May 17, 2019
The Time is Now: We Need a Better Way to Secure Online Identities
It’s long been recognized that passwords are problematic. If a password is too simple, it can be easily guessed. If it is too complex, a user is more likely to write it down and store it insecurely or will forget it. Add to that the fact that hundreds of millions of login credentials are now available to hackers, and that scripts allow use of these passwords in “credential stuffing” attacks.
As one expert technologist so succinctly put it, “The Internet was built without a way to know who and what you are connecting to.” From the beginning, services have used passwords to establish identity and the rights that a given identity should have. Conversely, mobile networks were built with the ability to know who is connecting to the network, and what rights that connecting device should have. Because wireless networks combined with a customer’s device attributes allow us to validate who is connecting to the network, wireless providers are uniquely qualified to offer ways to more effectively authenticate users for digital transactions.
Because user privacy and, indeed, the digital economy are closely linked to the issue of online security and authentication, the four major U.S. wireless providers, through the Mobile Authentication Taskforce, are developing a solution for online identity in three common online scenarios: registering with a service, logging in to an existing service, and authorizing digital transactions. The solution is, in turn, guided by three beliefs. First, an identity solution should be purpose-built for security. Second, it should be rooted in the belief that effective security doesn’t have to be complicated for the user. And third, it should observe core principles regarding data privacy and user control. Each of these are discussed below.
Studies show that consumers tend to reuse passwords, which increases the risk of account compromise. To be purpose-built for security, an identity solution shouldn’t rely entirely on passwords. Our solution will create freedom from multiple passwords by using an array of unique network and data attributes to validate a consumer’s identity.
Our approach is to enable our wireless customers to create a highly-secure online identity using their personal mobile device. Unlike a password, these attributes can’t be phished, and it would take immense time and computing power for a hacker to decrypt and string together these unique attributes.
Effective security doesn’t have to be complicated for the user. In fact, as experts have noted, ease-of-use is a key component of security. All the calculations happen in the background. And it works with any participating online service, from any capable device, with any of the participating carriers. It even works when consumers opt to change devices or carriers. This approach is governed by core principles regarding data privacy and user control. Our solution will take a revolutionary, purely user-centric approach to securing digital identities. It will be a tool for consumers to authenticate, or to verify their digital identities, when they want to and for purposes that are clearly defined and communicated.
The solution will be guided by three core privacy principles:
- Empower users with control over their data : No personal data will ever be shared unless the consumer directs their wireless provider to do so.
- Minimal disclosure for a defined use : Data will not be shared except for a specific purpose directed by the consumer. Functions that don’t require personally identifiable information (PII) will not use it.
- Trustworthy design : The solution will be architected with a trust framework that sets expectations for consumers, the services they want to use, and for the carriers entrusted with validating identity.
I’ve been involved in efforts to improve online identity and have navigated the associated legal and privacy challenges for more than 25 years. This approach represents a monumental opportunity to bring the digital community authentication technology that is more secure, easier to use, and takes a user-directed approach to privacy. We know wireless providers need to earn the trust of both our consumer and business customers for this effort to succeed. So, keep an eye on this blog for more information about the security challenges we’re trying to solve, our trust framework and our solution’s milestones.
Chuck Cosson is a Director of Legal Affairs on T-Mobile’s Privacy Team and has more than 25 years of experience in telecommunications, privacy, and data security law and policy, including work on the Liberty Alliance identity specifications, Microsoft’s Information Cards, and online age verification. This article represents the point-of-view of The Mobile Authentication Taskforce, comprised of AT&T, Sprint, T-Mobile and Verizon.