Google - we need mobile OAuth and we want better voice


Google security expert Eric Sachs's presentation at the Telco 2.0 Best Practice Live! virtual event throws a lot of light on some key Telco 2.0 issues, notably the ones we encountered in the World Economic Forum project our consultants have recently supported. We'll be discussing this further at our Personal Data 2.0 event in Palo Alto on the 6th-7th April. This graphic, taken from the WEF project, shows something of the complexity of the issue - it illustrates Facebook's privacy controls. This is when they're trying to be less complicated...

Facebook's attempts to do better here may not be helping

Sachs demonstrates that Google had a very good reason to start using mobile phones as an identification tool - quite simply, the number of people who used their Gmail (or wider Google Account) password on other, poorly secured or malicious, Web sites meant that Google operations staff were constantly dealing with the consequences of account hijacking. This could involve fraud, the disclosure of embarrassing private information, and worse - after all, if you have a Google account you can use Google App Engine, which gives you the power to cause all sorts of trouble.

Although successful recovery of an account usually resulted in customer delight, it wasn't always possible to fix the damage, and occasionally the wrong account would be recovered. Alternatively, hijackers might request recovery of an account, posing as its owner. People affected were angry, to the extent of involving U.S. Senators. Also, the whole exercise is costly, and easily wipes out several years' ARPU for each case.

So they were absolutely delighted to be able to use mobile numbers and SMS as a form of two-factor authentication - increasingly, Google records mobile numbers when a new account is created. To recover an account, they could now send a message containing a one-time secret code to that number and ask the user to log in by entering the code. Simple - as simple as age verification could be for Betfair!

In the past, we've highlighted companies like Valimo and Turkcell, who are innovating in this field. Given that Valimo's software is available off the shelf, you'd be a fool not to deploy the service while you can - surely?

Identity is an important platform service; once you get it in place, other things can be built on it. Sachs described Google's contributions to the OAuth 2.0 standardisation and how their Google Health products are essentially built on OAuth. (Kaliya Hamlin's presentation on OAuth and other identity technologies is here.) But, of course, online authentication of some user name or other is only as good as the original verification of that identity - this is why we need things like the certification chain in SSL or key-signing in OpenPGP. Operators can provide this, so why aren't more of them doing it?

In fact, Sachs's presentation was highly Telco 2.0 all the way through - he also touched on the possibilities of new forms of voice and messaging. "Social Caller ID", he suggested, would allow you to see which company was behind the phone number on an incoming call. It might also allow you to see what they were referring to - for example, a past service ticket or a conversation on a social network.

Google is very interested in this field - as well as the Google Voice app, they recently acquired a text-to-speech and web-voice integration company, SayNow. This might have passed unnoticed outside the tiny cult of voice hackers had it not been for the Egyptian revolution coincidentally breaking out last week. SayNow delivered a quick turn-around app that allowed people to leave voice messages that were then injected into Twitter, thus taking advantage of the fact that the Egyptian secret police had left the international voice gateways operating when they forced the ISPs off the net.

(Vodafone managers, whose network was shut down by force majeure and then used by the secret police to send threatening messages that appeared, due to the Cell Broadcast spec, to come from "Vodafone", must be spitting tacks.)

Telco 2.0 CEO Simon Torrance, meanwhile, gave a presentation in which he showed results from our survey of Telco 2.0 delegates. Fascinatingly, the delegates saw identity, subscriber data, and better voice and messaging as promising fields for the future - but when asked where they were investing, they were putting remarkably little actual money into them. Unfortunately for them, Google is.