13 November 2020
What is Mobile Identity?
It’s said that more people today own a mobile device than a toothbrush. Whether you find this horrifying or a simple fun fact is up to you, but you can’t deny the reality: the world is moving away from desktop and laptop computing to mobile, and the challenges of identification and authorization are changing as well. There is a different kind of identity at play here: mobile identity.
In the olden times, if you wanted to log in to a website or a service, all it took was a password. It was a simpler time, but security was simple as well. Fast forward to today's mobile-dominated world, and there are numerous ways of verifying and authenticating a user, with the unique mobile phone number serving as the key identifier.
In short, Mobile Identity is the utilization of a mobile device to verify a user’s identity, leveraging the user’s attributes to enable the end-user to access services across a mobile network. In other words, it ties you to your mobile device.
Why is it crucial for the mobile-based economy?
The problems we face are cybersecurity, multiple digital identities per person, and the demand for convenience.
- Cybersecurity: According to GSMA, more than 75% of users across Asia have experienced some form of online theft, and businesses lost over $171 billion to data breaches in the APAC region. This is a serious privacy and user trust concern: if a business can’t ensure the security of their user data, consumer confidence will eventually tank.
- False digital identities: According to GSMA figures, 50% of users in the UK falsified their account details when signing up for a website or service. This is understandable as users want their privacy intact, and giving out false information pretty much guarantees that their data is safe – because if they don’t give it out, it can’t be breached.
- The demand for convenience: Users generally dislike friction and tend to stop using the app/service if the authentication routines prove to be overburdening. However, they also demand the highest security when it comes to the services they use, and they’re right on the money: apps that handle very sensitive data, such as banking apps, need to implement the necessary security measures.
The three factors of authentication
There are several ways to verify a user, and they vary in their reliability. Most apps combine two of these factor categories, forming two-factor authentication (2FA).
- Knowledge-based factors: These include usernames, passwords, security questions, and personal identification numbers (PINs). These are considered weak in security terms, because users might recycle their usernames and passwords, and security questions are ridiculously easy to guess most of the time. For more information on this, please read our blog about Passwordless Authentication.
- Possession-based factors: These factors focus on what a user “has”, like a hardware-based one-time password (OTP) token or a software solution like an OTP app. Possession-based factors are often combined with the traditional password to harden the security by adding another dynamic credential. One-time passwords used to be generated on hardware specifically designed for the use case, but today, they are generated, delivered by SMS, and displayed on the device, making it easier for the user to enter the necessary verification code. The key point of OTP is that every phone number is unique to the user.
- Inherence factors: These are closely linked to who users “are”. These factors include biometrics such as fingerprint readers, facial recognition, and voice recognition. This factor is considered the most reliable way of authentication, as it relies on the inherent attributes of an individual. The widespread adoption of fingerprint readers on smartphones allows apps to utilize this factor as a part of their authentication routine, hardening their security even further.
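The possession-factor flow described above (a code generated on the server, delivered to the phone number, and typed back by the user), shown as an added example that is not from the original article or from VerifyKit. It is a minimal in-memory verifier with expiry, single use and an attempt limit; `OtpService`, the 300-second lifetime, the three-attempt limit and the sample phone number are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window for one code
MAX_ATTEMPTS = 3       # assumed number of guesses allowed per issued code


class OtpService:
    """In-memory SMS OTP issuer/verifier keyed by phone number (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # phone -> [digest, salt, expires_at, attempts_left]

    @staticmethod
    def _digest(code, salt):
        # Keeps the plaintext code out of the pending-code store.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, phone):
        """Create a fresh 6-digit code; it replaces any older code for this number."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not the random module
        salt = secrets.token_bytes(16)
        self._pending[phone] = [self._digest(code, salt), salt,
                                self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # pass to the SMS gateway only; never write it to logs

    def verify(self, phone, submitted):
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, salt, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[phone]  # expired or locked out: a new code is required
            return False
        entry[3] -= 1  # count the attempt before comparing
        if hmac.compare_digest(digest, self._digest(submitted, salt)):
            del self._pending[phone]  # single use: burn the code on success
            return True
        return False


if __name__ == "__main__":
    svc = OtpService()
    sent = svc.issue("+15550100")  # constructed sample number
    print(svc.verify("+15550100", sent), svc.verify("+15550100", sent))
```

The second `verify` call in the demo fails because a code is discarded as soon as it has been accepted once.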
OTP is the most commonly used authentication factor in the world
OTP offers the perfect balance of security and convenience. It leverages the fact that every user’s phone number is unique to that individual, and it renders the use of passwords obsolete. The only hindrance to OTP is the delivery costs incurred by sending a huge number of texts to every user upon log-in. To combat this, VerifyKit offers WhatsApp as an alternative OTP delivery channel alongside traditional SMS, significantly reducing delivery costs while enhancing user experience.