Dialog Connect: a Case Study 2 Mobile Identity Mobile Identity 3 Dialog Connect: a Case Study

Dialog Connect: A Case Study 2 Mobile Identity Mobile Identity 3 Dialog Connect: A Case Study

Contents

I Introduction 4 Operator Profile 5

II Telecommunications in Sri Lanka 6 A. High mobile penetration 6 B. Growing internet penetration 6

III Identity in Sri Lanka 7 C Identity cards 7 D. National identity registry 7 E. Innovative identity solutions 7

IV Dialog Connect: Dialog’s Mobile Identity Service 9 A. Vision, Principle and Benefi ts 9 B. How it works – registration 10 C. How it works – technology 11 D. How it works – the user experience 12

V Uptake and Scale 15

VI Challenges 16

VII Economics 17

VIII Key Success Factors 17 A. Growing internet penetration and a need for trusted identity management 17 B. Trust in mobile operators for identity management 17 C. Dedication to innovation 17

Written by the Mobile Identity Team 4 Mobile Identity Mobile Identity 5 Dialog Connect: A Case Study

I Introduction Operator Profile

Identity in Today’s Growing Digital With this in mind, Dialog’s Connect As a result, the benefits to participating Dialog: Leading Innovation in the Sri Lankan Mobile Telecommunications Sector Economy service is designed to deliver a strong service providers are similarly clear. Dialog, part of the Axiata Group, is Sri Lanka’s leading mobile operator by authentication process in support of Since only a minority of the population As the global market for online subscriber numbers, and also one of the leading operators in the region in these and other use cases. Leveraging of Sri Lanka use credit cards (just commerce, social media, gaming and terms of innovation. Since its launch in 1995, Dialog has moved from being the same registration process that is over 50% of the population have bank other activity continues to expand the fourth licensed operator to being market leader, with a market share of required to take a mobile subscription accounts, while approximately 600,000 rapidly, the need to accurately 38% (equivalent to over 7.5 million subscribers). With a strong drive towards in the first place, Dialog subscribers people have active credit cards), the authenticate the identity of individuals the innovative use of mobile technologies, carefully contextualised to the Sri are required to attend one of the capacity to add purchases to a mobile and organisations for access and use of Lankan market, the company has achieved considerable success. The company company’s retail stores, and present phone bill is of material value (not these services has grown significantly. operates GSM, GPRS, EDGE, W-CDMA and 4G LTE communications networks, their identity card and a contemporary least because the vast majority of Whereas in the real world, identity can and was the first company to launch commercial 3G and HSPA+ operations in utility bill or bank statement (proof the Sri Lankan adult population are be verified through the use of physical South Asia. When Dialog announced that it had switched on its 4G network in of address), in order to verify their mobile subscribers). Importantly, the tokens, such as ID cards, passports and Colombo, it became the first LTE network in South Asia. identity. Once appropriate checks Dialog Connect service is available to other documents – supplemented by have been made, Dialog can then subscribers of other mobile networks, face-to-face interaction – in the digital In addition to its core business of mobile telephony, Dialog operates a portfolio create a digital identity, bound to that meaning that participating third party world, the process of establishing that of services including Dialog TV, the country’s leading direct-to-home satellite registration process, which suffers service providers can address, in an individual is who he or she claims TV service, and Dialog Global which provides international telecommunication none of the risks that arise in online essence, the entire adult population to be is materially more complex. services. Dialog Broadband offers fixed-line broadband internet services, whilst self-registration. A PIN code is sent to of the country via a single, integrated Dialog Tele-Infrastructure is the company’s national infrastructure arm. In In the realm of ecommerce, in which the subscriber’s mobile, and that PIN platform. March 2013, the company announced the launch of its own Dialog Branded nearly $1 trillion of business is is introduced to Dialog’s online portal, Smartphone series at an entry price point of less than Rs. 10,000. The Dialog to finalise the process of establishing Leveraging the SIM: A New Role for transacted globally, the vast majority of Mobile Operators i-Series Android 2.3 Smartphones come preloaded with a range of Dialog buyers and