
Mobile Connect and MODRNA: Evolving Mobile Authentication
Learn about the collaboration between Mobile Connect and MODRNA to enhance secure digital authentication leveraging OpenID Connect. Explore how MNOs are providing identity services and how this evolution is shaping the future of mobile authentication.
Presentation Transcript
MODRNA
Torsten Lodderstedt, John Bradley, Bjorn Hjelm
The Mobile Profile
GSMA created Mobile Connect for secure universal digital authentication leveraging OpenID Connect.
The OpenID Foundation MODRNA WG was created to support this evolution. MODRNA stands for Mobile Operator Discovery, Registration, aNd Authentication.
The WG is developing (1) a profile of and (2) an extension to OpenID Connect for use by MNOs providing identity services; this work serves as technical input to Mobile Connect development.
The OIDF's IPR framework ensures that all specifications can be freely implemented.
WG members come from the OpenID community as well as MNOs: Deutsche Telekom, Ping Identity, Orange, Verizon Wireless, Telefonica, Telenor, Telstra, GlobalSign.
Mobile Connect
- Mobile phone number as user identifier
- Mobile phone as authenticator
- MNO as authentication/identity provider
- Replace passwords and hardware security tokens
Mobile Connect Reference Architecture
1. The user clicks on a Mobile Connect button to access a service (service access request to the Service Provider).
2. The service provider requests the authenticating operator from the API Exchange (MNO Discovery).
3. The service provider makes a request for authentication to the MNO's Identity Gateway.
4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities.
Components: Service Provider; MNO Discovery; MNO Identity Gateway and Authentication server, with authenticators SIM Applet, USSD, SMS, Smartphone App, FIDO.
MODRNA WG
The same reference architecture, annotated with the three areas the WG covers: (1) MNO Discovery, (2) Set up credentials (the Service Provider registers with the Identity Gateway), (3) Authentication request.
Flow as before: the user clicks the Mobile Connect button; the service provider requests the authenticating operator from the API Exchange; the service provider makes a request for authentication; the operator selects the appropriate authenticator (SIM Applet, USSD, SMS, Smartphone App, FIDO) depending on the request for assurance and capabilities.
MODRNA Specifications
Discovery (draft-mobile-discovery) - Editors: John Bradley, Torsten Lodderstedt
- Dedicated discovery service
- Account Chooser integration
Client registration (draft-mobile-registration) - Editor: Bjorn Hjelm
- OIDC Dynamic Client Registration with software statements (RFC 7591)
- Mandatory claims in the statements
- Signature algorithms
- Lifecycle management, e.g. revocation of statements/blocking of RPs
Authentication (draft-mobile-authentication) - Editor: Jörg Connotte
- ACR values
- Additional parameters: login_token_hint, context
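The two slides above describe the pieces an RP and an OP exchange: the OP publishes an openid-configuration document, the RP registers using a signed software statement (RFC 7591) that the OP checks for mandatory claims, an allowed signature algorithm and revocation, and the RP then sends an authentication request carrying acr_values and validates the returned ID token. The following Python is an added example written for this page, not code from MODRNA, GSMA or any of the drafts; the discovery document, issuer URLs, the set of mandatory statement claims, the revocation list and the shared keys are all constructed placeholders, and the stdlib HS256 JWT helper stands in for a proper JOSE library.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# --- minimal HS256 JWT helper (stdlib only; a real RP or OP would use a JOSE library) ---
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims: dict, key: bytes) -> str:
    head, body = _b64(b'{"alg":"HS256","typ":"JWT"}'), _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def jwt_verify(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") not in allowed_algs:  # refuses "none" and any non-listed alg
        raise ValueError("disallowed JWS algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))

# Constructed openid-configuration, as an RP would fetch from <issuer>/.well-known/openid-configuration
DISCOVERY = {
    "issuer": "https://op.example-mno.test",
    "authorization_endpoint": "https://op.example-mno.test/authorize",
    "token_endpoint": "https://op.example-mno.test/token",
    "registration_endpoint": "https://op.example-mno.test/register",
    "acr_values_supported": ["2", "3"],
}
STATEMENT_ISSUER = "https://exchange.example.test"      # placeholder software-statement issuer
STATEMENT_KEY = b"shared-secret-with-statement-issuer"  # constructed
REVOKED_STATEMENT_IDS = {"stmt-revoked-001"}             # constructed revocation list, keyed by jti
REQUIRED_STATEMENT_CLAIMS = ("iss", "jti", "exp", "software_id", "redirect_uris")  # assumed mandatory set

def validate_software_statement(statement: str, now: float) -> dict:
    """OP side: checks an RFC 7591 software_statement before honouring a registration request."""
    claims = jwt_verify(statement, STATEMENT_KEY)
    missing = [c for c in REQUIRED_STATEMENT_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"statement lacks mandatory claims: {missing}")
    if claims["iss"] != STATEMENT_ISSUER:
        raise ValueError("statement not from a trusted issuer")
    if claims["exp"] < now:
        raise ValueError("statement expired")
    if claims["jti"] in REVOKED_STATEMENT_IDS:
        raise ValueError("statement revoked: RP is blocked")
    return claims

def build_auth_request(client_id: str, redirect_uri: str, acr_values: str):
    """RP side: the authentication request (step 3 of the flow) with a fresh state and nonce."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid", "acr_values": acr_values, "state": state, "nonce": nonce}
    return f"{DISCOVERY['authorization_endpoint']}?{urlencode(params)}", state, nonce

def validate_id_token(token: str, client_id: str, client_secret: str, nonce: str,
                      requested_acrs: str, now: float) -> dict:
    """RP side: issuer, audience, expiry, nonce, and that the OP met a requested assurance level."""
    claims = jwt_verify(token, client_secret.encode())  # OIDC keys HS256 ID tokens with client_secret
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer mismatch")
    if client_id not in aud:
        raise ValueError("token not issued to this client")
    if claims.get("exp", 0) < now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    if claims.get("acr") not in requested_acrs.split():
        raise ValueError("requested assurance level not met")
    return claims

def rejects(check, *args) -> bool:
    """True if the check raises ValueError (used to show the negative cases)."""
    try:
        check(*args)
    except ValueError:
        return True
    return False

def run_demo(now: float = 1_700_000_000) -> dict:
    """Walks registration and authentication with constructed tokens and returns the outcomes."""
    good = {"iss": STATEMENT_ISSUER, "jti": "stmt-ok-001", "exp": now + 3600,
            "software_id": "rp-app", "redirect_uris": ["https://rp.example.test/cb"]}
    url, state, nonce = build_auth_request("rp-app", "https://rp.example.test/cb", "3")
    query = parse_qs(urlparse(url).query)
    idt = {"iss": DISCOVERY["issuer"], "aud": "rp-app", "sub": "pairwise-sub-1",
           "exp": now + 300, "nonce": nonce, "acr": "3"}
    unsigned = _b64(b'{"alg":"none"}') + "." + _b64(json.dumps(idt).encode()) + "."  # alg=none probe
    args = ("rp-app", "rp-secret", nonce, "3", now)
    return {
        "statement_ok": validate_software_statement(jwt_sign(good, STATEMENT_KEY), now)["software_id"],
        "statement_revoked": rejects(validate_software_statement,
                                     jwt_sign(dict(good, jti="stmt-revoked-001"), STATEMENT_KEY), now),
        "request_complete": query["acr_values"] == ["3"] and query["nonce"] == [nonce] and query["state"] == [state],
        "id_token_ok": validate_id_token(jwt_sign(idt, b"rp-secret"), *args)["sub"],
        "weaker_acr_rejected": rejects(validate_id_token, jwt_sign(dict(idt, acr="2"), b"rp-secret"), *args),
        "other_nonce_rejected": rejects(validate_id_token, jwt_sign(idt, b"rp-secret"), "rp-app", "rp-secret", "other", "3", now),
        "unsigned_rejected": rejects(validate_id_token, unsigned, *args),
    }

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The checks that matter for an MNO deployment are the ones the slides call out: the OP only accepts registration statements whose algorithm is allow-listed, whose mandatory claims are present and whose jti has not been revoked (the lifecycle point), and the RP refuses an ID token whose acr is lower than what it asked for, since the operator chooses the authenticator and the RP must confirm the assurance it actually got.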
Auxiliary MODRNA Work
Server Initiated Backchannel Authentication (SIBA) - Editors: Gonzalo Fernandez Rodriguez, Florian Walter
- Mechanism to perform authentication (out-of-band) when there is no user agent available (such as a call center) and the authentication process needs to be initiated via server-to-server communication.
User Questioning API - Editors: Charles Marais, Nicola Aillery
- Mechanism to perform transaction authorizations. Defines an additional OpenID Connect endpoint (UserInfo) that the RP would use (server-to-server) to initiate transaction authorization processes.
Account migration (draft-account-migration) - Editors: James Manger, Torsten Lodderstedt, Arne Gleditsch
- Mechanism to allow the migration of a user account from an old to a new OP.
- Protocol allowing the new OP to obtain the necessary user data from the old OP and to provide every RP with the data it needs to migrate the RP's local user account data in a secure way.
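The SIBA bullet describes a flow with no user agent: the RP (a call center system, say) asks the OP server-to-server to authenticate a user, the user answers on their handset out of band, and the RP collects the result afterwards. The Python below is an added example for this page, not code from the SIBA draft or any MNO; the slide gives no wire format, so the endpoint names, the auth_req_id handle, and the error codes (authorization_pending, slow_down, expired_token) are assumptions modelled on the later OpenID CIBA specification that grew out of this work, and the clock, client registry and phone number are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

class FakeClock:
    """Deterministic clock so the timing rules (poll interval, expiry) can be exercised offline."""
    def __init__(self, start: float = 1_000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def tick(self, seconds: float) -> None:
        self.now += seconds

@dataclass
class PendingAuth:
    login_hint: str        # identifier of the user to authenticate, e.g. the phone number
    binding_message: str   # text shown on the handset so the user can tie the prompt to this request
    created: float
    last_poll: Optional[float] = None
    approved: bool = False

class BackchannelOP:
    """Toy OP: the server side of an out-of-band, server-initiated authentication."""
    def __init__(self, clock, expires_in: int = 120, interval: int = 5):
        self.clock, self.expires_in, self.interval = clock, expires_in, interval
        self.registered_clients = {"rp-callcenter"}  # constructed client registry
        self.pending: Dict[str, PendingAuth] = {}

    def backchannel_authenticate(self, client_id: str, login_hint: str, binding_message: str) -> dict:
        """Step 1: the RP asks, server-to-server, for the user to be authenticated on their phone."""
        if client_id not in self.registered_clients:
            return {"error": "invalid_client"}
        auth_req_id = secrets.token_urlsafe(24)
        self.pending[auth_req_id] = PendingAuth(login_hint, binding_message, self.clock())
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in, "interval": self.interval}

    def user_confirms(self, auth_req_id: str, message_seen: str) -> None:
        """Step 2 (out of band): the user approves on the handset; the shown message must match."""
        pending = self.pending[auth_req_id]
        if message_seen != pending.binding_message:
            raise ValueError("binding message mismatch: user would be approving a different request")
        pending.approved = True

    def token(self, auth_req_id: str) -> dict:
        """Step 3: the RP polls until the user has answered or the request expires."""
        pending = self.pending.get(auth_req_id)
        if pending is None:
            return {"error": "invalid_grant"}  # unknown or already redeemed auth_req_id
        now = self.clock()
        if now - pending.created > self.expires_in:
            del self.pending[auth_req_id]
            return {"error": "expired_token"}
        if pending.last_poll is not None and now - pending.last_poll < self.interval:
            return {"error": "slow_down"}      # RP polled faster than the advertised interval
        pending.last_poll = now
        if not pending.approved:
            return {"error": "authorization_pending"}
        del self.pending[auth_req_id]          # a handle is redeemable exactly once
        return {"token_type": "Bearer", "id_token": f"<id_token for {pending.login_hint}>"}

def happy_path() -> list:
    """Returns the sequence of outcomes an RP sees when the user approves in time."""
    clock = FakeClock()
    op = BackchannelOP(clock)
    start = op.backchannel_authenticate("rp-callcenter", "+15550000000", "Confirm call with agent 42")
    rid = start["auth_req_id"]
    first = op.token(rid)["error"]   # user has not answered yet
    second = op.token(rid)["error"]  # polled again inside the interval
    op.user_confirms(rid, "Confirm call with agent 42")
    clock.tick(start["interval"])
    third = "id_token" in op.token(rid)
    fourth = op.token(rid)["error"]  # handle already redeemed
    return [first, second, third, fourth]

def expiry_path() -> str:
    """Outcome when nobody answers before expires_in elapses."""
    clock = FakeClock()
    op = BackchannelOP(clock)
    start = op.backchannel_authenticate("rp-callcenter", "+15550000000", "Confirm call")
    clock.tick(start["expires_in"] + 1)
    return op.token(start["auth_req_id"])["error"]

def wrong_binding_message_rejected() -> bool:
    """The handset must show the same message the RP bound to the request."""
    op = BackchannelOP(FakeClock())
    rid = op.backchannel_authenticate("rp-callcenter", "+15550000000", "Pay 12.00")["auth_req_id"]
    try:
        op.user_confirms(rid, "Pay 1200.00")
    except ValueError:
        return True
    return False
```

The binding message is the defensive piece worth noticing: with no browser in the loop, the only thing that ties the prompt on the user's phone to the call-center agent's request is a message both sides can see, so the OP refuses an approval that was given for different text, and the one-shot auth_req_id with an expiry bounds how long an unanswered request can be redeemed.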
The Onion
Mobile Connect Profile 1.2 -> MODRNA 1.0 -> OpenID Connect 1.0 -> OAuth 2.0 (each layer profiles the one beneath it)
MODRNA - GSMA Status
- Mobile Connect Profile 1.2 partly incorporates the Authentication spec.
- The collaboration identified and resolved a security issue with the original GSMA account migration proposal, resulting in the MODRNA Account Migration spec.
- Discovery/Credential Management: Mobile Connect Release 2 now utilizes and favors OIDC openid_configuration over endpoint URLs from the OneAPI Exchange.
- MODRNA provides input to ongoing discussions about architecture evolution towards a more distributed approach, based on security, privacy, and operational considerations.
- New specs for transaction authorization and server-initiated authentication (for later adoption by GSMA).
- Regular technical workshops with the GSMA CPAS group have significantly improved collaboration.