Swisscom Mobile ID: Enabling an Ecosystem for Secure Mobile Authentication The GSMA represents the interests of mobile operators worldwide. Spanning more than 220 countries, the GSMA unites nearly 800 of the world’s mobile operators with more than 230 companies in the broader mobile ecosystem, Contents including handset makers, software companies, equipment providers and Internet companies, as well as organisations in industry sectors such as financial services, healthcare, media, transport and utilities. The GSMA also produces industry-leading events such as the Mobile World Congress and Mobile Asia Expo. For more information, please visit the GSMA corporate website at www.gsma.com or Mobile World Live, the online portal for the mobile INTRODUCTION 02 communications industry, at www.mobileworldlive.com WHAT IS MOBILE ID? 04 AUTHENTICATION, NOT IDENTIFICATION 06 Author: Alix Murphy PRODUCT SIMPLIFICATION 08 With special thanks to: IMPLIFIED USER JOURNEY 12 Adrian Humbel, Swisscom HP Waldegger, Swisscom CUSTOMER CARE 16 & the Swisscom Mobile ID Team SIMPLE PRICING 17 Daniel Gasche, PostFinance Bank Claudio Lombardi, PostFinance Bank Martin Moser, PostFinance Bank DEVELOPING THE ECOSYSTEM 19 Joachim Vetter, Abacus FUTURE SERVICES 23 Introduction In early 2013, Switzerland’s leading operator, Swisscom, Guiding principles introduced Mobile ID, a fully managed strong authentication solution and a complete service package for enterprise and OUR PROMISE As a trustworthy companion in the digital world, business, as well as individual users. Using a PKI- based, we help our customers… “mobile signature” secure encryption technology on the • feel secure and at ease SIM card, Mobile ID has been recognised highly within the • find what they’re looking for quickly and simply • experience and achieve extraordinary things. security community for combining smartcard level security • Swisscom – we open up new possibilities. with a sophisticated ease of use for customers wanting to transact across a wide range of industries, including online and mobile banking, insurance, pensions and HR processes, secure enterprise access, as well as government and public services (such as tax, social security, housing, healthcare). Within only a few months since launch, Mobile This case study follows the story of Mobile ID and ID has now reached a user-base of 25,000, with explores the key “success factors” that allowed steadily increasing adoption rates of around 10% Swisscom to further solidify its position as a each month. Much of this success may be attributed trusted brand among customers and partners. to simplified processes for customers in obtaining Beginning with the operator’s pioneering strategy and using the authentication solution. However, a and rationale for a new identity product, the large degree of the success is due to Swisscom’s study explores the deliberate decisions taken by determination to develop a broader ecosystem the Swisscom product team to ensure smooth of partners and relying parties to ensure a strong integration, deployment and delivery of a product market for the uptake of Mobile ID. that has maintained a persistent level of uptake and satisfaction among users to date. Swisscom’s unique approach to the positioning of Mobile ID within Switzerland’s high security- In December and January 2013-14, the GSMA’s conscious business community provides important Personal Data team met with Swisscom to collect lessons for the telecoms industry as it adopts and and expose these insights out to the broader mobile explores new trusted roles within the evolving operator community. digital economy. Equally, Swisscom’s success in gaining rapid traction among users and business customers reveals key insights into the effective operationalisation and deployment of a managed secure authentication service as part of its core product offering. 2 Swisscom Mobile ID Swisscom Mobile ID 3 What is Mobile ID? MOBILE ID USERS Using security features and functions integrated directly into Employees the SIM card, Mobile ID combines Partners Mobile ID is a PKI-based secure authentication service that Customers smartcard level security with a enables users of business applications to access secure Consumers user-friendliness that has been Citizens recognised in numerous security accounts, platforms, applications and cloud services in a and consumer awards, including single, unified mechanism. The service both simplifies the the Mobile Security category of user experience and protects the individual’s identity as they LOGIN WITH MOBILE ID the European Identity Awards in April 2013. interact in the digital world. Using a different login solution for each portal is a thing of the past. With Mobile ID on the SIM card, every mobile phone becomes an