Telco 2.0 Case Study: Mobile Signature

We first encountered Mobile Signature at this year's Mobile World Congress with Telefonica, but the system's big success has been with Turkcell. We think it sums up a lot of the possibilities and challenges posed by Telco 2.0.


So what is it? Well, it's an implementation of out-of-band two-factor authentication, using digital signatures generated with public-key cryptography. Right. More usefully, it's a service which lets essentially anyone get strong verification of the identity of the people they deal with, instantly: you just call a web service API. Looking at it the other way around, it lets its users prove their identity with a very high degree of confidence, backed by strong cryptography, while protecting their underlying canonical identity.

It works like this: at setup, a Java application is provisioned over the air onto the user's SIM card (which means it doesn't matter what kind of device the user has, or even whether the handset itself is trustworthy, because the keys live on the SIM rather than in the phone). The app asks the user to choose a secret (a signing PIN), and a public/private key pair is generated on the SIM; the PIN is what unlocks the private key for signing. The user's name is registered against their telephone number, so the identity is verified against the telco's billing records.

When someone wants to check an identity, they call the telco's API with the user's number and the details of what is to be approved. The telco pushes that request, over its own channel, to the application on the SIM. The application displays the details of the request and asks the user to enter the secret; if it is correct, the private key on the SIM signs the request, and the signature goes back to the telco, which checks it against the public key registered for that number and answers the caller. Because the challenge and response travel independently of the transaction itself (not over the same web page, merchant terminal or whatever), a fake web site can't stand in for the identity service or phish the credential out of you. The one thing this depends on is that the user actually reads the request on the screen before entering the secret: it is the match between that text and what they think they are doing that defeats a relayed or altered request. If someone is trying to impersonate you, you'll know about it at once, because you'll get a request you didn't initiate, which you can then deny; and even if they steal the phone, they'll need to know the secret, which is never transmitted over the network and is never stored on the handset itself.
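To make the exchange concrete, here is an added model of it in Go, written for this page rather than taken from Valimo or Turkcell: a SIM applet that generates its key pair internally and signs only after a correct PIN, an operator that keeps the public key registered against each phone number and owns the channel to the SIM, and a relying party that calls the operator's API. ECDSA P-256 stands in for whatever algorithm the real SIM uses, the PIN is held on the modelled SIM as a hash, the API is a plain function call rather than a web service, and the phone number, PIN and transaction texts are constructed for the example. It exercises the three cases the text describes: a genuine request, an impersonator's request for a different transaction (which the subscriber sees on screen and declines), and a stolen SIM without the PIN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SIMApplet stands in for the Java Card applet provisioned over the air: the key pair is
// generated inside the SIM, the private key never leaves it, and the PIN (held here as a
// hash, an assumption of this model) only unlocks signing.
type SIMApplet struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
}

func NewSIMApplet(pin string) (*SIMApplet, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SIMApplet{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Sign runs after the applet has displayed the request text and the subscriber has typed the PIN.
func (s *SIMApplet) Sign(dtbs, pin string) ([]byte, error) {
	if sha256.Sum256([]byte(pin)) != s.pinHash {
		return nil, errors.New("SIM: wrong PIN, signature refused")
	}
	digest := sha256.Sum256([]byte(dtbs))
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Operator models the telco's service: the public key registered per phone number at
// enrolment, plus the out-of-band channel to each subscriber's SIM (never the private key).
type Operator struct {
	registry map[string]*ecdsa.PublicKey
	sims     map[string]*SIMApplet
}

// VerifySignature checks a signature against the key registered for a phone number.
func (o *Operator) VerifySignature(msisdn, dtbs string, sig []byte) bool {
	pub, ok := o.registry[msisdn]
	if !ok {
		return false
	}
	digest := sha256.Sum256([]byte(dtbs))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RequestSignature is the web-service call a relying party such as a bank makes. The request
// text reaches the SIM over the operator's channel, not the relying party's web page; `user`
// models the subscriber reading it on the handset and returning approval plus the PIN. The call
// succeeds only if that exact text is approved, the PIN is right, and the signature verifies.
func (o *Operator) RequestSignature(msisdn, dtbs string, user func(string) (bool, string)) (bool, error) {
	sim, ok := o.sims[msisdn]
	if !ok {
		return false, fmt.Errorf("unknown subscriber %q", msisdn)
	}
	approve, pin := user(dtbs)
	if !approve {
		return false, fmt.Errorf("subscriber declined: %q", dtbs)
	}
	sig, err := sim.Sign(dtbs, pin)
	if err != nil {
		return false, err
	}
	if !o.VerifySignature(msisdn, dtbs, sig) {
		return false, errors.New("signature does not verify under the registered key")
	}
	return true, nil
}

// RunScenarios enrols one constructed subscriber and exercises the cases the text describes.
func RunScenarios() (map[string]bool, error) {
	const msisdn, pin, expected = "+90 555 000 0000", "4821", "Pay 500 TRY to Example Shop, order 1234"
	sim, err := NewSIMApplet(pin)
	if err != nil {
		return nil, err
	}
	op := &Operator{registry: map[string]*ecdsa.PublicKey{}, sims: map[string]*SIMApplet{}}
	op.registry[msisdn], op.sims[msisdn] = &sim.priv.PublicKey, sim // enrolment against the billing record
	user := func(dtbs string) (bool, string) { // approves only the transaction actually being made
		if dtbs == expected {
			return true, pin
		}
		return false, "" // an unexpected request is refused and the PIN is never typed
	}
	out := map[string]bool{}
	out["genuine"], _ = op.RequestSignature(msisdn, expected, user)
	out["impersonation"], _ = op.RequestSignature(msisdn, "Pay 5000 TRY to Attacker Ltd", user)
	_, err = sim.Sign(expected, "0000") // stolen SIM, PIN unknown: the applet refuses to sign
	out["stolenSimWrongPin"] = err == nil
	return out, nil
}

func main() { fmt.Println(RunScenarios()) }
```

Run it with `go run` to see the outcome map. The point to notice is that the relying party's own channel to the user plays no part in the verification, and that approval is bound to the exact text shown on the handset, so a relayed or altered request can only be approved if the subscriber fails to read it.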

It is genuine two-factor, out-of-band authentication (something you have, the SIM; something you know, the PIN); it's independent of the handset; and although the digital signature is backed by the telco billing record, you don't have to sign with the name on that record, so it can support secure anonymous (or rather pseudonymous) transactions.

Each identity request costs about the price of an SMS message. Turkcell reckons Mobile Signature users send an extra 21 messages a month on average; a Chinese user, for example, sends 95 messages a month on average, so that would be north of a 20% uplift in messaging revenue.

But, of course, it's not just the user side and the operator. That wouldn't be two-sided, would it? It was crucial to the success of Mobile Signature in Turkey that the banks also got on board. Twelve Turkish banks formed a partnership with Turkcell; not only did this ensure there would be a base of institutions using the service on day one, avoiding the first-fax problem, but they also invested in promoting it ahead of the launch. From their point of view, it offered significant savings on fraud, as well as the reputational benefits of offering the latest technology and being seen to invest in security.

Identity is a crucial enabler for the whole spectrum of Telco 2.0 B2B value-added services (VAS), as this slide ought to make clear.


You can read much more about the system in this document from the developers, Valimo (pdf).