Logging in by username and password is considered cumbersome and outdated. With Mobile Connect, the world’s largest mobile communications organization, the GSM Association (GSMA), has developed an alternative that uses the cell phone as proof of identity. In Germany, the major mobile network operators have already announced that they will introduce the procedure in the course of the year, but how does Mobile Connect work and how secure is it really?
IT is a history of groundbreaking developments, yet one thing has stayed almost untouched: the way users log on to a service. From the very beginning until today, username and password have been the access key of choice for most services. With Mobile Connect, the GSMA promises to make logging in not only simpler but also more secure.
The added security comes from the fact that knowing a piece of access information is no longer sufficient on its own. The user must also physically possess something, namely the cell phone (more precisely, the SIM in it). But let’s take it one step at a time.
How Mobile Connect works
Mobile Connect is based on OpenID Connect, a widely used open identity standard maintained by the OpenID Foundation on top of OAuth 2.0. In Mobile Connect the mobile network operator acts as the OpenID Provider: the service provider (the relying party in OpenID Connect terms) hands the user over to the operator for authentication and receives a signed ID token back. The mobile device is only one of several security components.
Another, optional, component is a PIN prompt. As a third component, the service provider or the network operator can feed context information into the process, so that atypical behavior can be treated as a possible attack and trigger additional checks. Context information the operator can draw on to strengthen the security of the whole mobile ecosystem includes:
- Is the device (represented by the SIM card) in its usual location?
- Has the SIM been changed frequently or very recently (abnormal behavior, and the pattern seen in SIM-swap fraud)?
- Has the device been changed frequently (abnormal behavior)?
- Is the user a contract customer (increases trust)?
- How long has the user been a customer of the mobile network (increases trust)?
- Is the device (represented by the SIM card) currently roaming?
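The following step-up policy is an added example, not GSMA or operator code: it turns the signals in the list above into a decision whether a login may proceed with the link alone, must be escalated to a PIN, or should be refused. The field names, weights, thresholds and the two level numbers (2 = confirm the link, 3 = link plus PIN) are assumptions made for the demo.

```python
"""Toy risk-based step-up over the context signals an operator can see.
Weights, thresholds and field names are assumptions for this demo."""
from dataclasses import dataclass

DENY, LOA_LINK_ONLY, LOA_PIN = 0, 2, 3   # assumed level numbers


@dataclass
class Context:
    usual_location: bool          # device (SIM) where it normally is?
    days_since_sim_change: int    # a fresh SIM is the SIM-swap pattern
    sim_changes_90d: int
    device_changes_90d: int
    contract_customer: bool       # postpaid contract vs. anonymous prepaid
    customer_months: int          # tenure with the operator
    roaming: bool


def risk_score(ctx: Context) -> int:
    """Higher is riskier; negative contributions come from trust signals."""
    score = 0
    if ctx.days_since_sim_change <= 3:
        score += 50                      # SIM replaced days ago: possible SIM swap
    score += 10 * min(ctx.sim_changes_90d, 3)
    score += 5 * min(ctx.device_changes_90d, 3)
    if not ctx.usual_location:
        score += 15
    if ctx.roaming:
        score += 10
    if ctx.contract_customer:
        score -= 10
    score -= 2 * (min(ctx.customer_months, 36) // 6)   # up to -12 for long tenure
    return max(score, 0)


def required_level(ctx: Context, requested_loa: int) -> int:
    """Level the operator should enforce for this login, or DENY."""
    score = risk_score(ctx)
    if score >= 50:
        return DENY                      # refuse; user must contact the operator
    if score >= 20:
        return max(requested_loa, LOA_PIN)   # step up to PIN even if the service asked for less
    return requested_loa


if __name__ == "__main__":
    # constructed sample: long-standing contract customer whose SIM was replaced yesterday
    swapped = Context(True, 1, 1, 0, True, 60, False)
    print(risk_score(swapped), required_level(swapped, LOA_LINK_ONLY))
```

The point of the example is the ordering: a recent SIM change alone pushes a trusted customer into the PIN path, and only a combination of signals (new prepaid SIM, unusual location, roaming) refuses the login outright, so a legitimate user who simply travelled is inconvenienced rather than locked out.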
Mobile Connect from the user’s perspective
In Germany, the major mobile network operators Deutsche Telekom, Vodafone and Telefónica have already announced that they will be introducing the procedure in the course of the year. They are supported in this by industry and media alliances in which relevant groups have joined forces.
Anyone wishing to use Mobile Connect must first register with a Mobile Connect platform operator (for example, Verimi in Germany). During this step, the mobile number is linked to a specific identity. Those who want to can also store additional information, such as a billing address and a shipping address. Different security levels can also be defined here, depending on the sensitivity of a service, for example to provide special protection for online banking.
In practice, Mobile Connect is simply an additional option for logging in to the corresponding services (in addition to user name and password). If you choose “Log in with Mobile Connect”, a pop-up window appears asking you to enter your phone number. Mobile Connect then sends a link to this number via SMS or USSD (Unstructured Supplementary Service Data).
Depending on the security level set earlier, the link is either confirmed simply by tapping it or activated by entering a PIN. Instead of a PIN, a biometric method supported by the phone, such as a fingerprint or an iris scan, can be chosen as the activation method. Only in this second form does Mobile Connect provide genuine two-factor authentication (possession of the SIM plus knowledge of the PIN or a biometric); the simplified, PIN-less form proves possession alone and is therefore a good choice only for less sensitive applications.
The GSMA attaches importance to the fact that the phone number is not requested by the service being accessed (web page or app) but by the Mobile Connect API Exchange, which uses the number to discover the user’s network operator. The operator then sends the link; the phone number itself is never shared with the web page or the app.
According to the GSMA, Mobile Connect stores no sensitive data (PIN, token, etc.) on the cell phone in usable form: the SIM applet holds only a hash of the PIN, and with USSD the PIN hash lives on the operator’s servers instead. None of these credentials are ever shared with the service provider, which receives only a pseudonymous token that is specific to that service (in OpenID Connect terms, a pairwise subject identifier rather than the phone number). Users, the GSMA argues, therefore have nothing to worry about in terms of privacy.
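To make the flow above concrete, here is an added simulation of the exchange between service provider, operator and user; it is not GSMA, operator or platform code. The operator plays the OpenID Provider, the service provider the relying party. Every name, URL and phone number is made up, the ID token is signed with an HS256 shared secret purely so the example runs without an RSA library (real operators publish RSA keys), and the level numbers, `acr` and `amr` strings are assumptions. What it shows is what the prose describes: the phone number goes to the operator only, the service provider validates issuer, audience, nonce, expiry and authentication level before trusting the token, the PIN is stored and checked only as a salted hash, and the `sub` the service provider sees is a pairwise pseudonym that differs from service to service.

```python
"""Toy Mobile Connect-style login: operator = OpenID Provider, service provider =
OpenID Connect relying party. Names, URLs, numbers and the HS256 shared secrets
are constructed for this demo (real operators sign ID tokens with RSA keys)."""
import base64, hashlib, hmac, json, os, secrets, time

OPERATOR_ISSUER = "https://op.example-mno.test"  # hypothetical operator issuer URL

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class Operator:
    """Mobile network operator acting as OpenID Provider."""
    def __init__(self, pepper):
        self._pepper = pepper    # secret used to derive pairwise subjects
        self._subscribers = {}   # msisdn -> {"salt", "pin_hash"}
        self._clients = {}       # client_id -> shared secret

    def register_client(self, client_id, secret):
        self._clients[client_id] = secret

    def enrol(self, msisdn, pin):
        # Only a salted PIN hash is kept (SIM applet or operator server hold a
        # hash of the PIN, never the PIN itself).
        salt = os.urandom(16)
        self._subscribers[msisdn] = {"salt": salt, "pin_hash": self._hash_pin(pin, salt)}

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def pairwise_subject(self, client_id, msisdn):
        # Pairwise pseudonymous identifier: differs per relying party and cannot
        # be reversed to the MSISDN without the operator's secret pepper.
        msg = f"{client_id}|{msisdn}".encode()
        return b64url(hmac.new(self._pepper, msg, hashlib.sha256).digest())

    def authenticate(self, msisdn, request, link_confirmed, pin=None):
        """Runs after the user did (or did not) confirm the SMS/USSD link."""
        record = self._subscribers.get(msisdn)
        if record is None or not link_confirmed:
            raise PermissionError("unknown subscriber or link not confirmed")
        if int(request["acr_values"]) >= 3:   # level 3: possession plus PIN
            if pin is None:
                raise PermissionError("PIN required for this level")
            if not hmac.compare_digest(self._hash_pin(pin, record["salt"]), record["pin_hash"]):
                raise PermissionError("wrong PIN")
            acr, amr = "3", ["SIM_PIN"]       # amr strings are assumptions
        else:                                 # level 2: possession only
            acr, amr = "2", ["SMS_URL"]
        now = int(time.time())
        claims = {"iss": OPERATOR_ISSUER, "aud": request["client_id"], "iat": now,
                  "exp": now + 300, "nonce": request["nonce"], "acr": acr, "amr": amr,
                  "sub": self.pairwise_subject(request["client_id"], msisdn)}
        header = b64url(b'{"alg":"HS256","typ":"JWT"}')
        body = b64url(json.dumps(claims, separators=(",", ":")).encode())
        key = self._clients[request["client_id"]]
        sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{b64url(sig)}"

class RelyingParty:
    """Service provider (shop, bank) offering 'Log in with Mobile Connect'."""
    def __init__(self, client_id, secret, required_loa):
        self.client_id, self._secret, self.required_loa = client_id, secret, required_loa
        self._pending = {}   # state -> nonce, consumed on first use

    def start_login(self):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce
        return state, {"client_id": self.client_id, "scope": "openid",
                       "nonce": nonce, "acr_values": str(self.required_loa)}

    def finish_login(self, state, id_token):
        nonce = self._pending.pop(state, None)
        if nonce is None:
            raise ValueError("unknown or reused state")
        head, body, sig = id_token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")   # never let the token pick the algorithm
        expected = hmac.new(self._secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body))
        if claims["iss"] != OPERATOR_ISSUER or claims["aud"] != self.client_id:
            raise ValueError("wrong issuer or audience")
        if claims["nonce"] != nonce or claims["exp"] < time.time():
            raise ValueError("nonce mismatch or expired token")
        if int(claims["acr"]) < self.required_loa:
            raise ValueError("authentication level too low")
        return claims["sub"]   # the only identity the service provider ever sees

def login(rp, operator, msisdn, pin=None, link_confirmed=True):
    """User side: the phone number goes to the operator, never to the relying party."""
    state, request = rp.start_login()
    return rp.finish_login(state, operator.authenticate(msisdn, request, link_confirmed, pin))
```

Two details deserve attention. `finish_login` pins the algorithm and checks the audience before anything else, so an ID token issued for a web shop cannot be replayed against a bank that uses the same operator, and the `state` is consumed on first use, so a captured callback cannot be replayed either. Second, `pairwise_subject` is what makes the "pseudonymous token" claim real: the same subscriber logging in at two services produces two unrelated identifiers, and neither service can recover the phone number from them.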
In theory at least, Mobile Connect provides a sound basis for modern, simplified authentication. What it achieves in daily practice, however, depends not least on how all the parties involved implement it. If one accepts that cracking a password is fundamentally much easier than stealing a cell phone, Mobile Connect does offer a clear security gain. The caveat is that an attacker does not necessarily need the handset: whoever persuades the operator to issue a replacement SIM for the number (a SIM swap) or intercepts the SMS on the network inherits the possession factor, which is exactly why the SIM-change and location signals listed above matter, and why the PIN-less form should be reserved for low-value services.
Loss or theft of the cell phone nevertheless remains a clear risk: the finder or thief has immediate access to every account and app that is not PIN-protected. As with a credit card, the only remedy is to have the platform provider block the Mobile Connect service as early as possible. Entering a phone number and PIN feels very much like a username and password, but at least it only has to be remembered once for all the services involved, and for many of them the PIN can be omitted altogether.
According to GSMA, Mobile Connect is already in use in a good 30 countries. In Germany, the service is still in the starting blocks. Groups such as Allianz, Axel Springer, Daimler, Deutsche Bank with Postbank and the map service Here have founded a cross-industry mobile access alliance in the form of Verimi, as have RTL Deutschland, ProSiebenSat.1 Media and United Internet AG with Web.de and GMX in the form of the Log-in Alliance.
We can only hope that such platform alliances do not proliferate, because if users first have to find out which alliance their desired service belongs to and register with umpteen different platforms, “simplification” will soon be a thing of the past.