It is not a new trend, but as we are becoming increasingly connected, a unique identifier for people is becoming increasingly important. Created in 1936, the original sole purpose of the social security number (SSN) was to track Social Security benefits. Almost all Americans have one, receiving a unique social security number shortly after birth usually at the same time the birth certificate is being processed. The uniqueness of the SSN number lends it much better than names to identify individuals in the employment records of people, for bank purposes, insurance records. The problem is that it is being used for purposes it was never designed for which opens the floodgates to fraud and criminal activity such as identity fraud.
With the advent of the mobile phone, telephone numbers transformed from a way to reach a family to reaching an individual. Wireless local number portability, introduced in 2003, has allowed customers to take their number with them when they change operators. Combined with essentially full mobile penetration, the result is that people are rarely changing their mobile phone number anymore and the number has become almost an extension of the person.
What differentiates the phone number from the social security number is the extensibility and the built-in security of the phone number and the associated device. Mobile phones, especially in the US, are the thing that is around us more than anything else. People will leave their home without their keys, they will leave their home without their wallet, they will leave their home without underwear, but they won’t leave their home without their mobile device. It is with us all the time. This always on the person, makes the time lap between a theft and the reporting of the theft very short. You know immediately when your phone is gone missing. For example, every phone and SIM number has a unique identifier which is registered with the operator’s network. When the phone number associated with the SIM or the phone are no longer in synch, especially when the device appears suddenly at a location far away from where the customer usually is, fraud could be a factor if the phone is being used for a transaction. This is especially true when your phone is active thousands of miles apart within minutes of each other.
People are creatures of habit. There is an old saying in wireless that 90% of the people use their phone in the same places 90% of the time. We generally wake up in the same place, we go the same way to work at the same time, day in and day out. The majority of calls go to the same five people. The wireless identity management ecosphere is able to bring a level of security and flexibility that social security numbers were never designed for and never had nor will have – all tied to a phone number.
The possibilities are endless. The phone combined with a unique ID and behavior pattern can solve our most vexing security problems. Security measures are based on three factors: Something you know, something you have, and something you are.
Something you know is the worst of all the factors. Passwords are something you know and we all know how bad passwords are. Our system for passwords has made it difficult for people to remember and easy for programs to crack. Password retrieval tools are a significant vulnerability to the security of the system. On top of it, people cannot be trusted with passwords. 30% of phishing emails get opened. 97% of users are not able to identify a sophisticated phishing email. Only 3% report a phishing attack to IT or management. Every time a system uses a password for access you know your security system is a failure. Passwords have to die in order for us to be safe.
Something you have is much harder to fake. Authentication tools ranging from RSA fobs to authentication software are one way to make sure that only authorized individuals get access. The phone is just about the most personal device there is and theft is almost immediately reported.
Something you are is the most reliable single factor. Our finger prints or retina is difficult to impersonate. Our behavior pattern of where we go, when we go and what we do is even more difficult to fake.
Just imagine this scenario: You wake up at your home because your phone’s alarm went off at the same time as always, pressing the snooze button twice. As you get up you check your messages and your favorite app. By combining your location with your device interaction both roughly at the same time and the same applications, the system knows you are most likely you. You take a shower and then leave your home at the same time as every workday as you head to the gym. Your phone and car synch their Bluetooth for handsfree calling and you call your mother. Since you regularly stop at your favorite coffee drive through, the system asks you if you would like your usual order. You agree and the system contacts the coffee drive through with your order and the time of arrival based on your normal route, traffic conditions and the length of the drive through line. As you get to the window your latte is hot and steaming. The barista verbally checks you are you, verified by the NFC chip in your phone. The barista hands you your coffee and you get automatically charged for your beverage because your phone number is tied to your favorite credit card. After the gym you head to work, where as you approach your office the phone lets you know which parking spots are still open. Since you are showing up at the usual time and did you usual morning routine, the automatically locked door opens for you as it identifies your phone as you near the door. As you sit down at your desk you boot up your computer. When you are at the login screen, you provide either a fingerprint scan or retina scan with your phone and the computer provides access. The level of security can be tailored to the situation but predominantly relies of factors “you have” or “you are”. Things that are unique and are difficult to give away. Short of a James Bond-type effort such a system that ties together your phone number with your device and your behavior is as secure as it gets.
This is what is possible with a phone number and will become reality in the next few years. Say good bye to password, all thanks to phone numbers and how they are interconnected through your device to other databases, financial institutions and biometric data.