sellers have never met, and a Connect identity. Once created, that Apps like MyTV, Dapp, Traveloid and represent a strategic push to drive mass never will. Yet the identity assertion identity can be used to access content From the perspective of Dialog itself, adoption of Smartphones across the country. processes used in the online world and services, and even undertake and the other mobile operators in are often remarkably weak: in most transactions, via a wide range of third Sri Lanka, the list of benefits is also Dialog was the first mobile operator to cover the Jaffna Peninsula in Northern cases, the individual creates their own party partners. substantial. At a strategic level, the Sri Lanka, within 90 days of the ceasefire agreement in 2002 and, in 2009, was identity credentials – a username and Connect service positions the SIM the first mobile operator to extend its network to the areas in the North and East Dialog Connect is effectively a form password – and the service provider card at the heart of authentication Province where the war was fought. It presently has 80% market share in these of federated identity: the identity can do little to verify the identity of the spanning use cases way beyond those regions, and has contributed materially to their recovery from hostilities. of any given individual can be used individual to which they pertain. normally associated with mobile to access to the goods, services and Identity sits at the heart of Dialog’s strategy, and digital identity forms an phone usage; in short, it establishes the content and of any and all federated increasingly substantial part of the company’s operations. The company’s As a result, the digital identity that SIM card and the mobile medium as a third parties (service providers). The newly created Dialog Connect service is designed to bind each individual each individual creates is inherently frontline identity management service benefits to subscribers are many. subscriber to a unique, secure persona – which can be applied across multiple insecure (because the only credentials provider. More materially, the service The most important is security; the platforms and in relation to a wide and growing range of service providers. are a username and password that allows mobile operators – Dialog Connect identity is created on the basis the individual self-selects) and need most particularly – to participate in of a robust and rigorous registration Dialog’s vision is to create a unified identity solution that individual users can not relate to a real human being the critically important e-commerce process, and creates a unique and trust as a means of securely verifying their identity across multiple networks, (individuals, and indeed criminals market, from which operators have secure digital identity, which can only platforms and service providers. or computers, can create artificial historically been excluded (or at be accessed by the subscriber. identities, often for the purposes of least marginalised). perpetrating fraud). Consequently, Additionally, this federated approach these identities typically fall short In time, operators will be able to relieves subscribers of login fatigue, of the requirements of higher-risk, derive substantial revenues from their by allowing a single identity to access higher-value use cases such as presence in this critical, and fast- multiple third parties (as opposed Website 1 Website 2 Website 3 online shopping or accessing growing market. More broadly, and as to the subscriber having to create a e-government services. illustrated below, the Connect service username and password for each one). helps to extend the reach and presence Dialog Connect: Resolving the Identity The single-sign-on capability further of operators’ brands, such that their Challenge in the Emerging Market reduces this common frustration by profile is raised, levels of awareness Context removing the need for the user to re- are increased, and ultimately, loyalty authenticate on partner sites. Future is manifest. These challenges pertain just as much linkages will allow the solution to to emerging markets, where internet also make payments easier: rather penetration is growing at a rapid than having to provide bank or credit pace, as they do to markets where card details to each service provider, online activity is part of daily life. In Dialog Connect will soon allow the Sri Lanka, as elsewhere in the world, cost of purchases to be added to the there are many internet-based identity subscriber’s mobile phone bill using providers. However, all of these Dialog’sAdd2Bill service which is entities lack the ability to resolve a already in operation. digital identity to an actual person. 6 Mobile Identity Mobile Identity 7 Dialog Connect: A Case Study

