Serge Llorente, Director of the Mobile Connect project at Orange, takes stock of the state of the art in the area of authentication and identification of a customer or a user on a services platform. Complex passwords, two-factor identification, biometrics, physical keys, etc. Every technology has its strengths and weaknesses. The Mobile Connect solution, which combines the secrecy of the PIN code with the ownership of the “safe” that is the telephone’s SIM card, possesses all of the major assets in the race for the preferred method of authentication.
What are the challenges to be met in the area of identification of a service customer or user?
In a world that is now nearly completely digitalised, it is essential to find a totally reliable alternative to the face-to-face that formed the basis of the relationship between an organisation and a customer or a user. How to find the best way to be identified without seeing or hearing one another? To prove that we are the right person for the requested service. Trust is the Gordian knot of the harmonious development of exchanges, and to guarantee it, robustness of the digital identity is essential.
Where are the market players’ reflections up to on the means of authenticating oneself?
There are currently three means of authenticating oneself, i.e. proving that one is indeed the person authorised to access a service. By providing proof of what we know, who we are, or of what we have. “What I know” is a secret known only by me, classically the password. But nowadays it is fairly easy to steal a password. It is possible to make such attacks more difficult by adding an extra authentication factor. For example “who we are”, this is biometrics. The final lever is “what we have”, it is a physical object in our possession, such as a smartphone, which can enable authentication.
Biometrics are presented as the ideal solution, combining simplicity and security. What do you think?
Orange is working on this solution, but it must be considered as a facility provided to certain customers – those already equipped with a biometric reader – not as a universal solution. For two reasons: firstly, the identity of a fingerprint or of the iris can be hacked – we soon saw “false thumbs” opening the first biometric smartphones – and secondly, biometrics assumes that the user invests in a specific reader. Smooth flow of identification is essential. People are not willing to carry an extra device with them, such as a biometrics reader or a specific USB key. Another problematic aspect of biometrics is identity theft. This is costly for the hacker, but if the stakes are high, the biometric fingerprint will be stolen and the consequences will be disastrous for the person who will be deprived of their identity.
The Mobile Connect solution, developed by Orange, plays on two factors: “what we know” and “what we have”. In what way is it the best compromise?
The two-factor authentication of payment solutions combines a password and a unique number sent to the telephone; it is not cryptic, therefore it is hackable. With Mobile Connect, authentication doesn’t come through a text message. The customer, who is making a purchase or who must identify themselves to a public authority, will be invited, by the website on which they are, to click on the Mobile Connect icon. Then a pop-up window will open on their telephone for them to enter a secret code that they have defined once and for all and that is stored and encrypted in their SIM card. The operator sends the authentication result to the merchant in order for them to enable access to the service. As opposed to passwords, even very elaborate ones, that are stored in a database on a platform, the Mobile Connect code is only stored in the SIM card, in a safe with the same level of security as that of a credit card. The SIM card will block after several unsuccessful attempts in the case of theft of the device.
To be taken up by the public, this solution must also be accepted by the market.
Currently, Orange staff are using Mobile Connect to authenticate on their mobile store. At the end of October, all Orange customers will be able to use it to authenticate on orange.fr. But since November 2017, Mobile Connect is also an identification system (no longer just authentication) in its own right. We are going from authentication to identification, checking the customer’s identity in the strongest sense possible, namely from the scan (once and only once) of an identity document and from a selfie. This identification system is already being offered to the users of the 378 administrations that are taking part in the FranceConnect government programme. The FranceConnect digital platform, which puts users/citizens through to public services, enables them to be identified using the method of their choice, including Mobile Connect et moi. A decree published since November 15, 2018 now allows stakeholders such as banks, insurances, and service providers to offer identification via FranceConnect. And finally, talks are well underway with other operators so that they too can offer the Mobile Connect technology. It is the key condition in order for this solution to become a standard.