Iain McCallum, mobile industry veteran and MEF Advisor, is joined by MEF and PD&I Working Group Members Boku, Boloro and xConnect to discuss online identity and the practical steps enterprises can take to optimise the balance between security and a streamlined UX.
I was fortunate enough to be joined by PD&I Working Group luminaries Stuart Neal, the Chief Business Officer of Boku, Karl Kilb, the CEO of Boloro, and Lee Suker, the Market Development Director of xConnect, to discuss for the MEF Member webinar audience the current status of online identity and authentication and just what practical steps enterprises can take today to optimise the balance between the need for security – both for the Enterprise and their Customer – against the need for a UX that is as light as possible for the Customer.
As a precursor to the upcoming MEF White Paper on identity and authentication, I wanted to identify and then challenge some of the assumptions that many of us in the industry share and to learn first-hand how the different viewpoints and product sets of companies that are out in the market today are making a difference to Enterprises and can help us to better understand some of the challenges that face us all in the IAM market today.
Starting with some (relatively) innocuous statements to get the discussion moving, I posited the following for our guests to expound upon:
- The future development of The Digital Economy is predicated upon both Consumer Citizens and Business being able to easily and securely transact with one another.
- MEF believes that this requires a robust, secure, interoperable and regulated identity/authentication framework(s) to succeed in today's digital marketplace.
- Consensus on what constitutes a ‘fair value exchange’ must be a priority for the industry if trust in digital services is to be achieved – see MEF’s 6th Annual Consumer Trust Report for more.
- Ecosystem complexity might arguably serve individual solution providers, but not the industry as a whole. The industry must take stock and simplify.
- Regulators are unable to match the pace of the industry; MEF and others must actively engage with government bodies to deliver an ecosystem that works.
The issue of Consumer Trust also loomed quite large in the subsequent discussion, as did its importance in ensuring that The Digital Economy continues to grow into the future.
After several weeks in COVID-19 lockdown, the importance of this has, I hope, concentrated the minds of many in the realisation that there is perhaps much to be gained from a return to first principles and a simplification of the ecosystem and its regulatory landscape as it stands today.
What is the problem? – it's important to define the ACTUAL issue that we are trying to solve!
Answers from the panel ranged from the very definition of digital identity and the digital attributes used to support that identity, through privacy and regulation, the historical reliance on the web as the channel for authentication and the feeling that SMS OTP might have had its day, to the clearly outdated and inadequate status quo as defined by user name and password – 5 million people globally who had their accounts hacked and suffered a financial loss in 2018 had the password 123456; a further 3 million had the password 123456789! – and the requirement for such passwords to be both complex and unique for each service used.
What is the impact? – exactly how are Enterprises and Customers negatively affected?
Enterprises are affected in three major ways:
- Firstly, fraud perpetrated on them by criminals using hijacked identities and/or authentication attributes.
- Enterprises must constantly guard their data storage of customer personal data and attributes.
- If the transactional UX deployed by the Enterprise is too cumbersome, then they suffer from abandoned shopping carts.
Likewise, Citizens experience similar problems in a more micro-context:
- Phishing attacks can leave Customers vulnerable to financial loss if they share their personal data with the wrong people; usually this happens without them even being aware of it for a time.
- If they use complex passwords and other high-security data to protect themselves online, the management and storage of these can be very problematic due to their very complexity.
- The lack of standardisation in digital on-boarding means that this process can be perceived by Customers as onerous and time-consuming.
Should we separate Identity & Authentication? – should we and, if so, why?
A resounding yes here, but it's not necessarily as easy as it sounds. What Enterprises want is to feel secure that, to a high degree of surety, they are transacting with the Customer who is who they say they are! This doesn't necessarily mean that the Enterprise needs to have communicated to it a number of the Customer's Identity Attributes; for low-to-mid value transactions, a binary – yes/no – authentication from a trusted third party such as an MNO or a Bank would suffice in most cases and relieve the Enterprise of the risk and cost of administering real-time IAM systems and processes which divert them from their core activities.
What steps can businesses take TODAY to optimise their processes?
Multi-Factor Authentication (MFA) via a separate channel or channels seemed to be the consensus of our guests and they all have their own product suites to help Enterprises with this, finding real traction in a number of major markets globally. If you would like more information on their products and services please reach out to them directly or ask me for an introduction.
What needs to happen in the future? – what role is governmental regulation to play in determining the shape of the future IAM ecosystem?
What is clear is that both industry and governmental regulatory bodies need to work together to create a workable ecosystem that recognises the different models that are evolving to solve the Identity and Authentication riddle and that MEF needs to be at the centre of that debate, driving that conversation forward.
Iain is a MEF Advisor and has, since 2012, worked extensively with mobile network operators across Europe and the Russian Federation to drive adoption and uptake of the GSMA's Mobile Connect identity, RCS and Smart Cities initiatives. Prior to this, he ran third-party Messaging at Telefonica O2 UK from 2002 until 2010, working with Aggregators and Brands (Lloyds, ITV, C4, et al), driving the uptake of premium and bulk services and managing the issues of self-regulation (PayForIT, a UK joint-MNO initiative) and subscriber protection.