
OpenID Foundation MODRNA WG Update


OpenID Foundation MODRNA WG Update at the workshop on October 22, 2018



  1. MODRNA WG: The interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect. October 22, 2018. Bjorn Hjelm (Verizon), John Bradley (Yubico). http://openid.net/wg/mobile/
  2. Purpose • Support GSMA technical development of Mobile Connect • Enable Mobile Network Operators (MNOs) to become Identity Providers • Develop (1) a profile of and (2) an extension to OpenID Connect for use by MNOs providing identity services.
  3. Participants
  4. What is Mobile Connect? • Mobile phone number as user identifier • Mobile phone as authenticator • MNO as authentication/identity provider • Replace passwords and hardware security tokens
  5. Example Use Case
  6. Mobile Connect Portfolio Roadmap
  7. Mobile Connect Reference Architecture (diagram components: Service Provider, MNO Discovery, MNO Identity Gateway, Authentication server; arrows for service access request, authentication request and authentication)
     1. The user clicks on a Mobile Connect button to access a service.
     2. The service provider requests the authenticating operator from the API Exchange.
     3. The service provider makes a request for authentication.
     4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities: SIM Applet, USSD, SMS, Smartphone App, FIDO.
  8. MODRNA WG (the same reference architecture diagram as slide 7, annotated with markers 1, 2 and 3 and a "Set up credentials" step to show where the MODRNA work applies)
  9. MODRNA Specifications
     • Discovery – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html
       – Specifies a way to normalize a user identifier applicable to a mobile environment and MNO. The specification defines the discovery flow for both web and native applications residing on the mobile device.
     • Client Registration – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-registration-01.html
       – Defines how an RP dynamically registers with an MNO by extending OIDC Dynamic Client Registration with software statements (RFC 7591).
     • Authentication – http://openid.net/specs/openid-connect-modrna-authentication-1_0.html
       – Specifies how RPs request a certain level of assurance (LoA) for the authentication, and an encrypted login hint token that allows user identifiers to be transported to the MNO in a privacy-preserving fashion. The specification also specifies an additional message parameter to bind the user's consumption device and authentication device.
  10. Auxiliary MODRNA Work
     • User Questioning API – http://openid.net/specs/openid-connect-user-questioning-api-1_0.html
       – Defines a mechanism to perform transaction authorizations. Defines an additional OpenID Connect endpoint (Resource Server) that the RP uses (server-to-server) to initiate transaction authorization processes.
     • Account Porting – http://openid.net/specs/openid-connect-account-porting-1_0.html
       – Defines a mechanism to allow the migration of a user account from an old OP to a new OP.
       – Protocol allowing the new OP to obtain the necessary user data from the old OP and to provide every RP with the data it needs to migrate the RP's local user account data in a secure way.
  11. CIBA Development
     • Initial work on the Client Initiated Backchannel Authentication (CIBA) specification started to define a mechanism to perform authentication (out-of-band) when there is no user agent available and the authentication process needs to be initiated via server-to-server communication.
       – CIBA specification approved as Implementer's Draft in May 2017.
     • As part of the collaboration with the Financial-grade API (FAPI) WG, the CIBA specification will be split into two specifications to support multiple use cases.
       – The CIBA Core specification defines the flows where the RP initiates an authentication (out-of-band) when there is no user agent available and the authentication process needs to be initiated via server-to-server communication.
       – The MODRNA: Client Initiated Backchannel Authentication Profile addresses the MODRNA requirements for CIBA.
     • The working group scheduled extra calls to resolve open issues, with the plan to have the specifications ready for Implementer's Draft at the end of October.
  12. MODRNA WG Status
     • CIBA development is a priority for the group, to get the specifications ready for Implementer's Draft.
     • Discovery Profile progressing towards Implementer's Draft status in support of market deployment.
       – A U.S. deployment to support mobile-based authentication is leveraging the MODRNA Discovery specification.
     • Account Porting discussion taking place to address options in the first part of the porting flow.
       – The first stage of a porting event is for the New OP to get confirmation from the Old OP that the user wants to port; discussions focused on what can be leveraged from existing MNO porting events to start the porting process.
     • Plan to progress the Authentication Profile towards Final Specification.
       – Effort planned for Nov-Dec, after CIBA development has either been completed or progressed enough to allocate time for this effort.
  13. MODRNA - GSMA CPAS Status
     • User Questioning API being adopted by Mobile Connect as an enabler, based on work done in the MODRNA WG.
       – Mobile Connect product definition and technical effort led by Orange.
     • Possible impact to Mobile Connect from the new CIBA development.
       – Mobile Connect currently supports back-channel authentication in the Server-initiated Profile specification.
     • New work started to add support in Mobile Connect for Token Binding.
       – Based on recently approved IETF RFCs, and aligning with the OpenID Connect Token Bound Authentication spec in the EAP (Enhanced Authentication Profile) WG.
       – Token Binding is also considered and supported by the MNO community.
  14. Thank you http://openid.net/wg/mobile/