II Telecommunications in Sri Lanka III Identity in Sri Lanka

A. High mobile penetration: that individuals and enterprises can comparatively low level of household C. Identity cards A critically important side-effect of the By dialling the #132# USSD short-code, take greater advantage of the global, PC penetration (around 10%), the government’s programmes has been to any Dialog subscriber could pull their Though Sri Lanka is considered a It is a legal requirement for all citizens digital economy. comparatively lower cost of mobile place mobile operators – and Dialog in personal information –collected at the developing nation, it has nonetheless of Sri Lanka over the age of 16 to smartphones, the ubiquitous nature particular (as the largest operator in the point of sale and stored in a secure emerged rapidly as a forward-looking possess a National Identity Card (NIC). Though fixed-line penetration is higher of mobile coverage, and the growing country, with over 38% market share) – server – onto their mobile device. With economy in which the power of ID cards are issued by the Registration than much of the developing world (at increment between fixed broadband at the forefront of identity management, a 3rd step, customers could notify technology is leveraged to its fullest of Persons Department, which sits around 20%), fixed broadband services and mobile broadband connection a position which has helped operators the company of incorrect information extent by both public and private sector under the Ministry of the Interior. Each rarely extend beyond main urban speeds (4G mobile networks in Sri to earn considerable trust amongst and come in person to update their institutions. With mobile subscription NIC has a unique 9-digit number, in the centres, whereas mobile broadband Lanka are already offering download consumers, government and the personal information with supporting penetration nudging 50% and format 000000000A (where 0 is a digit coverage extends to much of the speeds of approaching 50mbps, broader enterprise market. documents. Dialog issued its own penetration rates increasing rapidly1, and A is a letter). The first two digits country’s landmass. Nonetheless, whereas fixed broadband suppliers electronic certificates for the #132# with many mobile subscribers having represent the citizen’s year of birth online commerce, internet banking offer considerably slower speeds, to E. Innovative identity solutions code, which are stored in a server and two SIM cards, mobile has already and access to e-government services (88xxxxxxxx for someone born in 1988). a small fraction of the population). A In 2009, at the end of Sri Lanka’s decade- pushed to the user when they dialled established itself as the single most remain the preserve of a small full third of mobile subscribers already By law, all citizens are required to carry long civil war, a government-mandated the USSD code. important medium for communications minority of the population. have a 3G mobile subscription. their identity card on their person at all initiative required each citizen to carry a and connectivity in the country. In this way, customers had a way to times, as proof of identity. Over time, physical copy of their mobile connection Recognising the potential of mobile, For the most part, this is because Mobile operators, Dialog in particular, link the physical ID they carried the need to carry a physical identity registration to prove that they were the government is helping to drive internet access remains a relatively new have therefore adopted an aggressively already with the phone ID without card proved problematic: the stock of the owner of the SIM card. This would adoption, and amongst other things, phenomenon for the majority of the forward-looking stance in relation to needing to register for a second cards currently in use are laminated require each mobile operator to call in hopes to raise smartphone penetration population. This is partly as a result broadband connectivity, internet access identification document. paper, and therefore comparatively subscribers to re-register their SIM cards to 80% of active mobile subscribers of the country’s recent history, and and associated issues. Since 2012, simple in nature, easily tampered with, in-store. With over 5 million subscribers within 2 years. perhaps equally importantly, partly Dialog has offered its customers the Within the first six months of 2009, and readily lost or damaged. at the time, Dialog knew that it would because very few websites are available capacity to pay for goods and services Dialog recorded 18.5 million #132# B. Growing internet penetration: be impossible to physically re-register in Sri Lanka’s two most dominant in the real world using their mobile D. National identity registry dials as people used their mobile to all of its subscribers within the short The government’s desire to increase languages, Singhalese and Tamil. phone. The company’s eZCash service prove who they were . Even though time frame. The company developed its smartphone penetration is informed, is today used by over 930,000 people, The state also initiated a project to the government mandate is over, they As a result, though there is considerable #132# solution as a means of resolving at least in part, by relatively low to pay for utility bills including Dialog create and maintain a consolidated still have 700 to 800,000 hits per year interest in and enthusiasm for the this mandate: Dialog already held internet penetration. Less than 10% bills as well as to send money home. database comprising a ’Population as customers check up on their data. internet and the digital economy at soft copies of the national identity of the population of Sri Lanka makes Transitioning to the online world, Register’, containing the unique This service was amongst the first in large, there remain material practical documentation used by each customer regular use of the internet, although and providing identity verification ID numbers and basic information the world to bind government-issued barriers to adoption. As is the case to subscribe to their mobile service (birth mobile broadband penetration has / authentication services in support of all citizens. This formed part of identity credentials to a mobile- in many other emerging economies, certificate, passport, billing proof, etc.). already exceeded fixed line broadband of a wider, deeper range of services, wide-ranging government efforts to operator deployed service. 2 the mobile medium is expected to penetration . Both the government products and content, was a logical, modernise social infrastructure, partly dominate the broadband and internet and the country’s mobile operators are sequential step for the company. in response to the end of civil unrest, access markets. This is due to the keen to see this figure rise rapidly, so and partly in order to accommodate the challenging characteristics of the country (for example, over 85% of the population of Sri Lanka is rural, and World Bank Social Indicators, Sri Lanka, 2010 Population 21 Million it has historically been difficult for the Landmass 65,610 square kilometres government to serve citizens in remote Population Density 329 people per square kilometre areas). The government’s population GDP USD 59 billion register database was designed to create a contemporary, accurate and dynamic GDP per Capita USD 2,864 database of the entire population, Mobile Subscriptions 9 million which was sufficiently flexible to IMAGE SIMs per Subscriber 2 capture and reflect changes (such as TO GO HERE births, deaths, marriages, changes of Mobile Coverage Circa 95% 3 Colombo address) in near real time. Network Technologies 2G, 3G (W-CDMA), 4G (LTE) Fixed Line Penetration Circa 20% These and other activities have led to a steady transformation of the Sri Internet Penetration Circa 12% Lankan state, as technology has been Number of ISPs 50+ used to address the ‘generic’ challenges PC Penetration < 10% of households associated with emerging economies, and the specific challenges relating Rural population (% of total) 85% to Sri Lanka’s geography, population structure, state infrastructure and so on.

