A Surakshit Digital India
Today, we exist in two worlds – the organic and the digital…
The Internet is a wonderful enabler. But the Internet was never designed to identify human users; it was designed to identify computers, hence there are IP addresses. Fortunately or unfortunately, we humans do not have IP addresses. The Internet does not have an “Identity Layer”.
In the early days of the Internet, we spent most of our time “browsing” and “surfing” the Internet. Identifying human users was not much of a need; it did not matter much whether I or someone else was browsing the digital service. The Internet, or more accurately the “web”, was read-only.
Later, we started to do interesting things on the Internet, the “web”; we started to do commerce, we started to buy and sell things on the Internet, we started to generate content and started to transact through it. And then it did matter who was transacting on the Internet.
In short, as services over the Internet gathered scale, there was a need to identify oneself to the services. Online usernames and passwords came into being as a stopgap, as the Internet still did not have the “Identity Layer”.
However, in parallel, a quiet revolution was taking shape. Four years after Tim Berners-Lee created the World Wide Web, an equivalent Internet came into being in 1991: the Mobile Network, which allows a person to be connected wirelessly and always online, without ever being challenged to identify themselves.
It does so by using the superpower of the SIM; the “I” in SIM stands for “Identity” after all. The SIM is one of the most inclusive hardware-based cryptographic engines, providing the same level of security and identification whether it is used in an expensive mobile device or in a humble, low-cost device.
Other methods of authenticating the human user on the Internet such as biometrics, Passkeys, SMS OTP, TOTP authenticator apps etc. come and go, but these are always workarounds with caveats – they sacrifice security and user experience for ubiquity and familiarity.
The mobile network connected and identified humans securely and easily on the internet in 1991 using the cryptographic superpower of the SIM. It still does this in 2024.
And it goes beyond just identification – it has valuable signals to protect human users from online fraud, including account takeover fraud through SIM swap, call divert etc. In the age of AI and machine learning, with a strong threat of synthetic identity fraud, dynamic, time-sensitive signals from the mobile networks have immense value because, unlike static demographic data, they cannot be used to train ML models.
Creating the Internet’s missing Identity layer:
The Internet requires one to start from a trust-less position: ‘Identify yourself, prove you are who you say you are.’ The mobile network behaves differently – it does not challenge the human user to identify themselves, it establishes the identity of the human user without the active participation of the human user. The mobile network is “humanised”. The mobile network has had an Identity Layer since 1991.
Sekura.id is building the Identity Layer of the traditional Internet by bringing in the human Identity Layer from the mobile network. To date, the most widely adopted authentication method is the Short Message Service One Time Password (SMS OTP). However, SMS OTPs are only as strong as their weakest link: the user, who may inadvertently share the OTP with those with malintent through social engineering or phishing attacks, or whose OTP may be compromised by rogue applications.
As we always say at Sekura.id: ‘The best password is no password.’ The “P” in OTP stands for ‘password’, which is knowledge and can be compromised.
Biometrics and face recognition are convenient for the user but require user accounts and device binding, and are prone to deepfakes and Generative AI attacks. Lexis Nexis CEO Haywood Talcove talks of Gen AI being a ‘Trillion-dollar fraud problem’.
Major players like Apple, Google and WhatsApp have rolled out Passkeys based on cryptography, but these also have an Achilles’ heel in that they need an account, username, password and 2FA to set up or reset on a new device.
Passkeys use the mobile device for cryptographic key storage and for the cryptographic processes, which is not inclusive. The cryptographic security of the device could be appropriate on expensive smartphones, but what about the human user who cannot afford an expensive smartphone? It is unfair on the human user not to be included under the security umbrella because they cannot afford an expensive smartphone; similarly, it is not fair on businesses.
The future is now: Surakshit Digital India.
SAFr (Sekura API Framework) is a world-class mobile identity security framework that was designed by Sekura.id’s leadership team based on the experience gained in deploying mobile identity services globally, over decades, along with multiple trained machine learning models – it provides overall mitigation against online fraud and assurance to businesses and citizens.
SAFr Auth is the flagship authentication service launched in India, which relies on a key element of the cryptography of the humble SIM card found in every active mobile phone. SAFr Auth harnesses the power of the unhackable and unspoofable cryptography hardware in the SIM to identify humans seamlessly, without the active participation of the human user.
SAFr Auth provides an inclusive security umbrella utilising the SIM as the cryptographic engine. Unlike similar methods such as Passkeys, it does not rely on the mobile device, and it provides the exact same level of security irrespective of the type of mobile device used by the user. It also makes the authentication process invisible for the user – this is the humanisation of Identity.
India embraced the mobile Internet. With the explosion in India’s digital infrastructure, mobile became central to commerce, governance, and banking, to name a few.
The Internet is truly democratised with consumers given choices on not just what they buy but whom they buy it from and who delivers it to them.
The Government of India set into motion astounding digital measures which are the envy of the developed world today: Aadhaar, UPI, ONDC, OCEN and other digital platforms, through the introduction of the DPI and DPG to the world.
The success of Digital India relies on the expectation that every Indian citizen is safe online in terms of privacy and security.
A key objective is inclusion – both financial and social. Regardless of economic or social status, all citizens, whether using the latest iPhone or Samsung device or a modest handset, should be able to experience the same safety and protection from fraud and transact unhindered.
The Indian Government’s determined drive is to ensure every citizen, business, and agency is protected and able to transact safely.
Through SAFr, Sekura.id is already transforming the way Indians log in and transact, and through the rollout of SAFr Auth across India, millions of people are discovering the benefits of the Internet’s missing Identity layer.
The assurance of privacy, safety and security will drive inclusion in the Indian social and financial sphere and go a long way in catapulting India to being the leader of the digital world.
“Sabka Saath, Sabka Vikas, Sabki Suraksha – towards a Surakshit digital India”.
Connect with Gautam Hazari on LinkedIn to stay updated on his latest insights and contributions to the field of digital identity and technology and AI beyond artificial.