Telefonica, Deutsche Telekom, and Vodafone Deutschland Drop Passwords. What Does That Mean?
As time goes by, fewer and fewer people are willing to say that the traditional authentication mechanism of a username and a password is robust enough to protect our data in the twenty-first century. There's more and more evidence that, against modern hackers, the system is severely flawed, and not surprisingly, technology companies the world over are hard at work trying to find a viable alternative for quickly and securely locking and unlocking our electronic devices and online accounts.
For many people, biometric authentication is the obvious choice, and indeed, fingerprint reading and facial recognition are well and truly a part of our everyday lives now. The problem is that those mechanisms come with their own downsides: although they streamline the login process, there is still a backup password or PIN, which goes to show that biometrics don't contribute a whole lot to people's security. Couple this with the fact that, if they are motivated enough, criminals can accurately replicate the body parts that you use for authentication, and you'll see why, as common as it is, some people are still not willing to adopt biometric authentication.
There is another authentication system which is nowhere near as widespread as biometrics and is still relatively new. Despite this, three major German telecommunication providers think that it is the best way to secure their customers' data.
Telefonica, Deutsche Telekom, and Vodafone Deutschland adopt Mobile Connect
The system is called Mobile Connect. It's developed by GSMA, an organization that represents the interests of over 750 mobile service providers, and it will soon be used by customers of Telefonica, Deutsche Telekom, and Vodafone Deutschland. The idea is that subscribers will be able to use the online services offered by their telecommunication providers without the need to register any accounts or enter any usernames and passwords. There are no biometrics involved, either.
Instead, the user lands on the service provider's online portal, and they enter only their mobile phone number. Mobile Connect then sends an SMS with a link which the user needs to click in order to assure the system that the login attempt is legitimate. After the link is clicked, Mobile Connect automatically generates a code, encrypts it, and sends it to the mobile service provider. Every new login attempt will generate a new, unique code, which means that even if someone manages to somehow intercept and decrypt it, they won't be able to use it. As soon as the portal operator receives the code, it automatically lets the user in. Mobile Connect can be used both as a single-factor authentication system and as a second factor in a 2FA scenario.
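The property described above, a fresh code for every login attempt that is useless once it has been presented, can be sketched as follows. This is an added example, not GSMA's or any operator's code: the class, the function names and the 120-second validity window are assumptions, and the encryption of the code in transit is left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed validity window; the article does not give one

class LoginCodeStore:
    """Issues one random code per login attempt and accepts it exactly once."""
    def __init__(self, ttl=CODE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # attempt_id -> (sha256(code), phone number, expiry)

    def issue(self, msisdn):
        """Called once the SMS link is confirmed; returns (attempt_id, code)."""
        attempt_id = secrets.token_urlsafe(16)
        code = secrets.token_urlsafe(32)  # unpredictable, never reused
        digest = hashlib.sha256(code.encode()).digest()  # store a hash, not the code
        self._pending[attempt_id] = (digest, msisdn, self._clock() + self._ttl)
        return attempt_id, code

    def redeem(self, attempt_id, code):
        """Return the phone number on success, None on replay, expiry or mismatch."""
        # pop() consumes the attempt on first presentation, right or wrong
        entry = self._pending.pop(attempt_id, None)
        if entry is None:
            return None
        digest, msisdn, expiry = entry
        if self._clock() > expiry:
            return None
        presented = hashlib.sha256(code.encode()).digest()
        return msisdn if hmac.compare_digest(digest, presented) else None

def demo():
    now = [1_000.0]  # controllable clock so expiry can be shown offline
    store = LoginCodeStore(clock=lambda: now[0])
    number = "+49 000 0000000"  # constructed sample number
    a1, c1 = store.issue(number)
    first = store.redeem(a1, c1)    # legitimate login
    replay = store.redeem(a1, c1)   # intercepted code presented again
    a2, c2 = store.issue(number)
    now[0] += CODE_TTL_SECONDS + 1
    expired = store.redeem(a2, c2)  # code presented too late
    a3, _ = store.issue(number)
    cross = store.redeem(a3, c1)    # old code against a new attempt
    return first, replay, expired, cross, c1 != c2

if __name__ == "__main__":
    print(demo())
```

Single use only limits replay of a captured code. It does nothing about the SMS link reaching the wrong handset, which is the risk the article raises later for unlocked phones and SIM swapping.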
How does Mobile Connect compare to the traditional login mechanism?
You could say that it's a much better option. After all, as we established already, technology companies invest a lot of time, money, and expertise into trying to get rid of the traditional password, and on the face of it, Mobile Connect does seem to achieve the desired result. It also has the edge from a usability standpoint. Tapping a link on a smartphone is much easier than remembering, entering, and/or copy-pasting usernames and passwords, and users are bound to appreciate this.
Let's not forget, however, that Mobile Connect isn't the first password-less authentication system. Like its competitors, it too has its problems.
A successful login attempt with Mobile Connect is dependent on the user having their mobile phone with them. While we rarely let these small devices go, we do occasionally end up without them or without charge in their batteries. We also lose and break them more frequently than we want to admit, and our overall understanding of mobile device security leaves a lot to be desired.
Although locking down a smartphone is not exactly rocket science, many people still fail to do it for a variety of different reasons, and if Mobile Connect is used as an authentication mechanism, an unlocked phone is as good as the world's worst password. And even the best phone locking mechanisms can't protect you if you're targeted by a SIM swapping attack.
All in all, it's fair to say that Mobile Connect isn't perfect. We mustn't discard it as a useful security feature, especially when it's used as a second authentication factor, but we also need to be aware that it too can be susceptible to a number of different attack scenarios. The customers of the three German telecommunication providers that are adopting it should enjoy the convenience of having fewer passwords, but they also need to bear in mind that the system they're using carries its own potential risks.