1. Sri Lanka’s mobile penetration rate increased by a factor of over 1.5x between 2008 and 2010. GSMA Asia Mobile Observatory 2011. 3. ePopulation Register (http://www.icta.lk/en/programmes/re-engineering-government/131-main-projects/251-epopulation-registry-.html) 2. GSMA Asia Mobile Observatory 2011. 8 Mobile Identity Mobile Identity 9 Dialog Connect: A Case Study

IV Dialog Connect: Dialog’s Mobile Identity Service

eZ Cash: In adopting a more proportionate approach to customer due As was the case with the #132# service, A. Vision, Principle and Beneﬁ ts Based on the OAuth standard, which Veriﬁ ed customer data for mobile money diligence in the KYC (Know Your Customer) requirements, the eZCash service placed Dialog is widely used by online service i. Dialog Connect is an easy-to-use this regulatory change had signifi cant positive implications in a strong strategic position – and providers, the Connect service creates Amongst Dialog’s most innovative services identity authentication solution through for Dialog. Customers can sign up for a “Basic Account” on indeed in a position of considerable a federated digital identity for the is their eZCash, mobile money service which use rs can verify their identity their mobile phone using the ID already stored in Dialog trust – within the realm of identity subscriber, which can be used as an (formerly eZ Pay). Mobile money has been across multiple platforms, use cases and SIM card registration database. Basic Accounts are self- and its management. This caused the authentication token to log in to all a particularly important service as Sri third party service providers. The service registered which means you do not need to attend a mobile company’s management to examine the participating third parties. In other Lanka transitions socially and economically. Bank account is designed to further leverage Dialog’s money agent. The maximum transaction allowed with this notion of identity management – as an words, the subscriber creates a single penetration is around 57%, but remains low in rural areas. As strong registration process and deliver account is 10,000 rupees (US$80), but customers can make enabler and as a service in its own right Dialog Connect ID, which can be used a result, mobile money services have become an important event-based authentication for third party more transactions by upgrading to a “Power Account”; they – in greater depth. A process of research, within the context of a wide range of lifeline for citizens. service providers, along with profi ling simply need to reconfi rm their identity at a mobile money planning and customer research led service providers, and their respective data with a high level of assurance. Dialog’s eZCash service, in and of itself, has an important agent. By June 2012, more than 370,000 customers had signed Dialog to a clear conclusion. Sri Lankan products and services. identity component. Following Dialog’s launch of eZ Pay in up to eZ Cash (up from 15,000 only a few months earlier), citizens needed a means to prove or partnership with the National Development Bank in 2007, the reaching 810,000 by early 2013. 4,000 of these customers have authenticate their identity for a wide Central Bank began to develop a regulatory framework for already signed up for a “Power Account”. range of purposes, spanning existing mobile money that allowed both banks and MNOs to operate services (such as eZCash) through to In essence, Dialog leveraged its strong, existing customer mobile money services. In April 2012, Dialog was awarded entirely new arenas (such as buying registration process – as well as its large retail and dealership a license from the Central Bank and, two months later, goods and services online). The result of presence – to outstanding eff ect. There are around 12,000 launched eZ Cash as a fully telco-led mobile money service. this strategic vision was Dialog Connect, registered eZCash points across the country for money-in an identity authentication solution that and money-out services. Whereas retail banks and credit works across a variety of platforms, use card companies had not managed to extend their reach much cases and service providers. beyond major urban centres, Dialog deployed its mobile money service across its entire footprint, which covers over 95% of the population, and has brought fi nancial services to many citizens for the fi rst time ever. Web Sites Mobile Internet Mobile Apps Unverified Site

Verified by Dialog Connect

mCert Dialog Connect can be used as an offline authentication certificate of the customer mCert is a verified certificate of the customer

