Digital Identity – challenges and threats

Dario Betti, CEO, Mobile Ecosystem Forum, examines digital identity trends and the gap between the public’s expectations and their experience

Posted 26 April 2022 by Christine Horton

You would need to work quite hard to live an analogue life. We live in a digitally dependent world – and it is much more than just online shopping. Yes, business activities have created a huge digital economy, but the digital world also includes and involves huge parts of the public sector. Hospitals trialling indoor wayfinding applications (basically a Sat-Nav for indoors), remote teaching now being a thing, and technology policing congestion zones are just a few examples of the digital mycelium.

Because of digital’s ubiquity, it is vital that the public can trust the applications and systems they encounter. But the public has concerns. Each year, the Mobile Ecosystem Forum (MEF) surveys the level of trust in the digital ecosystem. From the 2021 MEF Survey, the top user concerns are:

  • Being defrauded / losing money – 49 percent
  • Cybercriminals gaining access to my data – 49 percent
  • Someone gaining access to my mobile – 47 percent
  • My online activity being monitored – 43 percent
  • Losing data from my device – 41 percent
  • Companies sharing or selling my data – 39 percent
  • Spam / junk email – 37 percent
  • Companies experiencing a data breach – 33 percent

Interestingly, ‘None of the above’ scores just six percent.

Some of the major issues we are currently seeing include:

  • Device compromise – where a hostile party can take control of a device remotely
  • Smishing – when fraudsters attempt to elicit sensitive personal data, passwords, or banking details through SMS (the most common way to authenticate globally)
  • SIM (Subscriber Identity Module) swapping – where a mobile phone identity is swapped with the intention of taking over an account in order to impersonate the user (e.g. making calls, receiving authorisation codes etc.)

The 2021 data revealed a clear gap between the public’s expectations and their real experience. The gap for mobile apps and services keeping data secure (versus the expectation) is 27 percentage points; the gap for privacy is 28 percentage points. A gap of this size usually indicates a breaking point in the level of trust between users and a product.

‘Concerns over Personal Data Security and Privacy’ is now a reason to delete an app (37 percent), avoid installing one (33 percent) or stop using a service altogether (29 percent). The level of authentication/security is an element with a clear impact on people’s preferences.

Restoring trust

The key to restoring trust lies with the systems in place to establish identity. The challenge is that we are used to an internet where nobody really knows who we are. Digital identity has been an afterthought.

The building blocks of personal data are:

  • Identification: the process of identifying an individual
  • Authentication: the methods used to re-identify and validate individual identities either by what they have (e.g. SIM, phone, cookie), what they know (e.g. password or PIN) or who they are (e.g. biometrics)
  • Verification: the steps taken to corroborate information provided by the individual by accessing trusted data sources and services (e.g. data brokers, aggregators, telcos)

Globally, we are seeing a pronounced move towards an increasing reliance on digital identity and a clear move away from a distinctly unexceptional user experience and inadequate underlying security. New solutions must meet the evolving needs of the user experience and work to mitigate the threats, but any solution must ensure that it does not discriminate. We need to be conscious of any regulatory developments or industry solutions that might result in digital exclusion by only focusing on solutions for certain groups of individuals – whether age, social status, digital sophistication, or age of their device. We need to be sure certain groups—for example those with disabilities, or those with infrequent or difficult online access—are not excluded.

Additionally, there are issues around maintaining an individual’s privacy and how authentication fits into the process. There is also the issue of regulation, how liability is distributed in a model of verifiable credentials, and how data is controlled and handled under regulatory requirements such as GDPR.

Looking forward

First, there is a pronounced move towards device-based technology, using the hardware device itself to authenticate the user and produce a result, such as face ID or fingerprints. Second, there is the role that the mobile operator can play by using the unique assets of a mobile device and knowledge of the SIM. One application that leverages the SIM is ‘Mobile Connect’, which has been very successful in India. Solutions like this could ask users to confirm a PIN code via their phone SIM.

We are seeing significant growth in approaches that are independent of either mobile device or mobile operator. These can be used when a device may be unavailable, for example, when it is lost or you are out of a coverage area. A mobile identity (as well as other biometrics) would be maintained through a cloud-based interface or another distributed means of authentication.

The ecosystem is fighting back against the threat of cyberattacks and we will see more of these innovative solutions emerge. Upcoming technologies must replace or enhance inadequate access control and authentication. There might not be an overall winner, but the co-existence of alternative approaches is now expected.