You should have a different password for every website. You should never log in to sensitive accounts (or any account, for that matter) on a public network. And even if you do use different passwords, keeping them in a password manager can still put you at risk. There are just too many rules on the Internet today, aren’t there? You can’t really help having a million accounts, and remembering that many passwords is basically impossible. Just ask Mr. Zuckerberg.
Well, an industry body called the GSMA is working on something that could solve the problem of remembering passwords while staying secure at the same time. It’s called Mobile Connect, and you may have heard of it. What you may not know is that major Indian operators are already testing it. Marie Austenaa, Head of Personal Data at the GSMA, confirmed that Bharti Airtel is already testing the service on its network. But before we get into that, here’s what Mobile Connect does.
What is Mobile Connect?
Once deployed, Mobile Connect is an additional login method, based on two-factor authentication, that will show up on partnering websites. It’s an interface between the service provider (Flipkart, Amazon, Snapdeal and so on) and the operator, with you, the consumer, in the middle. Mobile Connect essentially turns your phone into a key that opens any lock you meet on the Internet. The authentication itself is handled by Mobile Connect, and it is designed to replace all your passwords with your mobile phone number.
Selecting this option will prompt you for your mobile number. Enter it and you’ll get a text message asking whether you intend to log in to a particular website. According to Jaikishan Rajaraman, Head of Technology, APAC, GSMA, the SMS will be replaced by USSD codes for India. Austenaa confirmed the same.
The use of USSD codes means you don’t need a working data connection to authenticate yourself. A message will flash on your phone, with options to confirm whether it is indeed you who’s logging into websites. Rajaraman and Austenaa both confirmed that the same can be used when you’re roaming within the country, or overseas.
Your operator can also let you set up a PIN known only to you. This can be required for more sensitive logins, such as banking. Mobile Connect uses the MSISDN (the mobile number tied to your SIM) to talk directly to the operator and authenticate you.
The process relies on the operator, which verified your identity when you bought the SIM, to tell the service provider that you are authorised. The Mobile Connect APIs can even detect how long a SIM has been in a phone, making it harder to simply clone your SIM and log in. Essentially, anyone who wants to log in to your accounts will need your phone. Even if they get the phone, they still need your PIN, so your most sensitive accounts remain protected. Rajaraman said the APIs can also be tweaked to use a smartphone’s fingerprint sensor for authentication.
The PIN itself may be stored encrypted on your phone or on a server, but neither the operator nor the service provider gets it. When you use it, an encrypted version is sent to the respective authenticator in order to verify you.
Mobile Connect vs One Time Passwords
At this point, you’re probably wondering how Mobile Connect differs from the OTPs already sent to your phone. The difference lies in what two-factor authentication actually means: combining something you have (your phone) with something you know (your PIN). An OTP sent to your phone only confirms that the person logging in is in possession of that phone; both the phone and the OTP are things you have. The PIN adds the missing factor, something you know.
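To make the flow in the last few sections concrete (number entered at the website, operator pushes a prompt to the handset, user approves with or without a PIN, operator vouches for the user to the website), here is a toy model of the three parties. It is an added illustration, not GSMA code: the real service is built on OpenID Connect, which this does not implement. It assumes the PIN is checked on the handset and never transmitted, that the operator and website share an HMAC key for the operator’s "this subscriber approved" assertion, and that the USSD round trip can be modelled as a function call. All names and numbers are constructed.

```python
"""Toy Mobile Connect-style login: service provider (SP), operator, phone.
Added example, not GSMA code. Assumes: PIN verified on the handset, SP and
operator share an HMAC key for assertions, USSD round trip is a function call."""
import hashlib
import hmac
import os
import secrets

LOA2 = 2  # tap "OK" on the prompt: proves possession of the phone (one factor)
LOA3 = 3  # possession plus PIN: something you have and something you know


class Phone:
    """The handset/SIM. Stores only a salted PIN hash; the PIN never leaves it."""

    def __init__(self, msisdn, pin=None):
        self.msisdn = msisdn
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin) if pin is not None else None

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def answer_prompt(self, prompt, approve, pin_entered=None):
        """What goes back to the operator when 'Login to <sp>?' flashes up."""
        reply = {"nonce": prompt["nonce"], "ok": False}
        if not approve:
            return reply
        if prompt["loa"] >= LOA3:  # PIN-protected login (bank style)
            if self._pin_hash is None or pin_entered is None:
                return reply
            if not hmac.compare_digest(self._hash(pin_entered), self._pin_hash):
                return reply
        reply["ok"] = True
        return reply


def sign_assertion(key, msisdn, sp_name, loa, nonce):
    """Operator's statement to the SP: subscriber <msisdn> approved <sp> at <loa>."""
    msg = f"{msisdn}|{sp_name}|{loa}|{nonce}".encode()
    sig = hmac.new(key, msg, "sha256").hexdigest()
    return {"msisdn": msisdn, "sp": sp_name, "loa": loa, "nonce": nonce, "sig": sig}


class Operator:
    """Knows which MSISDN belongs to which subscriber (verified at SIM sale)."""

    def __init__(self, assertion_key):
        self._key = assertion_key
        self.subscribers = {}  # msisdn -> Phone
        self._pending = {}     # nonce -> (msisdn, sp_name, loa)

    def register(self, phone):
        self.subscribers[phone.msisdn] = phone

    def start_auth(self, msisdn, sp_name, loa):
        """Push a USSD-style prompt to the phone; None if the number is not ours."""
        if msisdn not in self.subscribers:
            return None
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (msisdn, sp_name, loa)
        return {"nonce": nonce, "sp": sp_name, "loa": loa,
                "text": f"Login to {sp_name}? 1=Yes 2=No"}

    def finish_auth(self, reply):
        """Consume the pending request (one shot, so a replayed reply fails)."""
        entry = self._pending.pop(reply.get("nonce"), None)
        if entry is None or not reply.get("ok"):
            return None
        msisdn, sp_name, loa = entry
        return sign_assertion(self._key, msisdn, sp_name, loa, reply["nonce"])


class ServiceProvider:
    """The website. Never sees the PIN, only the operator's signed verdict."""

    def __init__(self, name, operator, assertion_key):
        self.name, self.operator, self._key = name, operator, assertion_key
        self._seen_nonces = set()

    def login(self, msisdn, loa, user_interacts):
        """user_interacts(prompt) stands in for the USSD round trip."""
        prompt = self.operator.start_auth(msisdn, self.name, loa)
        if prompt is None:
            return False
        return self.accept(self.operator.finish_auth(user_interacts(prompt)), msisdn, loa)

    def accept(self, assertion, msisdn, loa):
        if assertion is None or assertion["nonce"] in self._seen_nonces:
            return False
        expected = sign_assertion(self._key, assertion["msisdn"], assertion["sp"],
                                  assertion["loa"], assertion["nonce"])["sig"]
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False
        self._seen_nonces.add(assertion["nonce"])
        return (assertion["msisdn"] == msisdn and assertion["sp"] == self.name
                and assertion["loa"] >= loa)


def demo():
    """Run the article's scenarios; returns {scenario: accepted?}. Constructed data."""
    key = secrets.token_bytes(32)
    operator = Operator(key)
    alice = Phone("+919800000001", pin="4711")
    operator.register(alice)
    shop = ServiceProvider("shop.example", operator, key)
    bank = ServiceProvider("bank.example", operator, key)
    replay = sign_assertion(key, alice.msisdn, "shop.example", LOA2, "deadbeef")
    return {
        "shop, tap OK": shop.login(alice.msisdn, LOA2, lambda p: alice.answer_prompt(p, True)),
        "bank, right PIN": bank.login(alice.msisdn, LOA3, lambda p: alice.answer_prompt(p, True, "4711")),
        "bank, wrong PIN": bank.login(alice.msisdn, LOA3, lambda p: alice.answer_prompt(p, True, "0000")),
        "thief has phone, no PIN": bank.login(alice.msisdn, LOA3, lambda p: alice.answer_prompt(p, True)),
        "user taps No": shop.login(alice.msisdn, LOA2, lambda p: alice.answer_prompt(p, False)),
        "unknown number": shop.login("+919800000099", LOA2, lambda p: alice.answer_prompt(p, True)),
        "replayed assertion rejected": shop.accept(replay, alice.msisdn, LOA2)
                                       and not shop.accept(replay, alice.msisdn, LOA2),
    }
```

The two levels map onto the article's distinction: an LOA2 login is satisfied by whoever holds the phone, exactly like an SMS OTP, while an LOA3 login also demands the PIN, which is checked on the handset and never reaches the operator or the website. The nonce bookkeeping on both sides is what stops a captured approval or assertion from being replayed.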
Mobile Connect in India
The GSMA has begun efforts to spread the service in India. Idea has already implemented Mobile Connect in its app, and Austenaa confirmed that six operators are on board but still testing. Efforts are currently going into getting websites to sign up, and Austenaa said operators would probably start with their own apps and services, which helps create examples of how Mobile Connect works and what it can do.
That said, there is presumably a long road ahead. A revenue model is somewhat hard to see. For one, who pays for the SMS/USSD that is being sent? According to Austenaa, there are examples where both service providers and consumers have been charged for the service. That is likely to be a tough sell in the price-sensitive Indian market. To be clear, Austenaa said the simplest implementation of Mobile Connect, the one using SMS or USSD, is difficult, if not impossible, to monetise.
Rajaraman, though, said the USSD message opens up an entirely new horizon for Mobile Connect, one especially suited to India. With nearly 50% of the population still on feature phones, sending a USSD code means even a feature phone can be used for authentication. So a rural resident logging in to a website on a PC can use his or her feature phone to do it. If it’s their first time online, they may never need to create a password at all.
What are the weak links?
Technically, you could still lose your phone, which may compromise most of your accounts. But that is equally true of OTPs. And because the operator is what vouches for your number, anyone who can get the operator to move that number onto a new SIM would receive the prompts instead of you; in that case the PIN is what stands between them and your accounts. Mobile Connect’s weak point could therefore turn out to be the implementation of the PIN. While neither your operator nor the service provider you’re logging in to knows the PIN, it has to be stored somewhere. Keeping it encrypted on the SIM seems the safest route, since storing it on a server means that if the server is compromised, so are you. You will also have to treat this PIN the way you treat your ATM PIN: the more people you share it with, the weaker it gets.
Austenaa said that Mobile Connect allows for more than two factors. That is, a service provider may ask for your number, your fingerprint and your PIN, or even more. Checks on the phone’s physical location are also possible. Given that Mobile Connect essentially makes logging in to websites easier, it is important to strike the right balance between convenience and compromise.