Behavior Tracking Dialog Connect will track the bahavioral patterns of the User users whilst guaranteeing their anonymity 10 Mobile Identity Mobile Identity 11 Dialog Connect: A Case Study

trusted brands with strong customer via a PC, in store). This step verifies The token becomes invalid and ii. The benefits to subscribers iii. Similarly, for service providers, The OAuth schematic above care processes and wide-spread local that the user is in possession of the unusable as soon as it has been used are manifold: the benefits are considerable: describes the following steps: distribution networks – can play a MSISDN associated with the Dialog in a single authentication process, thus significant role in the development of Connect account at the point of none of the website owner’s servers (1) The subscriber does not need (1) The service provider gains 1. The end user goes to the URL of a convenient and dependable solution registration. Subsequently, once this retains data that could compromise the to create a unique username and access to Sri Lanka’s single largest the company. The company’s for online access. Dialog Connect verification is complete, the Dialog identity of the end-user. password for each service provider integrated customer base. servers request authorisation from creates both the identity platform and Connect account and the user profile that he or she uses; there is therefore the user. The authorisation request a corresponding secure authentication in the Dialog billing system are joined Dialog has added a number of features reduced “login fatigue”. can be made directly to the user (2) The service provider is offered mechanism which allows Sri Lankan and synchronised: creating a single, on top of the underlying OAuth (as shown in the schematic), or profiling data so that they can citizens to participate more fully in the secure identity. code, so as to further secure both the indirectly via an authorisation (2) The subscriber’s identity data refine and customise their offerings digital economy, and the internet at large. identity of their Connect service users is protected and managed by the to individual consumers or C. How it works – technology server (which would be owned/ and the integrity of any transactions Connect service; so for example, groups thereof. Dialog of course deployed the service operated by Dialog). taking place over the system. So for Dialog connect uses an OAuth-based if a service provider requests on the basis of commercial, not example, the Connect service also architecture to securely expose user 2. The company’s server receives personal information (name, age, charitable, objectives. Mr Anthony offers the ability to provide a second (3) The service provider enjoys a information to verified clients. OAuth an authorisation grant, which is a gender) from the subscriber during Rodrigo, Group Chief Information authentication factor, for use cases that high level of assurance in relation is an open standard for authorisation credential representing the user’s the login process, the subscriber is Officer at Dialog summed up the require infer a higher level of risk or to subscribers’ personal profile online. In overview, the OAuth authorisation, and is connected to specifically asked if he or she wishes benefits of the service to the company in which a higher value transaction is data/attributes. framework enables a third-party an authorisation server. to comply and continue using the as follows: being undertaken (both of which are application to obtain limited access service or whether he or whether typically characteristics of ecommerce). to a resource (i.e. user information), 3. The company’s server requests he or she prefers to keep the (4) The service provider attains “Dialog Connect is a key component Under this second factor solution, a on behalf of an end-user (the Connect an access token by authenticating information confidential and thus a higher level of security in of our platform strategy. By tightly one-time password (a PIN code) is service subscriber, the resource with the authorisation server and avoid using the service. preventing fraud due to the strong coupling our payment tools and other sent to the mobile number registered owner) by executing an approval presenting the authorisation grant. authentication via two factor service offerings, we can drive usage under the Dialog Connect account. authentication. In future, the of these direct revenue-generating interaction between the user and the (3) The service minimises the 4. The authorisation server The user is required to enter that PIN smartphone identity component services. In addition, utilising the service provider. registration effort by prepopulating authenticates the client and code in order to complete a transaction. will be tightly coupled to the SIM. Dialog identity across multiple third many fields by using data shared by In short, what this means is the OAuth validates the authorisation grant, This minimizes the risk of stolen user party sites will contribute significantly Dialog Connect. provides a standardized framework and if valid, issues an access token. credentials, and fraudulent use of a to churn reduction.” (5) The service provider gains easy for the exchange of user information stolen device. Under the auspices of this approach, integration to additional Dialog B. How it works – registration between a resource owner (Connect (4) The service is symmetric – not the user (the Dialog Connect Further, so as to avoid improper or services (e.g. SMS notifications, subscriber) and service provider only does it authenticate the subscriber) can gain authenticated unauthorised use of the service, the Click2Call etc) which can also be For Dialog’s own customers, access (Web sites, Mobile Apps, etc.) without subscriber, but it also verifies each access to a website, without (a) Dialog Connect account is configured authenticated using Dialog Connect. to the Connect service is granted sharing the user’s credentials. This service provider, at each usage creating an identity on that site or to automatically issue an SMS to the after successful completion of a avoids the storage of user credentials attempt (so the user’s exposure (b) sharing personal information MSISDN of the account holder every strong registration process (the same on multiple services, which of to phishing attacks and the like is or attributes with the owner of the time a login attempt is made. process employed when an individual course represents a security risk. The minimised). website. All that is passed to the In short, the Dialog Connect service wishes to subscribe to Dialog’s mobile credentials and information will only be owner of the site is an authentication is designed to help bridge the digital network). When subscribing to stored within Dialog Connect. (5) Identity tokens used for each divide. In Sri Lanka, as in much of the Dialog’s network, each customer is token – in many instances, the session last only one session developing world, the digital divide is required to present: Instead, the OAuth standard never website owner will never know – therefore any token stored less about access to connectivity – mobile shares users’ credentials across the any element of the identity of the (accidentally or deliberately) after a coverage is almost ubiquitous and mobile – National Identity Card or internet or on corporations’ servers: individual to which the token refers. log in is useless for future sessions SIM/device penetration extends to the a valid passport rather, it relies on a trusted third (meaning that even if the device is majority of the population. Instead, the – Proof of address (if different to the party (in this case Dialog) to issue an stolen, the token is useless). digital divide derives from the relative address stored on the ID card) authentication token to the service lack of identity mechanisms, and provider, which allows the subscriber to specifically, lack of verified financial/ At the point of registration to Dialog gain access without creating or sharing banking identity, which is required to Connect, the user is required to a username or password with that buy and sell online. provide their mobile number. A service provider. As mentioned earlier, validation PIN (generated as a one- each authentication token expires Additionally, lack of trust on the part of time password) is subsequently sent immediately after use and is therefore both consumers and service providers in to the subscriber, which the subscriber of no value to a criminal (whereas a existing banking and payment processes is required to use in order to activate username and password are). has created a natural space into which their account (via the Dialog Connect mobile operators – as ubiquitous and web portal, which can be accessed 12 Mobile Identity Mobile Identity 13 Dialog Connect: A Case Study

