This document discusses securing services in a mobile-first world. It outlines Gemalto's role as a leader in authentication solutions and the shift to increased mobile usage. The document proposes the GSMA Mobile Connect solution, where mobile operators act as identity providers. Mobile Connect aims to fulfill service providers' identity management needs through single sign-on and authentication on mobile devices using the SIM card. A Trusted Service Manager is needed to support the complex ecosystem of service providers, mobile operators, and users. The key challenges of any deployment are security, convenience, and reach across different technical platforms and regions.
Securing Services in a Mobile First World with GSMA Mobile Connect
1. SECURING SERVICES IN A MOBILE FIRST WORLD
JF Rubon, Strategy & Innovation
05/11/2014
2. AGENDA
1 – GEMALTO : WHO WE ARE
2 – THE SHIFT TO MOBILE
3 – MOBILE CONNECT
Mobile Corporate Badge
3. GEMALTO KEY FIGURES
[Infographic with three panels: OUR COMPANY, OUR CLIENTS, OUR INNOVATION. Figures shown include €2.4bn revenues (2013), 1,700 engineers, 450 mobile network operators, 3,000+ financial institutions and 80 eGovernment programs as clients, plus patents & patent applications and new innovations filed in 2012 on the innovation panel.]
4. Gemalto as a leader of Authentication
[Figure: Gartner's Magic Quadrant on User Authentication (eBanking / Enterprise), showing Gemalto and SafeNet; 95% of the authentication market is covered by these players.]
5. +100M people using our Authentication solutions
[Figures on the slide: 200 corporate customers; +20 MNO national deployments of MobileID; 500 service providers already connected to our platform; +5 ongoing deployments for 2014; +90M mobile eBanking users worldwide protected by Ezio solutions; +7M employees worldwide use our eID solutions; many customers from the Fortune 500.]
LinqUs Mobile ID 10.11.14
7. 2.7 Bn people* frustrated by their digital journey…
(source: ICT, number of Internet users in 2013)
- Username management nightmare
- Password fatigue and weaknesses
- Registration fatality
- Trust and privacy failure
They need: convenient online authentication, a secure environment and mobility.
* Source: Fireclick – NorSIS Institute - Microsoft
8. … impacting online service providers' activities
WEB AND E-MERCHANT SERVICES:
- Security breaches, impacting brand image
- Low conversion / transformation rate
BANKS:
- Customer service costs
- Clients' growing mobility vs the inconvenience of accessing ebanking
ENTERPRISES:
- Securing cloud services access to enhance employees' mobility
- Security breaches multiplying
GOVERNMENTS:
- Reduce long time-frames and administrative costs
- Dematerialization regulation pressure
They need: a trusted ecosystem and customer attraction (revenue and/or costs).
9. Service providers need scalable authentication levels of assurance
10. THE BIG SHIFT TO MOBILE
[Infographic: smartphone sales, connected devices by 2020, LTE subscriptions by 2018, OTT messages (2012 vs 2020), NFC-enabled smartphones, and the share of users covered by TSMs.]
Sources: Gemalto, Gartner, Informa, public subscriber data
Gemalto Mobile 10.11.14
11. Existing hardware solutions for the PC world
Smart Cards:
- May include user picture
- Company logo
- Physical access (badge)
Tokens:
- Long battery lifetime
- Optional USB interface
- Company logo
Can they still be used in the mobile world?
12. Shift to mobile: two possible axes
Keep a separate token alongside the mobile device:
- Use the built-in NFC capability
- Use an attached reader (sleeve, USB readers)
- Use a detached reader (Bluetooth, Bluetooth Smart (BLE))
Use the mobile device's hardware capabilities and transfer the secure application & credentials into the device:
- UICC
- μSD
- eSE
- TEE
13. MOBILE COMPATIBILITY
Secure element family: requirement; compatibility
- Badge & NFC / BLE: connectivity needed; large compatibility
- UICC: through MNOs; large compatibility
- microSD: slot needed; fair compatibility
- Attached reader: devices with an external port; low user convenience
- eSE: soldered to the device; fragmented market
- TEE: major mobile makers; selected devices only
14. Compatibility with devices
- Without a reader: dual interface card
- Detached readers: Bluetooth reader
- Attached readers: standard or proprietary port ( only)
15. UICC
The most universal secure element:
- Highly secure & certified
- Fully standardized
- Each Service Provider has a dedicated secure ‘space’ on the SIM
- Remotely manageable
- Service platform (Java Card™)
- Existing deployment processes
- Issued by the MNOs
Shipments of SIM cards in 2013: 4.2BN
[Diagram: SIM memory partitioned into separate spaces for the MNO, Bank 1, Bank 2 and an SP, on top of a Global Platform compliant OS and certified secured hardware & software]
16. EMBEDDED SECURE ELEMENT
A second highly secure chip in the handset:
- Inherits security from the UICC
- Easy to integrate into any device, in multiple form factors
- Remotely manageable
- Enabling innovative secure use cases
- Also suitable for new consumer devices (wearables, tablets, consoles)
17. TRUSTED EXECUTION ENVIRONMENT
- Relies on hardware processor features
- Remotely manageable
- Secure interaction between user, services & peripherals (screen, touch..)
