Today there was a press release that the “big four” US mobile operators are collaborating to provide a universal two-factor authentication system. And we applaud their effort. The real news here, though, is not technical, nor even limited to authentication – it goes to the heart of business opportunity and growth for CSPs in the digital collaboration (services) era. If they get it right, this is a terrific opportunity for the major mobile operators on several fronts:
- It has major implications in terms of their customers’ security and user experience
- If CSPs succeed, it will greatly enhance their reputations as trusted suppliers of secure services, and of security itself – a major opportunity in enterprise
- Two-factor authentication plays to network operators’ “core competencies”, including the hardware and software authentication that already exists on SIM cards, and the complex tuples behind them
- It may provide a stepping stone to the “value added” APIs (digital services) that CSPs so desire to provide, but have had only modest success in
In short, it can launch them into the digital service business they crave, and move them beyond “simple pipes”. And it's a realistic objective that builds on acknowledged strengths.
There is no question that today’s authentication environment is broken. The latest, and worst, breach is Equifax, yet this is but a symptom of the real problem: passwords that are too complex (and too many) to be managed, and at the same time too simple to be secure. NIST recently recanted its long-standing recommendations – that all passwords have a mix of caps, small letters, numbers, special characters and be changed periodically. Why? They were hard for humans to remember but easy for computers to crack – so everyone had a “system” that made them even easier on the machine-enabled crooks.
Two-factor authentication, based on mobile devices, solves all these problems. It avoids human memory limitations. It creates a transparent user experience. It raises the complexity. And it even provides a central location to data-mine for suspicious patterns.
CSPs are inherently in a great position to handle this task. They have (almost) everywhere connectivity, and least-common-denominator methods (SMS). They have strong authentication, a clear identity of users, location data, and a strong culture of process orientation and security.
Too often I see CSPs looking to get beyond their traditional strengths. I have always argued that they simply need to understand what their strengths are, and then exploit them in innovative ways. This is such a case.
In closing I want to emphasize both the strategic fit, and the opportunity behind this relatively innocuous announcement. Technically and operationally, authentication is a uniquely good fit with CSPs – better than with the Webscale providers or banks – the logical competitors. In terms of future opportunity it changes the perception of CSPs from purveyors of pipes, to partners that can exploit a ubiquitous, sophisticated, costly and capable infrastructure. It can lead them into other relationships, as providers of charging, settlement, security, managed secure services and myriad other value added services, offered via digital ecosystems.
I urge the carriers to execute on this strategically, and potential vendors and partners to consider how to improve and leverage this opportunity.
Grant Lenahan
Partner and Principal Analyst, Appledore Research Group, LCC