D. How it works – the user experience The user enters their username and password, and is then guided to a From the perspective of the end consent page, shown opposite. The user, the Dialog Connect experience purpose of this page is to specifi cally is straightforward. The registration request user consent for the sharing process is necessary in order to of personal information, requested underpin the trust implied by the by the third party service provider. OAuth standard (if the third party The majority of end-users are quite website operator does not trust the happy to share basic, minimum token issued by the operator, or does information about themselves, not believe that the token pertains to a particularly in return for discounts, real human being, the system cannot deals and other benefi ts. But the Dialog work). Strong and strictly monitored Connect service, importantly, gives registration is therefore critical. them the choice not to share if they Once registered, use of the service is have specifi c privacy concerns. straightforward. The user goes to a participating website (a website that has become a Dialog Connect partner), as illustrated right.

The user clicks the Dialog Connect button on the site, and is presented with the following – As soon as the user clicks submit, their identity has been authenticated, a token passed, and they are registered on the website. Should they wish to make a purchase, they will be required to follow the second factor authentication process, which (as set out earlier), requires the user to enter a one-time password (PIN code) to authenticate a transaction.

In this instance, the PIN is sent to the phone – whereas the transaction is occurring on a separate device (typically a personal computer). The provision of a correct PIN code gives the service provider comfort that the end user is a legitimate and legal person, and that the transaction is genuine, and gives the end-user comfort that the transaction is being executed securely, with full non- repudiation should something go amiss (for example, if a purchased product is faulty, incomplete or not delivered). 14 Mobile Identity Mobile Identity 15 Dialog Connect: A Case Study

