Business Reporter

Oh, it’s you. From passwords to SMS to mobile wallets

Rampant account takeover fraud has exposed the weakness of most digital authentication. So what methods could solve the problem? And how will they pay for themselves? Dario Betti at the Mobile Ecosystem Forum explores the changing world of digital authentication.


Who are you? And how can you prove it?

 

These questions didn’t get asked very much in the old ’analogue’ world. Maybe when you were applying for a loan, or trying to enter a foreign country. But buying a pair of shoes? Not so much. Your identity didn’t matter in a world of face-to-face shopping and cash payments.

 

Now, identity matters a lot. In digital spaces you could be anyone. Which means you might be a criminal spending someone else’s money. Or a fraudster trying to steal someone else’s identity. From the earliest days of the internet there were few more important questions than: can you prove you are you?

 

Before we dig into why, let’s establish the basics of identity and authentication. Identity might be described as a set of facts about you: name, address, age, nationality etc. These facts aren’t necessarily secrets, but together they add up to a single unique ID. Now, once you register your ID with an organisation, you need to protect it. This is where authentication comes in. It is the method that ensures only you can unlock your ID and access your account.

 

Regrettably, the first authentication solutions were mostly terrible. People were asked to protect their accounts with a password and maybe a secret (like their mother’s maiden name). The fundamental problem with these methods is that they rely on ’something you know’. They are supposedly secret facts, but criminals can easily steal or phish them using social engineering.

 

 

The two-factor factor

Digital stakeholders eventually realised that it would be much more secure to add a second form of authentication: something you have. The most obvious ‘something’? Your mobile phone. And so began the ‘two-factor’ age of digital authentication, which revolved around the SMS one-time passcode (OTP). The idea was simple. Consumers were asked to provide their mobile phone number when signing in. The service would send an OTP, which the user would receive as a text message. They would type it in to authenticate themselves.

 

This method works because it prevents fraudsters from mass-harvesting sensitive details. For a few pennies per user, enterprises could lock out most fraudsters. But the SMS OTP method has flaws. Criminals have found ways, such as SIM swap, to control users’ accounts and intercept their passcodes. In fact, so-called account takeover fraud drained $262 million from US bank accounts alone in 2025, according to the FBI.

 

Meanwhile, dishonest OTP service providers have added to the pain. They use ’SMS trashing’ to set up and monetise fictitious accounts. Happily, the mobile industry has devised technical schemes to detect SIM swaps and root out most of the bad actors. This is why, despite its challenges, the OTP remains effective – in combination with other techniques.

 

 

Upping the game: passkeys, APIs and wallets

Thankfully, new ideas have emerged. In-app authentication is one. Banks, for example, frequently ask customers to open their banking app to approve a transaction. It’s a solid use case, but clearly not every company has the scale to deploy this option. For this reason, new authentication ideas are gathering support. We can group them into three main types.

 

Device passkeys. This method uses biometrics to unlock cryptographic keys stored securely in a device. Passkeys are easy to use and resistant to most fraud, but they only indicate that a trusted device is being used. They don’t identify who the person actually is. This is fine in many cases, but not all.

 

Network APIs. This method uses signals like duration of SIM tenure, recent device changes, location and behavioural anomalies to assess if a device can be trusted. These indicators cannot be forged by malware, deepfakes or synthetic identities.

 

Wallets. The new breed of digital identity wallets could bring the biggest change of all. Here, a customer downloads a wallet and stores inside it a range of encrypted credentials (passport, driver licence, age, professional qualification etc.). When asked to prove something, he/she simply shares the identity attribute. Wallets put users in control of their data, and they also allow for ’selective’ disclosure. In other words, a person can prove they are over 18 without giving any other personal details.
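
The selective disclosure described above can be built from salted hash commitments, the approach used by formats such as SD-JWT. The article does not name a mechanism, so this is an added example, not code from the article or from any wallet scheme. It assumes an HMAC with a shared key as a stand-in for the issuer's public-key signature, and the credential values are constructed.

```python
import hashlib, hmac, json, secrets

ISSUER_KEY = secrets.token_bytes(32)  # assumption: HMAC stands in for the issuer's signature


def _digest(salt: str, name: str, value) -> str:
    # Commitment to one claim; the random salt stops guessing of low-entropy values.
    blob = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def _sign(digests: list) -> str:
    return hmac.new(ISSUER_KEY, "\n".join(digests).encode(), hashlib.sha256).hexdigest()


def issue(claims: dict) -> dict:
    """Issuer: commit to every claim, sign only the sorted digests."""
    salts = {name: secrets.token_hex(16) for name in claims}
    digests = sorted(_digest(salts[n], n, v) for n, v in claims.items())
    return {"claims": claims, "salts": salts, "digests": digests, "sig": _sign(digests)}


def present(credential: dict, reveal: list) -> dict:
    """Holder (wallet): disclose only the chosen claims with their salts."""
    disclosed = [[credential["salts"][n], n, credential["claims"][n]] for n in reveal]
    return {"digests": credential["digests"], "sig": credential["sig"], "disclosed": disclosed}


def verify(presentation: dict) -> dict:
    """Verifier: check the issuer's signature, then each disclosed claim."""
    if not hmac.compare_digest(_sign(presentation["digests"]), presentation["sig"]):
        raise ValueError("issuer signature invalid")
    verified = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in presentation["digests"]:
            raise ValueError(f"claim {name!r} was not issued")
        verified[name] = value
    return verified


# Constructed sample credential, not real data.
CREDENTIAL = issue({"name": "Alex Example", "birth_date": "1990-04-01",
                    "nationality": "XX", "age_over_18": True})
PRESENTATION = present(CREDENTIAL, ["age_over_18"])

if __name__ == "__main__":
    print(verify(PRESENTATION))
```

The verifier receives only opaque digests for the undisclosed claims, so it learns that the holder is over 18 and nothing else. A production wallet would also bind the presentation to a key held on the device so that a captured presentation cannot be replayed by someone else.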

 

After many years of speculation, the age of ’sign in with digital wallet’ is becoming a reality. A number of private wallet specialists (ID.me, Yoti etc.) are making progress in many regions, mostly helping people to prove their age. And official national schemes are launching all over the world too. In 2025, for example, Malaysia mandated that telcos must use the official MyDigital ID tech to verify and on-board customers. This prevents scammers from registering a SIM with another person’s details.

 

Meanwhile, in the US, around 20 states now authenticate people using a mobile driver’s licence stored in the Apple or Google Wallet. But the biggest initiative of all is the European Digital Identity (EUDI) Wallet, which will launch across all 26 states in late 2026/2027. It will store multiple secure credentials and could completely transform digital authentication in years to come.

 

 

Show me the money

The unanswered question for the wallet model is how it pays for itself. There is still no agreed approach, although the main options are as follows: 

  • Verifier pays. Here, the company authenticating a person pays the company providing the secure credentials each time a verification occurs.
  • Holder pays. The consumer might be prepared to pay in niche cases where extra value is provided.
  • Hybrid model. A mix of fees from verifiers, issuers, and end users, depending on the attributes being verified.
  • Company subsidies. In some cases, when a wallet supports products or services, a company might subsidise transactions.
  • Public subsidies. Government might fund some wallets and transactions for public services.

 

An evolving space

Obviously, it’s impossible to predict how the digital authentication space will evolve. But what is clear is the collective drive to bolster defences against rampant account takeover fraud – and also to give people more control over their data. The challenge is to build robust systems, while ensuring that everyone gets paid. 

 


 

Dario Betti is CEO of MEF (Mobile Ecosystem Forum), a global trade body established in 2000 and headquartered in the UK with members across the world

 

Main image courtesy of iStockPhoto.com and nyaberkut


© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543