Digital Identification Using Mobile Connect (GSMA)

Challenge

How we can drive a digital identification service that can be used in the public and private sector, and that strengthens the security of one-time codes sent by SMS.

Current issue

The use of so-called two-factor authentication systems (something you know and something you have) that send disposable codes via SMS is widespread in the private sector (banking, social media, etc.) and also in the public sector. (idCAT Mobile. Cl @ ve PIN).

Citizens value mobile-based digital identification services very positively, as is the case with idCAT. This is confirmed by the more than 400.000 citizens who already use it, more than a million actions carried out and the excellent results of satisfaction surveys regarding its use.

However, the use of these services poses some problems:

1. SMS is not considered a sufficiently secure channel in accordance with the recommendations of the United States National Institute of Standards and Technology (a world-leading public body on security issues) and the recommendations of the European Commission for the financial sector. These bodies recommend looking for alternatives to SMS that are more robust and secure.
2. 80% of citizens are regular internet users but only 35% of actions with the administration are done by electronic means due to the lack of an easy, secure, usable and useful digital identity that can be used globally in the public sector and private
3. For the administration, this is a serious drawback because citizens do only 3 procedures a year with all the administrations and do not have the habit or need to have a public digital identity. Instead, citizens take dozens of actions every day with the private sector.
4. On average, a user has 70 digital identities with different public or private providers. For the private sector, this is a serious problem because it is very expensive to manage and secure the security of so many identities.

Proposed solution

Promote a pilot with the Mobile Connect digital identification solution, developed by GSMA (association of the world's largest telecommunications operators) and supported by Mobile World Capital.

This service, as described in Mobile Connect session in local governments of Catalonia, from the Mobile World Congress 2018, raised the following advantages:

1. Replaces SMS messages with push notifications in apps saved on mobile SIMs, which are encrypted and more secure.
2. It has the support of the main telecommunications operators to make its deployment in the private sector. In Spain it is being promoted by Movistar, Vodafone and Orange.
3. It proposes synergies in digital identification in the private and public sector, very interesting for the Administration.
4. Each push notification has a reduced cost.

Development of a pilot with councils

In September 2017 we started a digital identification pilot project with the Mobile Connect solution, developed in the town councils of Manlleu, Esparraguera and Castellar del Vallès. The results of security, usability and satisfaction for citizens have been positive. Its use is currently low because it does not currently add any substantial value to SMS messages and because Mobile Connect is little used in the private sector: only by the operators themselves.

On the other hand the harsh initial recommendations of the NIST and of the European Commission on finding alternatives to SMS messages, they have been softened and there is no urgent need to look for other solutions.

In Europe, there is the experience of France that is working quite well. It is called Mobile Connect and Me, and is powered by Orange. It can be used in many public services as well as in private services.

Continuity of the project in Catalonia is being considered due to the low implementation in the private sector which means that the service does not add differential value to the current SMS messages. On the other hand, the operators have not completed their improvement plan and the current solution has shortcomings that do not recommend its deployment throughout Catalonia.

Status of the project

discontinued GSMA informs us that they have decided to discontinue the integration platform that allowed us to provide this service and, therefore, we are forced to discontinue it. According to the information provided, the Mobile Connect service has not met expectations for deployment in the private sector. Consequently, we are deactivating the digital identification option with the Mobile Connect solution of the VALID service for the councils collaborating in the pilot.

Innovating involves risks and not all initiatives are successful. However, we believe that learning from experience has been enriching for future collaborative initiatives with companies.