Authentication on Mobile for Africa – what are the options and risks
Robust ID and authentication are central to the development of a digital economy - we explore the options available on mobile for Africa and the pros and cons of each.
Robust ID and authentication are central to the development of a digital economy. However, traditional systems of ID are insufficient to meet the needs of a digital economy.
As the default ID system for many digital services, email and password provide a very weak form of authentication that is easy to exploit. To protect users whose login credentials have been compromised, two-factor authentication (2FA) and multi-factor authentication methods are being rapidly adopted across the industry. Requiring more than one factor to validate a user provides a much stronger and more reliable fraud deterrent.
Below we explore the options available for authentication on mobile and the pros and cons of each.
SMS with one time password
Two-factor authentication using SMS/text is the most frequently used process for mobile authentication. An OTP is sent to the user via SMS to be used to complete a login or authenticate a transaction.
Though this method is safer than a simple email and password, it does have flaws. OTP via SMS can be compromised by fraudsters who:
- Intercept the messages containing OTPs in the network
- Commit SIM swap fraud, where fraudsters pose as a customer to report their SIM card damaged, lost or stolen. The customer’s SIM is subsequently deactivated and a new one activated by the fraudster, who then receives all calls and messages sent to the phone
- Activate call-forwarding, whereby all call and message traffic to the phone is diverted to the mobile of the fraudster
- Trick users into installing malware, which can intercept text messages, including those containing OTPs, on that phone.
Once fraudsters have been able to access the OTP sent via SMS, they can then use these texts to assume the identity of their target and access bank accounts and other sensitive data authenticated through this method.
Another weakness relates to the ‘inside job’. Cellular networks and messaging intermediaries typically store SMS messages and authentication codes. Generally, the short message service centre (SMSC) stores them as plain text before they are delivered to the recipient. This puts the system at risk from corrupt ‘insiders’, who can steal passcodes and intercept messages during transmission.
A different kind of flaw in SMS concerns the reliability of the message flow. It can take many intermediaries to transmit one message. Sometimes these intermediaries use ‘grey routes’ (they go via operators in other countries for reasons of cost). The end result is that messages can take a long time to arrive – or sometimes not arrive at all. When a service provider is sending time-sensitive log-in details, this is clearly unacceptable.
Authentication apps
Purpose-built authentication apps, or authentication functions within apps, are used to confirm a transaction or login. An authentication code is sent to a server to be verified, with the process end-to-end encrypted.
App authentication provides a robust security measure, with a great user experience. However, in the African context, there is the question of addressable market. While SMS is universal, apps require a smartphone to access them and a data connection to use them for authentication purposes.
According to the GSMA only around 33 per cent of Sub-Saharan Africans own a smartphone. Meanwhile, data connections are still relatively rare in Africa. The GSMA says that 550 million Africans will be connected by 2020 – leaving 60 per cent of the population offline. This means that authentication via apps is not a viable solution for service providers to address all customers across Africa. Further to this, service providers cannot guarantee that a user will download an app.
Biometrics
Biometrics add another layer of security to the mobile authentication process. If the PIN is ‘something you know’ and the handset is ‘something you have’, the fingerprint, voice or iris is ‘something you are’.
Biometrics are also intrinsically unique and easy to use. Also, biometrics are usually stored locally – inside the phone, rather than in some remote data farm – which acts as another layer of protection against corrupt third parties.
However, biometric technology is not entirely risk-free. Fraudsters and criminals have copied fingerprints, fooled facial recognition systems and hacked some voice-recognition software.
In reality, these risks are still minimal. The bigger problem in an emerging region like Africa is availability. Simply, not many people have smartphones, and still fewer have the kind of premium devices that support biometrics.
Out of Band Authentication via USSD
Out of band authentication (OBA) requires that the channel used to authenticate a transaction or login is separate from the channel used to initiate the transaction or login. Using OBA provides an additional layer of security, because if the channel being used to initiate a login or transaction is compromised, authentication will not be completed over the same channel.
OBA via USSD is a popular choice for mobile authentication in Africa because it provides a powerful authentication method and provides access to 100% of a service provider’s addressable market. USSD (Unstructured Supplementary Service Data) is a communication technology that is used to transfer data between mobile devices and a network in a safe, secure and temporary manner.
Why USSD technology works for authentication in Africa
- It’s universal
USSD runs on any GSM handset, from the most basic feature phone upwards, and therefore does not require a data connection to send or receive messages.
- It is real-time and session-based
USSD messages are up to 182 alphanumeric characters long. Unlike SMS, USSD messages exist only in real-time during a USSD session, which allows a two-way exchange of information. Thus, USSD is more responsive and immediate than SMS.
- USSD messages are not stored or held by any third party
As stated above, USSD is session-based. It is only ‘live’ for the duration of the session. Therefore, no third party can store the information and it is not vulnerable to interception or theft.
- It’s instant
USSD messages go direct from the operator to the handset. There is no intermediary to delay this process. That means communications are almost instant – critical with time-sensitive use cases like access and authentication.
- USSD does not incur charges for roaming
Text messages can be notoriously expensive, whereas USSD is free to customers. This is important in some mobile authentication use cases – registering for work as an economic migrant, for example.
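To make the out-of-band flow concrete, here is an added example (not code from the original article or from any USSD gateway) of a service that records a transaction initiated on one channel and confirms it over a separate USSD session, enforcing the 182-character screen limit, a short lifetime matching the session-based nature of USSD, single use, and a PIN attempt limit. The class name, the `enrol_pin`/`initiate`/`ussd_prompt`/`ussd_approve` methods and the injected `now` clock are all assumptions made for the example.

```python
import hmac
import secrets

USSD_MAX_CHARS = 182  # USSD message size limit cited in the text


class OutOfBandUssdAuth:
    """Out-of-band approval: a transaction started on one channel (web or app) is
    confirmed over a separate USSD session. Constructed example; `now` is unix seconds."""

    def __init__(self, ttl_seconds=120, max_attempts=3):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.pending = {}     # msisdn -> pending transaction record
        self.pin_hashes = {}  # msisdn -> (salt, HMAC-SHA256 of PIN), enrolled earlier

    def enrol_pin(self, msisdn, pin):
        salt = secrets.token_bytes(16)
        self.pin_hashes[msisdn] = (salt, hmac.new(salt, pin.encode(), "sha256").digest())

    def initiate(self, msisdn, description, now):
        ref = secrets.token_hex(3).upper()  # channel 1: shown to the user where they started
        self.pending[msisdn] = {"ref": ref, "desc": description,
                                "expires": now + self.ttl, "attempts": 0}
        return ref

    def ussd_prompt(self, msisdn, now):
        rec = self.pending.get(msisdn)  # channel 2: build the USSD confirmation screen
        if rec is None or now > rec["expires"]:
            self.pending.pop(msisdn, None)  # nothing outlives its session window
            return None
        text = f"Confirm {rec['desc']}? Ref {rec['ref']}. Enter PIN to approve:"
        return text[:USSD_MAX_CHARS]  # a screen over 182 chars would fail to deliver

    def ussd_approve(self, msisdn, ref_entered, pin, now):
        rec = self.pending.get(msisdn)  # channel 2: check reference from channel 1 plus PIN
        if rec is None or now > rec["expires"]:
            self.pending.pop(msisdn, None)
            return "EXPIRED"
        rec["attempts"] += 1
        salt, expected = self.pin_hashes[msisdn]
        pin_ok = hmac.compare_digest(hmac.new(salt, pin.encode(), "sha256").digest(), expected)
        if pin_ok and hmac.compare_digest(ref_entered.upper().encode(), rec["ref"].encode()):
            del self.pending[msisdn]  # single use: the pending record is consumed
            return "APPROVED"
        if rec["attempts"] >= self.max_attempts:
            del self.pending[msisdn]  # lock out after repeated failures
            return "LOCKED"
        return "DENIED"
```

The web or app channel calls `initiate()`, and the USSD session handler calls `ussd_prompt()` and then `ussd_approve()` for the same MSISDN, so a compromise of the initiating channel alone cannot complete the approval.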