I still think that mobile identity is a real opportunity for mobile operators to provide a valuable service and occupy a key position in the future value network.
At the Mobile Identity event in London last November, where I was the chair for the second day, I was challenging the speakers to identify barriers to the large-scale deployment of identity services that use the mobile phone to provide practical and convenient identity management tools. After all, I’ve been going to conferences where the opportunities for mobile operators in the identity space have been discussed for at least a decade – and the first Consult Hyperion project on mobile identity that I can remember was in the late 1990s – yet when my card issuer suspected fraud recently they still had to call me (despite their having an app on my smart phone). Why not use the obvious characteristics of the phone to make, in this instance, card payments more secure. Actually, there are folks out there working on this sort of thing.
FICO, a leading predictive analytics and decision management software company, announced the availability of a new proximity correlation service for credit and debit card issuers which is aimed at improving the safety of payment card transactions. The new FICO service which several UK banks are planning to deploy has been developed in partnership with ValidSoft.[From FICO adoption of ValidSoft Technology brings Safety of Payment Card Transactions to UK Banks – MarketWatch]
This is only one use case. Christophe Enzinger from the GSMA Mobile Identity Program made the point that mobile identity is infrastructural and has applications across communications, commerce, health and other sectors. I agree (strongly) with this infrastructural view. So how, in practice, can the mobile operators take advantage of this potential? Christophe’s very good suggestions included making upfront customer propositions around security and previously, making these essential components of the offer from operators to consumers, and Philippe Clement (the Head of Group Identity Marketing at Orange) develop edsome ideas around the practical deployment of such’s services by talking about identity APIs and their use in apps.
The Icelandic case study presented by Haraldur Bjarnson (the CEO of Audkenni) showed one approach. Their bank-owned consortium, which has been delivering identity services using the Icelandic debit card system (the debit cards have a digital ID certificate on them and about 40% of consumers have activated it), is shifting to a mobile electronic identity solution instead. This includes swapping consumers’s SIMs for SIMs with a PKI application on board. This, I think, is an interesting decision. It costs money to send out new SIMs and it’s a hassle for the users, so the operators must be pretty sure that the consumers will want and will use these services.
Rupert Hill from EE extended the discussion beyond personal by talking about the machine-to-machine (M2M) opportunities. As I had only just written something about the missing identity layer in the “Internet of things” I was very interested to see him attaching such a high priority to the Internet of things in the context of identity services.Some of the issues that need to addressed here are really rather complex. How can I delegate authority to my car? How will you know that it is my car? How will my car know that you are really a policeman? Solving these problems could be a huge business for the mobile operators is they could a) solve them and b) turn the solutions into a business.
What business, though? There are, as we have discussed before, different roles for mobile operators in the identity value network. Sergio Cozzolino from Telecom Italia talked about the difference between providing identity infrastructure and providing identity services, and explored the really useful distinction between mobile operators as identity providers and mobile operators and identity brokers. As Sergio noted, these different roles have different liability models and can allow stakeholders to develop the best business solutions choosing the appropriate liabilities. He talked through the use of SIM-based Secure Element (SE) and PKI applications as the mobile operators preferred solution. (He also, to be fair, explained the obstacles to success with this architecture).
I found the day really useful as it was an opportunity to chat with practitioners in order to get an accurate picture of the state of the sector, but afterwards I remember thinking that I was not sure that my initial challenge had been met. I still don’t really understand why the operators don’t get together and do something in this space. It seems completely ridiculous that with a smartphone running my card issuer’s app in front of me, I still have to phone them up, punch in a PAN and try to remember the answer to “security” questions to get anything done. And it’s even more ridiculous that they have to phone me up, and ask me yet more “security” questions when they want to interact with me, despite the phone company knowing perfectly who I am and where I am. Nevertheless, if you look around, you can see signals for change and mobile operators beginning to exploit potential around identity and authentication, so I think that my continued optimism about the potential for mobile operators to provide mobile identity services remains justified.
Payfone will use an AT&T application programming interface (API) toolkit to access network data that adds to Payfone’s existing service. Using the API toolkit, Payfone’s service will allow businesses to confirm that the device being used during a transaction is authenticated on AT&T’s mobile network.[From Payfone Strikes Deal with AT&T to Verify Mobile Identity | AT&T]
As I have long been enthusiastic about this more infrastructural approach and the use of APIs to “cement” mobile operators into that infrastructure, I’m very keen to learn more about the latest developments in this areas. So the very good news is that I’m going to get the chance to discuss these issues with the operators themselves — and a great many other people — at the Mobile World Congress in Barcelona. The GSMA have very kindly invited me to chair a session on “Service Opportunities for Mobile Identity” on Thursday 27th February from 11.30 to 13.00 and I’m genuinely looking forward to it. We’ll be in Hall 4, Auditorium 5 and I will have the honour and pleasure of charing Bjørn Hansen (Chief Scientist, Telenor Research), Siim Sikkut (National ICT Policy Advisor, Government Office of Estonia), Robert Blumenthal (EVP Business Development at SecureKey Technologies) and Steve Shoaff (CEO of Unbound ID). I look forward to seeing you all there and joining in the debate.