V Uptake and Scale

It is instructive to look at the end user In summary, in its present form, Since its launch in 2012, Dialog A base of 400,000 Connect subscribers From the perspective of consumers/ experience from the perspective of the Dialog Connect service off ers Connect has already managed to amass is still enticing to service providers, end-users, the service has gained early information fl ows and exchanges, a convenient and secure means of a base of over 400,000 subscribers. and by integrating with the Dialog popularity, but the company recognises as this illustrates the logic of the allowing users to create and apply a The achievement is all the more Connect service, access to those that further investment in awareness underlying OAuth standard, and the digital identity, rooted in their mobile remarkable given the relative shortage customers is available from day one and usage are required. Of the 400,000 lengths to which it goes to ensure that account, that can be used as a means of native Sri Lankan ecommerce of live operation. Perhaps equally subscribers already using the service, the integrity of an individual’s identity of logging in to a growing range of service providers (which is problematic importantly, the inherent security of around 3,000 use the Connect service is respected and protected online. These third party websites. because of the specifi city of Sri Lanka’s the Connect platform is attractive to each day. On average, each of those information fl ows are illustrated in the two main indigenous languages, service providers, particularly because users accesses 10 diff erent services. diagram below. Tamil and Singhalese). However, of the integration of eZCash. For many Clearly, the company wishes to grow Dialog is working with a number of service providers, the ability to transact the total number of registered users, local companies, and is targeting the securely via the end users mobile wallet and the frequency of use of the service. launch of a native language music site, is an extremely appealing proposition, 3rd Party Part of the process of doing so is being App/Website User Dialog Connect and an ebook store. particularly given the low level of bank account and credit/debit addressed by recent eff orts to better Dialog therefore faces challenges that card penetration. localise the service. As mentioned User tries to login are common to most of the existing earlier, there are comparatively few to 3rd party site/app 1 providers of this type of service. There There is also considerable service (international) service providers that is almost always a “chicken and egg” provider interest in the (anonymous) have adapted their off ering to local 2 problem: users are loath to sign up for customer profi ling capabilities of the Sri Lankan languages, and indeed, Dialog Connect DialogConnect opens 3 a federated identity service that is not service, at the back end. Connect is there are similarly few devices that PlugIn Login Request the login page is initiated supported by a wide range of service able to tell service providers about are capable of presenting a Tamil or providers, and service providers tend the attributes or characteristics of the Singhalese user interface. Dialog is 4 to adopt a “wait and see” approach subscribers that visit their sites, and working with service providers, app until there is a large installed base of service providers, in turn are able to developers and device manufacturers User enter credentials and submit 5 active users. The circumstances are adapt everything from the products to overcome this important issue; and is slightly diff erent in Sri Lanka, as Dialog and services that they prioritise online focusing on a hybrid approach in which 6 SMS OTP is of suffi cient size and importance through to the way those propositions both languages are presented in roman that it has been able to (a) create its are presented (visually) and the characters (the alphabets of which are own ecommerce platform as a means messaging around them. extensive and relatively complex). Temporary access to User enters OTP of enticing users to adopt the service user details granted 7 Verify to 3rd party site/app and (b) work with local companies to transition their propositions online. 8 Dialog Connect PlugIn User is logged in to 9 3rd party site/app User Accounts are stored within Dialog Connect

Going Forward: Future mobile identity services for the fi rst time. This will enable Dialog to link the user’s OpenID social network profi le to their existing subscriber profi le and also enable Social network integration (enabling Going forward Dialog Connect will be enhanced to include posting of comments and likes etc) of the participating site. the OpenID web standard. Adopting OpenID will allow the service to function with a wider range of participating Authentication for other Dialog Platforms websites, who already use OpenID. Interestingly, the OpenID Once Dialog Connect authenticates a user, the company standard is also used by a variety of social media websites, plans to use the underlying token to automatically and incorporation of OpenID within Dialog Connect will authenticate the user into other Dialog services such as provide easy integration and enable interworking with Add2Bill, Click2Call, SMS alerts and LBS. This will allow a larger number of sites. service providers to use multiple Dialog services with Social Network login simpler integration and provide a richer user experience. In essence, it should have the eff ect of making Dialog In addition to login and registration directly via Connect, Connect a one-stop shop for companies in Sri Lanka and Social network login such as Facebook Connect could be used elsewhere wanting to sell goods and services to Dialog to authenticate the user when registering to Dialog Connect customers online. 16 Mobile Identity Mobile Identity 17 Dialog Connect: A Case Study

