Our mobile phones have become extensions of ourselves.
They’re our wallets, our communicators, our entertainment hubs, and crucially, our most trusted digital identities. We use many types of work and fun apps that have become an integral part of our lives – all easily accessed with a fingerprint, a face scan, or a quick PIN.
But when we switch to our laptop or tablet for the same apps? Suddenly, we’re back to the familiar friction of usernames and passwords. Typing, remembering, resetting – it’s a jarring interruption to the smooth, secure flow we’ve come to expect on our phones.
Can our laptops and tablets use the trust already established with the mobile device to instantly unlock online applications, without us ever needing to type a username or password?
Yes, we can. The technology, mobile trust transfer, is already here.
What is Mobile Trust Transfer, and How Does it Work?
Imagine you have just enough time to log into your online bank to pay bills before you have to pick up your child from school. You navigate to the website and enter your mobile number, and the webpage shows a QR code. You quickly scan the code with your smartphone. Within seconds, your account is loaded on the screen. You pay your bills faster than expected and are able to fit in a latte before the pickup.
This scenario is enabled by the following technologies:
- Silent network authentication (SNA), which uses a process called header enrichment to passively capture the phone number from a mobile device’s cellular signal with the mobile network operator (MNO), verifying possession and ownership.
- One-time passcode (OTP), where a code is sent via SMS text or voice call to a mobile phone number and is then entered into the online app’s sign-up or sign-in form. This is used if the mobile number is assigned by a carrier that does not support silent authentication.
- Passkeys, where an asymmetric key pair is generated in the secure enclave of the device upon verifying the mobile phone number over Wi-Fi during enrollment. The private key is stored in the secure enclave and the public key, now associated with the verified mobile number, is shared with the server. Subsequent logins via the same device will bypass the sign-in process, resulting in a frictionless experience.
How Does Mobile Trust Transfer Work?
While a user is accessing online services via a laptop or tablet, the service provider’s web server requests a username or an email address associated with the account as the log-in ID. After the user enters the email address, the service provider validates that this account exists. The service provider then sends the mobile phone number associated with the account to Zumigo to verify.
Method 1: Using SNA
Zumigo determines whether the number belongs to a mobile network operator (MNO) that supports silent network authentication. If it does, Zumigo generates a unique QR code associated with the phone number and sends it back to the laptop or tablet.
If SNA isn’t supported, Zumigo generates a one-time passcode (OTP) and delivers it to the phone number associated with the account. The user is prompted to enter the OTP on the screen. Zumigo verifies that the OTP entered matches the OTP that was sent, and only then generates a QR code associated with the phone number.
The user scans the QR code on the laptop or tablet with the device that has the associated mobile phone number. Zumigo extracts the phone number from the mobile data session and verifies that it matches the phone number associated with the account.
If there is a match, the trust from the mobile phone is transferred to the laptop or tablet, and the user is allowed access to the account. If there is no match, then the service provider can present a different authentication method to the user.
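The QR step of Method 1, sketched as an added Python example (not Zumigo's code or API). The token lifetime, the single-use handling, and every class and function name are assumptions made here for illustration; the page specifies only that the scanned number must match the number on the account.

```python
import hmac
import secrets
import time

QR_TTL_SECONDS = 120  # assumed lifetime; the page does not specify one


def normalize(msisdn):
    """Reduce a phone number to ASCII digits so formatting cannot affect the match."""
    return "".join(c for c in (msisdn or "") if c in "0123456789")


class TrustTransferBroker:
    """Hypothetical verifier-side state for the QR step (not Zumigo's API)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token -> (desktop session, account number, expiry)

    def issue_qr_token(self, desktop_session_id, account_msisdn):
        """Return the opaque value to encode in the QR code shown on the laptop."""
        token = secrets.token_urlsafe(32)
        expiry = self._clock() + QR_TTL_SECONDS
        self._pending[token] = (desktop_session_id, normalize(account_msisdn), expiry)
        return token

    def redeem_scan(self, token, network_msisdn):
        """Process a scan. network_msisdn must be the number the operator asserts
        for the mobile data session, never a value supplied by the phone's browser.
        Returns the desktop session to unlock, or None to fall back."""
        entry = self._pending.pop(token, None)  # pop makes every token single-use
        if entry is None:
            return None
        session_id, expected, expiry = entry
        seen = normalize(network_msisdn)
        if self._clock() > expiry or not expected or not seen:
            return None
        if not hmac.compare_digest(expected, seen):
            return None  # mismatch: service provider offers another method
        return session_id


if __name__ == "__main__":
    broker = TrustTransferBroker()
    qr = broker.issue_qr_token("desktop-session-1", "+1 415 555 0100")  # constructed
    print(broker.redeem_scan(qr, "14155550100"))  # matching number unlocks session
    print(broker.redeem_scan(qr, "14155550100"))  # replayed token is refused
```

Binding the token to the desktop session that requested it means a scan can only unlock that one browser session, and a failed or repeated scan forces a fresh QR code.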
Method 2: Using passkeys
When the service provider sends the mobile phone number back to Zumigo, Zumigo uses the installed passkey on the device to verify the authenticity of the identity associated with the phone number. A QR code is then presented on the log-in screen for the user to scan. Upon verification, the trust is transferred to the laptop or tablet, and the user is allowed access to the account. Otherwise, a different authentication workflow can be presented.
What’s the Benefit of a Mobile Trust Transfer?
The headaches associated with usernames and passwords are well known. Transferring the trust associated with a mobile identity can make account origination or access a lot simpler, quicker, more secure and less expensive.
- No password reuse: Since no passwords are required, the risk of credential stuffing and phishing attacks that target weak or reused passwords is dramatically reduced.
- No fear of “quishing,” or QR phishing: Because we extract the phone number to authenticate the user before presenting the QR code, there is no threat of “quishing,” where attackers present QR codes to redirect victims to malicious websites or prompt them to download harmful content.
- Unmatched convenience: Say goodbye to login friction and password fatigue by using the always-on, always available mobile identity authentication to transfer trust to the laptop or tablet.
- Reduced support costs: Fewer forgotten passwords mean fewer support tickets and fewer management expenses.
- Improved experience: A smooth, integrated digital journey across all your devices using familiar and unobtrusive technologies.
The technology to achieve this seamless trust transfer is available today. By embracing solutions that bridge the gap between our mobile and desktop security, we can usher in an era of truly frictionless and highly secure online interactions. Your phone is already your most trusted digital key – it’s time to let it unlock your entire digital world.
Yu-Ting Huang is Sr. Director of Marketing at Zumigo. Comments or questions? Find her on LinkedIn @yutinghuang.