If security experts agree on anything, it’s that they’d like to do away with password-based security. A number of organizations, including the FIDO consortium (Fast IDentity Online), are exploring ways to authenticate users without requiring usernames and passwords.
In late February, the GSMA unveiled a plan to use mobile phone number–based authentication to protect consumers’ online privacy. The system will use information stored on the phone’s SIM card along with a PIN to allow users to log in to any participating service. Dubbed “Mobile Connect,” the GSMA offering would be a major step forward in data protection and authentication solutions because it would mitigate the effects of social engineering attacks. No employee would be able to compromise a company or public sector computer system by giving away a password or clicking a link in a phishing email.
How Would Mobile Connect Work?
GSMA Mobile Connect would use the OpenID Connect protocol. OpenID Connect allows organizations to outsource authentication services, which means no more keeping vulnerable databases of user credentials. OpenID Connect is an identity layer built on top of OAuth 2.0, and its ID Token works with multiple identity providers. In other words, whereas OAuth 2.0 grants access through a secure connection and secure data exchange, the added identity layer provides information about who’s requesting access, where the request comes from, when the user was authenticated and what attributes the user can provide.
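The claims mentioned above (who issued the token, which service it is for, when the user authenticated) are carried in the ID Token, and a relying party must verify them before trusting a login. The following is an added example, not code from the GSMA or any Mobile Connect implementation: it mints a constructed ID Token and validates it the way a service provider should. It assumes a shared HMAC secret (HS256) in place of a real identity provider's published signing key, a placeholder issuer URL and a constructed client ID, all of which are stand-ins so the code runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-ins: a real OpenID Connect provider publishes asymmetric keys
# (JWKS) and has a real issuer URL. HS256 with a shared secret is used here only
# so the example is self-contained.
ISSUER_SECRET = b"constructed-demo-secret-not-a-real-key"
EXPECTED_ISSUER = "https://idp.example.invalid"   # placeholder issuer, not a real endpoint
CLIENT_ID = "example-relying-party"                # constructed client identifier


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = ISSUER_SECRET) -> str:
    """Produce a compact JWS (header.payload.signature) as the constructed IdP would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str, now: Optional[int] = None,
                      max_auth_age: int = 300, secret: bytes = ISSUER_SECRET) -> dict:
    """Verify the signature and the core ID Token claims; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header's 'alg' is attacker-controlled input, so a
    # validator must never let it choose 'none' or a different key type.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # iss: who vouches for the login; aud: which relying party it was issued to.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    # exp / iat: the token's validity window; auth_time: when the user actually
    # authenticated, which lets the service demand a recent authentication.
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if "iat" not in claims or claims["iat"] > now:
        raise ValueError("missing or future iat")
    if now - claims.get("auth_time", 0) > max_auth_age:
        raise ValueError("authentication too old")
    # nonce: binds this token to the login request that triggered it (replay defence).
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def verdict(token: str, expected_nonce: str, now: int) -> str:
    """Return 'ok' or the reason the token was rejected."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = int(time.time())
    # Constructed claim set for a single login attempt.
    token = mint_id_token({"iss": EXPECTED_ISSUER, "sub": "constructed-subject",
                           "aud": CLIENT_ID, "iat": now, "exp": now + 600,
                           "auth_time": now - 5, "nonce": "login-attempt-1"})
    print(verdict(token, "login-attempt-1", now))
    print(verdict(token, "some-other-attempt", now))
```

The validator rejects a token whose payload was altered after signing, one whose header claims a different algorithm, one that has expired, one issued for another service, and one replayed against a different login attempt; only a token that passes every check yields the claims the service may act on.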
Mobile Connect uses data stored on a mobile device’s SIM card. By eliminating multiple usernames and passwords for different accounts, Mobile Connect can simplify operations for carriers and prevent identity theft for users. In addition, many types of digital service providers can take advantage of Mobile Connect. For example, Deezer, a digital music provider, has taken an active role in the Mobile Connect initiative.
When Would Mobile Connect Be Deployed?
So far, two companies, European carrier Orange and Southeast Asian carrier Ooredoo, have announced plans to launch Mobile Connect next year. In addition, Orange will pilot Mobile Connect with Catalan Personal Health Record customers to test Mobile Connect’s effectiveness at letting customers access their accounts.
Other carriers like China Mobile, China Telecom, KDDI, Telstra and Telefonica have expressed support for Mobile Connect, but the U.S. has largely stayed away from the effort. GSM technology has limited use in the U.S. since Verizon, Sprint and U.S. Cellular all use CDMA radios. In fact, CDMA is part of the reason that many Americans can’t switch mobile devices without carrier permission, and it’s also the reason most American cell phones don’t work overseas.
Instead of using SIM cards for authentication, CDMA networks verify subscribers using whitelists. Even though 4G LTE utilizes SIM cards, companies like Verizon still use CDMA for authentication. Because Verizon and Sprint have enough market heft to get phones built according to their specifications, they don’t yet have incentive to switch to GSM. In the same way that the U.S. is virtually the only country not to use the metric system, America stands virtually alone in its resistance to GSM.
How Is Mobile Connect Better Than Current Authentication Systems?
Passwords make the authentication process extremely vulnerable to human weakness. For example, attackers can obtain a person’s bank account username and password through phishing or some other type of attack and use the information to drain away the person’s cash. Additionally, many people use the same passwords for multiple accounts, so an attacker who steals one password might gain access to multiple accounts. With Mobile Connect, an attacker would actually need to possess the phone or the SIM card to gain access to someone’s digital services. Combining stored SIM card information with a PIN that the user knows adds an additional barrier to keep attackers at bay.
Sometimes, attackers use attacks like SQL injection to steal data from organizations, including not only authentication information but also other identifiers, like Social Security numbers. Because many attackers sell these lists of passwords and other sensitive data online, would-be thieves can purchase user data and then use the credentials to steal money and intellectual property. Eliminating passwords may protect customers’ and employees’ information because thieves could no longer obtain lists of usernames and passwords. It’s an initiative that could provide significant data protection for organizations, which is why so many organizations support the program.
Smartphone on desk image by Thom Weerd from Unsplash.com
Padlock on computer chip image by Thufir from BigStockPhoto.com
Password thief image by Carlos A. Oliveras from BigStockPhoto.com