Identity & Authorisation – Time For A Revolution?

March 20, 2024

Written by Alex Lawrence

Some things seem fundamental to the nature of telecoms, such as the use of a SIM or eSIM as a root of trust to manage authentication and authorisation. However, the environment is changing in some fundamental ways.

Increasing numbers of devices and sensors are being connected, which still need authentication and protection but aren’t SIM-enabled.

At the same time, there are ongoing developments to enable the seamless movement of services between Wi-Fi and cellular systems and increasingly to manage that between terrestrial and non-terrestrial services. Ultimately, there are strong arguments for enabling customers – whether IoT devices or personal ones – to use any and all available networks in the vicinity to ensure their needs are met.

While the Wireless Broadband Alliance (WBA) has developed OpenRoaming on Wi-Fi, which goes some way towards a solution, we are currently in a situation where some things have SIMs, some don’t, and the way that authentication and identity are managed varies depending on the type of access network you’re connecting to. Unsurprisingly, some companies are working on alternatives.

Decentralise To Secure

Bloxtel, for example, started out by offering a way to manage decentralised authentication and identity. The company has used this to start offering extra security and authorisation management to private 5G networks, notably as an augmentation to existing SIM-enabled phones.

As Bloxtel points out on its website, even today SIM-based authentication has its risks. “Over $100 million dollars are being stolen every year due to SIM swap attacks,” where hackers use social engineering to take control of the victim’s phone number.

The solution for them is to decentralise identity management. As things stand, a user’s SIM authenticates only to its home network and then the associated permissions are taken forward to other networks via a series of roaming relationships.

However, with a rise in private networking, in solutions making MVNOs simpler and faster to set up (more on this and its implications on 6GWorld soon), and different types of networks getting involved, there must be questions over how reliably this could scale.

Bloxtel CEO Izzo Wane argues that an asymmetric form of authentication, whereby a SIM profile or other secure element holds a decentralised identity that authenticates to a distributed ledger, would scale much more effectively and would remove points of vulnerability in the storage of public keys. Such an approach would allow a device to authenticate directly onto the network it is connecting to.

An Entitled New Generation

NetLync has been exploring the intersection of authorisation with device and network capabilities. While it is not so invested in the underlying identity piece and aims to build, for example, on eSIMs, it has been focussed on what it calls “entitlements.”

This is a method to simplify issues such as service provisioning and device management based upon combining data about the customer’s contract (what services they are contractually allowed to use), the network’s capabilities and the services it can support, and the user’s device status and capabilities. Today, this is being used to simplify things such as device pairing, for example, between a customer’s smartphone and smartwatch.

However, Product Evangelist Gary Waite spoke to 6GWorld recently about the potential to use entitlements in different ways.

For example, telecom providers are obliged to go through Know-Your-Customer processes upon sign-up for services and have access to information such as age. Connecting to an entitlement server would enable, for example, access to services which are age-specific in a way which means:

  • The actual age of the customer is not disclosed, simply that they are or are not old enough.
  • The information is coming from a verified source as opposed to somebody simply clicking a button to say they are of a certain age.
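
A sketch of the yes/no age entitlement described in the two points above, as an added example that is not NetLync's code or API: the entitlement server holds the KYC date of birth and releases only a signed boolean, bound to one service, one request nonce and a short lifetime. All names, the sample records and the HMAC shared key (a stand-in for whatever signature scheme a real deployment would use) are assumptions.

```python
import base64, hashlib, hmac, json
from datetime import date

# Constructed sample data: operator KYC records and a key shared with one service.
KYC_DB = {"sub-001": date(2010, 6, 1), "sub-002": date(1990, 1, 15)}
SERVICE_KEYS = {"concert.example": b"constructed-demo-key"}

def _age_on(dob, today):
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def issue_age_claim(subscriber, audience, min_age, nonce, now, today):
    """Entitlement-server side: answer 'is this subscriber at least min_age?'.
    The claim carries no date of birth, age or subscriber identifier."""
    claim = {
        "aud": audience, "nonce": nonce, "exp": now + 60,  # valid for 60 seconds
        "min_age": min_age,
        "over": _age_on(KYC_DB[subscriber], today) >= min_age,
    }
    body = json.dumps(claim, sort_keys=True).encode()
    tag = hmac.new(SERVICE_KEYS[audience], body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())

def verify_age_claim(token, audience, min_age, nonce, now):
    """Service side: accept only a fresh, untampered claim made for this request."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False
    expected = hmac.new(SERVICE_KEYS[audience], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    claim = json.loads(body)
    # Audience, nonce and expiry checks stop a claim being replayed elsewhere or later.
    return (claim["aud"] == audience and claim["nonce"] == nonce
            and claim["min_age"] == min_age and claim["exp"] > now
            and claim["over"] is True)
```

The service learns that the check passed or failed and nothing else; the checks on `aud`, `nonce` and `exp` are what separate this from a self-declared "I am over 18" flag that could be copied between sessions.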

While this is perhaps a nice-to-have today in many web-based interactions, when we start moving towards services or topics relating to AR, for instance, or metaverse interactions then it may start to become more significant as a way to simplify the user experience.

For a very basic example, it isn’t hard to see how entitlements might work to enable access to different areas within a metaverse environment. Maybe NTT customers will be able to access a concert in the metaverse automatically while others do not, or only people based within a given geographical area will be able to view content whose performance rights do not extend beyond that.

There may be audio or visual elements at the concert which display differently or enable different types of interaction depending on the type of contract the user has, their age, or the other services they use. In situations like that it’s clearly not desirable to have a variety of pop-up messages appearing and getting in the way of the experience.

Unifying Identity

Meanwhile, private company True I/O has been taking aim at the fundamentals of digital identity verification by proposing a new form of identifier, the UCID [Universal Communication Identifier]. Founder Thomas Carter proposed tokenising equipment identifiers such as the Mobile Equipment Identifier (MEID) administered by the TIA.

“If you attach the MEID to the blockchain, this tokenised version is the UCID,” Carter explained to 6GWorld recently. “You can connect all kinds of information to this for the lifespan of the object and have an immutable record to refer to.”

This might include entitlements or information on the ownership of the device and details of what it is. However, Carter also noted that this might be associated with new forms of information as they develop.

“I am working to coordinate standards on how we locate things in three-dimensional space,” he noted. “This could be very helpful for creating and locating artifacts in augmented reality.”

Standards are a key part of the development of the UCID, according to Carter.

“It doesn’t make sense to push this identifier alone. Standards are a great way both to sanity-test the idea and enable mass adoption. That’s why we’re working with the TIA and other organisations.”

As readers can probably see already, the concept of the UCID would in principle be extensible to any networked item; physical devices with or without SIMs and also virtual items. With the increasing overlap and interplay between physical and virtual objects and systems, thanks to phenomena like digital twins, this may be a helpful way to manage that crossover.

Will it Work, Though?

All this is likely to be very welcome to end-users. In an event exploring “Life Beyond 5G” last year, a variety of thought leaders from different areas all highlighted the importance of trust and verification.

From relationship experts keen to help their family prepare for deepfake scams imitating their voices and appearance through to hip-hop stars who want their fans to be confident that THIS is their authentic online avatar, it is clear that people at large need greater certainty that their interactions online are with the entities they expect. 

While we have seen dystopian versions of what an AR or holographic future might look like thanks to films such as the new Blade Runner version, the new generation of companies and concepts might create something much more digestible for users.

Businesses or individuals might place – for example – Pokémon in a real space where only players of that game would be able to see them. More risqué establishments would be able to place advertisements that minors would simply not have access to. End users might change their entitlement settings to prevent advertising altogether but might create a virtual rainbow above their house which family members could see.

There is, of course, a good deal of innate resistance in the telecoms industry. Change for change’s sake is rarely welcome and there are many people accustomed to current methods of authentication. We may end up simply modifying what is already on offer.

NetLync, for example, has a partnership with Giesecke & Devrient which gives eSIM a continuing position alongside entitlements, while BICS has been working to develop more decentralised roaming systems which might reduce or slow the demand for a new identification process.

Even so, while it remains to be seen who the prevailing players become, it is exciting to see that the basis for identity and authentication management is evolving in ways which are likely to facilitate a new generation of services and networks – and, along with them, more confident end users.

Image courtesy of Kuran Ural on Unsplash