VI Challenges VII Economics

Awareness is arguably the greatest Those service providers that are more It will likely take time for service The business model for the Connect Customer profi ling and market insight Furthermore, Dialog Connect generates challenge that Dialog faces in aware of ecommerce opportunities providers to fully understand the service has multiple layers. Whereas data generation is a further benefi t of value through intangible brand commercialising its Connect service. tend to default to the large, global extent to which Dialog Connect is consumers pay nothing to subscribe to connect. This data can be shared with enhancement via the placement of the Consumers are still at a relatively early names in the online world, such as diff erentiated from Facebook Login and the service, revenue is generated from service providers in anonymous fashion Dialog brand across multiple third party stage on the learning curve relating Facebook, Google and others. In such similar off erings. Whereas Facebook the incremental increase in use to provide detail customer insight websites. As Dialog Connect becomes to the digital economy, and do not yet companies they see quick access to a does indeed have a massive customer of complimentary services off ered around their entire user base or around more widely adopted and becomes a recognise the potential that mobile global audience; often forgetting that base spanning almost all countries by Dialog. individual customers through sharing more habitual part of a user’s online identity can off er, within the context the registration process behind each on the planet, its registration process both demographic and usage data on behaviour, the company will contribute of ecommerce. Indeed, ecommerce identity carried by these and other is self-administered, and there is a clusters they belong too. This provides to churn reduction. in itself is still comparatively companies is cursory, and unable to comparatively low level of assurance the capability for Service providers to underdeveloped, and only a minority provide the same level of assurance and that any given identity is real, or launch targeted campaigns. of the population is fully aware of relevance as Dialog’s Connect service. relates to a real human being. Whereas its importance and potential. Circumstantially, Dialog has found it Dialog cannot match Facebook in comparatively hard to persuade service terms of scale, it can certainly off er far Service providers are similarly not fully providers that already use Facebook higher assurance on the identity of the aware of ecommerce opportunities, Login, for example, as to the value of individual, because of the strength of its nor the role of mobile identity (and its Dialog Connect. In contrast, service registration process. Ultimately, service importance) within that context. providers that do not make use of providers will have to recognise that global federated identity platforms are both solutions have relative merits (one more understanding of the value of scale, one assurance and relevance), Dialog Connect’s service. and both (along with many others) will have to coexist. VIII Key Success Factors

Dialog IdeaMart A. Growing internet penetration and a B. Trust in mobile operators for C. Dedication to innovation need for trusted identity management identity management Application development, particularly Dialog’s commitment to innovation – in local indigenous languages, is As elsewhere around the world, Having set a precedent for obtaining and willingness to dedicate signifi cant gaining substantial ground in Sri mobile and internet usage will only and managing customer information in time, eff ort and resources to building a Lanka. Dialog’s developer community continue to grow rapidly in Sri Lanka. a secure and user-friendly fashion with service which falls traditionally outside (called IdeaMart) alone has deployed With government and other private the #132# solution and eZCash, Dialog the realm of the mobile operator – was over 1,000 applications, most of them sector entities committed to increasing has built a reputation for reliable and a key factor in the early success of the designed to work on feature phones, broadband and smartphone access trustworthy service when it comes to Dialog Connect service. The service which predominate in Sri Lanka at across the country, mobile operators identity management. Taking this to represents a culmination of many years present. As the installed base of devices are well-placed to bridge the link for the next level with a simple, federated dedicated to new service that push the changes, it is expected that a growing their customers between mobile and online access service was, on the one boundaries of mobile services, while range of smartphone apps will be online services. hand, a logical extension from the recognising and keeping the ever- developed and deployed. traditional realm of the mobile operator. changing needs of the customer While exposure to identity-based fraud At the same time, the service represents closely in mind. IdeaMart developers currently use and theft are only beginning to bring a strategically progressive approach by Dialog Connect to subscribe to the to light the inherent weaknesses in a mobile operator in fi rmly asserting company’s application programming traditional methods for online login their role in the m-commerce space, interfaces (APIs). Going forward, to and access, users across the socio- an arena from which operators have promote wider use and integration economic spectrum in Sri Lanka have historically been excluded. of Connect, API access also will be need for a service that enables easy, bound to Dialog Connect, with apps secure and convenient access to a In this way, the Connect service using OAuth compliant access tokens broad array of online content. The represents an important step in provided by Dialog (so use of the combination of these factors created an defi ning new positions for mobile applications will require the subscriber ideal scenario for Dialog’s launch of the operators in the online and e-commerce to have a Dialog Connect account). Connect service. market as the trusted third-party for secure, convenient identity An Android application authentication management that sits directly in module for Connect is also being the hands of the consumer. developed, which will be tightly coupled to the SIM, adding a higher degree of security and also simplifying the login process. 18 Mobile Identity For further information, please visit www.gsma.com/mobileidentity or contact the GSMA Mobile Identity team at [email protected]