There is the potential that the secure element(s) in the smartphones could in the not-very-distant future be used by any of us as secure storage of sensitive information, digital keys, and even applications. This would be a transformative change in securing our businesses and private lives.
Let’s look at the factors which could enable this development:
There is a significant new development in the regulatory framework, at least in Europe.
“The European Parliament has adopted the Digital Markets Act (DMA) that will obligate Apple, Google, and other “gatekeeper” technology companies to allow app developers and third-party service providers access to device functionalities “such as near-field communication technology, secure elements, and processors, authentication mechanisms and the software used to operate those technologies”.
DMA paves the way for the flexible use of the secure elements. However, to really leverage the potential created by the new regulation an adequate ecosystem needs to be established. This may have the consequence of some further regulatory involvement.
There are more types of secure elements – chip cards – in the smartphones than ever before. The removable SIMs (UICC) in various form factors, the eSIM and iSIM, as well as the embedded secure elements without the SIM functionality. All these chip cards could theoretically be used as secure storage devices.
There are almost 7bn smartphone subscriptions worldwide, with annual smartphone deliveries of over 1.5bn annually, including the new type of personal devices, the smartwatches. All these phones have at least one secure element inside, which could be utilized by secure applications.
Most of these smartphones are also NFC capable. The secure applications/services could not only be used for securing online transactions but also for communication with various reader devices, POS terminals, gate readers, controllers, etc.
It seems that we are getting closer to application interoperability as well. “The GSM Association has released a new requirement specification for Secured Applications for Mobile (SAM). This specification describes how cellular connected devices (e.g. smartphones) may use secured applets within an eUICC (embedded universal integrated circuit card).”
This is the most difficult part of the concept, requires the most work, because practically nothing has been achieved in this respect so far. Without the right operating model, the DMA cannot achieve its desired effects either.
The concept must be based on an app store-like customer service model, must assure application security through a certification program, and also must achieve technical transparency for the service providers. A seamlessly integrated supply chain must be established.
In this complex ecosystem, I just consider the key stakeholders, who must transact with each other, in an ad hoc manner, potentially also without long-term agreements and without bilaterally pre-negotiated financial conditions. The key actors are: consumers; service providers; secure element issuers (owners).
The axioms, which seem to be obvious but have been questioned in the past:
- Security has value that must be paid for;
- Service providers must generate revenues for the services they provide;
- Provisioning secure storage capacity costs money which needs to be recovered from revenues.
The point of the story is that customers will need to pay for secure mobile services. This is not an uncommon business model even in the telecom sector as premium/paid apps are widely used. The fees charged to customers must cover the revenues of the other two parties.
Market and demand
Earlier, everyone was searching for the “NFC killer application”. Obviously, no one found it, as such a service does not exist. But today there are already so many potential use cases that we do not even need to search any longer. So, let’s see the most relevant ones:
Mobile payment: Mobile payment became mainstream already today with Google Pay, Apple Pay, Samsung Pay, Ali Pay, PayPal, etc. Emarketer expects 1.31 billion people to use mobile payment this year.
Mobile ticketing: The technology has been implemented in numerous large cities worldwide and the penetration continues. Several million people use it day after day and its expected value is forecasted to exceed US 10Bn this year.
The rising demand for smart ticketing from sports, entertainment, and tourism sector is another opportunity for using secure smart communication devices in the ticketing sector.
Digital ID: Digital ID is a relatively new phenomenon, but with a global reach, great legislative support, and a vast prospective market. The European Commission, ICAO, IATA, the World Bank, and many countries have related initiatives.
Identification and Access Management (IAM): IAM is another domain where chip cards have long been used and which could be revolutionized by introducing the secure mobile application technology.
FIDO (Fast ID Online) creates a new key pair during registration. User retain the private key in a secure device and register the public key with the online service. Authentication is done by proving possession of the private key to the service by signing a challenge. FIDO is supported by all major browsers.
Cold wallets are used in the crypto world to store larger amounts of crypto offline, as a protection of the funds. The secure mobile architecture would be a great alternative providing the secure storage with an always-on capability.
Front-end Access Management (FEAM) combines the best features of FIDO and OAuth. A chip card is used for authenticating the user, authorizing the transactions, and generating the web tokens to be used for accessing the protected resources. The technology can be used for both online and offline access.
Bring Your Own Device (BYOD) received real meaning and importance with widespread remote work practices. The secure elements could well be used for securely authenticating the users’ communication devices thus substantially improving enterprise security.
The above list contains only a handful of potential use cases that could well leverage the potential of secure mobile services.
In summary, we can determine that most conditions, except the integrated supply chain and the associated business model, are ready for the breakthrough change of using the chip cards inside the smartphones and smartwatches for our personal security purposes.
If you want to know more details and potential consequences of the “secure application on the SIM concept” read this Whitepaper.