- Secure storage of code & data
- Integrated into the main processor
[Diagram: application processor running the operating system (e.g. Android) alongside a TEE OS, on a TrustZone™ system-on-chip]
19. GSMA Mobile Connect
“Develop an innovative new service that will allow consumers to securely access a wide range of digital services using their mobile phone number for authentication.” Source: GSMA Mobile Connect press release – 24/02/2014
$5B revenue per year when the mobile ID market is mature (source: Greenwich Consulting for GSMA)
20. The goal is to fulfill service providers’ ID management needs…
MOBILE OPERATORS: to provide all service providers with a common identity solution leveraging the convenient, strong SIM-based Mobile Connect service.
Authentication levels offered: Light Authentication, Medium to Strong Authentication, Strong Authentication.
Benefits for service providers:
- Improving the end-user journey for more transactions
- Adding customer channels without security breach
- Reducing administration costs and time-frame
- Leveraging cloud services and making their workforce mobile
21. …bringing a diversity of services
- FEDERATED IDENTITY: entry-level ID, similar to Facebook Connect, low level of security (Single Sign On solutions)
- 2ND FACTOR AUTHENTICATION: use the mobile as a second factor overlay (OTP, PKI, NFC, biometrics… solutions)
- MOBILE DIGITAL SIGNATURE: use the mobile as a replacement for the legally binding ‘wet’ signature (Mobile PKI solutions)
- IDENTITY BROKERAGE: the MNO becomes ID custodian and certifies users’ details to SPs (IdM solutions)
[Illustration: “Web access granted!”]
24. 3 key deployment challenges
SECURITY (no “one fits all” solution):
- Secure access
- Secured communication
- Corporate data protection
- Fraud management
CONVENIENCE (no convenience, no adoption):
- Enrolment and usage
- Need to stick to the smartphone user experience
REACH:
- Address fragmented technical platforms: multiple devices, multiple SE
- In different countries: legal, regulation, …
- To consumers, civil servants, employees, citizens
We can split the offer into two distinct categories:
1- Some customers that already have a corporate badge want to reuse it in mobility use cases:
- The first option is to use the NFC corporate badge directly on an NFC mobile device
- The second possibility is to use a sleeve or a USB reader to connect the smart card to the mobile
- The last option is to use a detached reader (standard Bluetooth or Bluetooth Smart (low energy / BLE))
2- Some customers want the same level of security without the need to carry the badge. For this purpose we are able to deploy the same applet used on our corporate badge in other secure elements:
- eSE (Embedded secure element)
- UICC
- uSD
- TEE (Roadmap)
This slide represents all the possible hardware secure elements where the solution can run:
- badges: readerless / attached reader / detached reader (compatible with NFC use cases)
- eSE (Embedded secure element): a SE managed by the device manufacturer (compatible with NFC use cases)
- UICC: SE managed by the MNO (compatible with NFC use cases)
- uSD: SE managed by the enterprise
- TEE (Roadmap): SE managed by the TEE provider. This SE is not heavily deployed yet.
On smartphones, the NFC option is definitely the best one. Note that the user experience of an NFC badge on a tablet is not so great.
On the reader side, detached readers are more appealing today than attached readers.
Gemalto only buys and resells connected readers.
The detached reader strategy is different: a standard Bluetooth reader (from Feitan) has been added to the catalogue in order to offer a product, but three new products will be produced directly by Gemalto:
- A Bluetooth Smart badge holder / reader
- A Bluetooth Smart reader with an integrated PIN pad (the PIN is entered on the reader and does not have to transit over the Bluetooth connection)
- A Bluetooth Smart Token