Identity and authentication in Africa

09 March 2022

Dario Betti, CEO, Mobile Ecosystem Forum (MEF)

It’s time to review your organisation’s approach and how it fits the world outside, writes Dario Betti, CEO, Mobile Ecosystem Forum (MEF).

The wave of digital transformation triggered by the pandemic has changed many organisations quickly – from governments to restaurants, organisations are now getting digitally ready. How has that impacted Africa? The region has seen a bout of growth in fintech, but an industry without strong foundations in identity and authentication is not a stable construct. There is some good news here, but a lot of work still to be done. There are some important considerations to be made at a global level too.

African markets have embraced biometric solutions. These are solutions that measure a person’s unique physical characteristics, usually through fingerprint, face or eye recognition. They do not require high digital literacy, which can be positive in some parts of the market, but they usually require a more advanced or specialised device. Solutions like that are more common for government use or for gatekeeping, where an office or institution may check identity digitally. For instance, in Zimbabwe the Public Service Commission (the government / civil service) implemented a biometric index of its workers. The scheme captured the fingerprints, DNA, iris and retina patterns of every official within government. It was announced in 2018 and rolled out in 2018. It showed that 3,000 salaried workers were non-existent. This large deployment has not yet been a truly digital identity solution, but it is a welcome first step showing good results for the nation.

Many countries’ laws on biometrics are still not truly ready for the digital age. However, there are already 24 countries with laws and regulations to protect personal data. We have often commented at MEF on the South African POPI (Protection of Personal Information) and found it to be an advanced piece of legislation.

Unsurprisingly though, mobile remains the major identity solution for African countries. Many people in Africa still lack identity numbers or other forms of formal identification, yet now all aspects of daily life are converging to mobile. People are accessing services and curating a digital identity through their phones, and this trend is already particularly strong in financial services where many use mobile wallets.

Take M-Pesa, the mobile money success in Kenya. It is an example of success in Africa, but it also shows how important it is to keep innovating on authentication. In 2017, Safaricom gave merchants access to photo identification technology in an attempt to limit fraud on its payment platform. Special, pre-programmed smartphones were given to M-Pesa agents to verify the identity of customers. These handsets allowed comparison, via an app, with the photo taken of the user at the moment of SIM registration. M-Pesa’s success made it more vulnerable to the attention of criminals and fraudsters.

In 2020, it became compulsory in Tanzania to register each SIM card against the biometrics of its user. In a successful move, the government found a way to distribute the equivalent of a digital ID card, linked to biometrics and effectively based on a mobile phone, to the mass market.

There are many mobile solutions for authentication, and in Africa just as in Europe, one-time passwords, or codes sent to a nominated/registered phone number, are growing in importance. The use of these services also makes it possible to reach users who are not on data networks, or who do not want to spend money on data access. Two-factor authentication (2FA) is now a mandatory requirement in most jurisdictions across Africa. Most of the banks and payment service providers across the continent have met this requirement with SMS OTP.

Myriad is a company that specialises in authentication for the African market and has championed the commonly used USSD channel. USSD is a signalling message presented temporarily on a phone screen. The content is not stored on the phone; it is a string of content or a menu of up to 182 characters. It is available on old 2G devices as well as smartphones. This old GSM standard provides a basis for digital banking.

Security in personal data, authentication and identities is hardly an Africa-only problem. In 2015, global fraud amounted to US$3tn. By 2025 the figure from fraud and cybercrime will reach US$10.5tn. The implication is that identity and access management to services are now the Trojan horse for fraudsters worldwide.

What is the role of mobile in these personal data and authentication scenarios? Mobile is a truly personal service, always present and mass adopted: it has carved out a role as an identifier. What is emerging is, firstly, a pronounced move towards device-based technology, using the hardware device itself to authenticate the user and produce a result, such as face ID or fingerprints. Secondly, there is the role that the mobile operator can play by using the unique assets of a mobile device and knowledge of the SIM. One application that leverages the SIM is ‘Mobile Connect’, which has been very successful in India. A solution like this could ask users to confirm a PIN code via their phone’s SIM.

The solutions are still widely fragmented, though; it should not be surprising that authentication overall is a fragmented market. The level of security required by each action is different, as is the acceptable level of ease of use for authentication or verification. To approve a large bank payment, you might want to use a highly secure method and be happy to wait a few more seconds, but to check your medical records or pay for your groceries you might have different expectations of security and immediacy.

Finally, we are seeing significant growth in approaches that are independent of both the device and the mobile operator, and which can be used when a device is unavailable, such as when it is lost or out of a coverage area. A mobile identity (as well as other biometrics) would be maintained through a cloud-based interface or another distributed means of authentication.