After all, for a scammer to succeed he or she only has to do one thing: pretend to be you. Solve this digital identity problem and all (OK, most) of the big problems of fraud and criminality go away. It sounds so easy. If only. As we all know, the default ID system at the moment is email and password. You could hardly invent a worse one.
For a password to be good, it has to be long and complicated, which makes it very hard to remember. And anyway, criminals can increasingly use ‘brute force’ attacks to crack them, or they can just phish you until you simply tell them what your password is.
Another digital identity option is the social media log-in. Facebook estimates that 350 million people log in to an app or site with their Facebook credentials every month.
This is clearly better for the user (they have fewer individual credentials to remember), but only if they’re happy for Facebook to know which sites they’ve been logging into and how often. Of course, criminals can phish for these details too. All of which explains why the world’s operators (and their trade body GSMA) think the phone can do digital identity better.
The phone adds an element of ‘something you have’ to the ‘something you know’ (a password). This means a criminal armed with your credentials also needs your device if he or she wants to ‘be’ you.
Now, this kind of phone authentication is nothing new. Probably everyone reading will have signed in to a service with a one-time password sent by text. But what the telcos have done is create a single global digital identity scheme to let any site/app identify a user by their phone number. It’s called Mobile Connect.
Essentially it’s a ‘sign in with mobile’ that (should) work whatever operator the customer uses.
Here’s how it works. The service asks the users to sign in with their mobile number. They enter it and get a text back with a passcode. They enter the passcode into the site/app and they’re in.
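The server side of that passcode step, sketched as an added example (this is not Mobile Connect’s own code). The `PasscodeStore` class, the five-minute lifetime, the three-attempt limit and the sample phone number are assumptions made for illustration:

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a passcode stays valid (assumed policy)
MAX_ATTEMPTS = 3    # wrong guesses allowed before the code is burned (assumed)


class PasscodeStore:
    """Hypothetical in-memory store of pending sign-ins, keyed by phone number."""

    def __init__(self, clock=time.time):
        self._pending = {}   # number -> [salt, digest, expires_at, attempts_left]
        self._clock = clock

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, number):
        """Create a fresh 6-digit code; the caller passes it to the SMS gateway."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not the random module
        salt = secrets.token_bytes(16)
        # Keep the plaintext code out of the store; a new code replaces any old one.
        self._pending[number] = [salt, self._digest(salt, code),
                                 self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, number, submitted):
        """Return True once, for the right code, before expiry and attempt limit."""
        entry = self._pending.get(number)
        if entry is None:
            return False
        salt, digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[number]              # expired codes are discarded
            return False
        entry[3] -= 1                              # count this guess
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[number]              # single use
            return True
        if entry[3] <= 0:
            del self._pending[number]              # too many wrong guesses
        return False
```

A six-digit code has only a million possible values, so the expiry, the attempt limit and single use are what make guessing impractical.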
Why is this good?
Well, imagine a fraudster wants to pass himself off as a user. He asks to change his number or address. The merchant pings Mobile Connect and the network can verify that the user has not changed his/her details. The request is declined.
Needless to say, Mobile Connect is taking a while to get going. That always seems to be the way when the world’s operators try to collaborate on something. So although it launched in 2014 and over 40 operators in 22 countries have signed up, only a handful of mainstream websites support it.
That said, India has started to make Mobile Connect a sign-in option for key banks and government services. Whether Mobile Connect succeeds or not is open to question. But the telcos have good reason to be in the race. After all, the potential of digital identity is vast. To repeat, trust and identity are the foundation of all online activity.
It’s also cheaper than analogue. Compare the cost of processing copies of driver’s licences and passports with simply pinging a trusted third party for digital authentication. And digital identity can be great for users too – because it’s flexible. Let’s say a service wants to ensure you are over 18. With analogue systems, it would ask for ID that also discloses your name, address and many other intimate (and irrelevant) details. A digital identity provider would just give a reliable ‘yes’ or ‘no’ answer. Clearly any third party that can provide robust digital ID will guarantee its future for decades. This explains why telcos, social networks, banks and countries are all looking closely at it.
Yes, Estonia has been working hard to be the place where you can safely store your digital identity and have it authenticated whenever you wish.
Since April 2015, Estonia has made it possible for anyone in the world to become an e-citizen. Just pay a small sum and get some background checks done to get an e-residency card, reader and PIN. Estonia says being a digital citizen speeds everything up. For example, it claims it takes 18 minutes to register a new company using the system. The Estonian government seems to have recognised the strategic importance of virtual identity. It wants to do a kind of ‘verified by Estonia’ for the world’s digital businesses.
With some Baltic humour, it admits it has little else to offer. Taavi Kotka, Estonia’s deputy secretary-general for communications, said of his country: “It’s small, it’s cold. Nobody wants to come here.”