authentication tool. As a result, users have a single login solution for a wide variety of applications – and one that is always to hand. COMPANIES SERVICE PROVIDERS AUTHORITIES Remote work stations, VPN, e-Banking, e-Health, e-Government B2B portals, e-Shopping, web portals, CRM / ERP systems, mobile apps, cloud services, intranet application etc extranet applications etc Swisscom Mobile ID for Swisscom Mobile ID for employees and partners customers, consumers or (business applications) citizens • Secure login for remote work stations • Login to business-to-consumer and citizen-to-government platforms • Access control for data and enterprise applications (e.g. ERP) • Login to online portals for banking, health, shopping, public sector, education, etc. • Protection of VPN access to company network • Login to mobile apps • Login to business-to-business and • Context-based transaction confirmation intranet portals • Protection of electronic financial transactions • Protection of web applications and • Protection of cloud services single sign-on services (e.g. software as a service) • Integration of mobile devices in CRM and Swisscom’s USP is the ability for the user to access services across ERP workflows multiple applications using just one PIN number, thus simplifying • Protection of terminal services and the user experience and encouraging persistent use across remote desktop multiple platforms. • Integration in complete solutions (e.g. authentication gateways and web application firewalls) 4 Swisscom Mobile ID Swisscom Mobile ID 5 Key success factor: Authentication, not identification: A key difference in Swisscom’s offering to that of other mobile signature services is the fact that, although the service uses PKI technology for authenticating the user, there is no actual identity element beyond the user’s mobile number and the MSISDN. This means that, rather than making a Due to the strength of the PKI technology and statement to verify that “John Smith is the cryptographic hardware of the SIM, the accessing x account at this exact moment” authentication adheres to the highest level of (which entails a complex and rigid in-person assurance (Level 4, according to EU Level of identification process for the user), Mobile Assurance standards), in asserting that the ID enables Swisscom to simply state to user is unique and the only one with ability to the relying party that “the same user who access the service. established an account with service X (e.g. personal insurance account) is the same individual who is accessing this account now.” ‘After having spoken to our partner service providers and to the regulatory bodies here in Switzerland with regards to using certificates with the user credentials stored in them, USER INTERNET APPLICATION SERVER DIRECTORY we realised that this was not really necessary. And it did not match with the freedom we wanted for the Mobile ID in that SWISSCOM SERVICE the individual should be able to utilise Mobile ID for many purposes: they should be recognised as both an employee and an ordinary citizen and a bank account holder. If we had chosen to go ahead with the full mobile signature option SIM CARD from the beginning, this would have required many different KEY MATERIAL certificates for each of these “identities,” and different PINs MOBILE NETWORK MOBILE ID SERVER to remember for each one.’ MOBILE PHONE HP Waldegger, Swisscom Mobile ID Business Consultant 6 Swisscom Mobile ID Swisscom Mobile ID 7 From the outset, the Swisscom team determined to ensure that the technical process guides would be open-source, allowing technicians and developers from Key success factor: Product Simplification every client enterprise to access documentation detailing every aspect of technical implementation (including signature codes) via the Swisscom website. The team at Swisscom understood that new business customers would need to evaluate Mobile ID on more than just the highest security criteria if it was going to prove a success. Far too often in the development of new technology products, the needs of IT infrastructure managers and web developers go overlooked, particularly when it comes to integrating the product with existing technical platforms. Underestimating the technical challenges involved in this integration process, or leaving the client to deal with these aspects of implementation, can lead to delays and sometimes significant challenges to the user experience The team developed a standard interface to connect applications and online portals of all kinds to the Mobile ID service (customer platforms, company networks, e-government, other cloud solutions, etc.). SOAP/HTTPS Secure SMS GSM ENVIRONMENT GSM Product-specific documentation designed to help you incorporate Mobile ID in environments