Strong Authentication: Mobile Connect & FIDO
FIDO Summit, 9th May 2016
Copyright © 2016 GSMA. The Mobile Connect logo is a trade mark registered and owned by the GSMA.
About the GSMA

The GSMA represents the interests of mobile operators worldwide. Spanning more than 220 countries, the GSMA unites nearly 800 of the world’s mobile operators, as well as more than 230 companies in the broader mobile ecosystem.
Online privacy and security is the biggest threat to sustainable digital growth
Personal Data – Mobile Connect (slide 3)

The Challenge
• Digital services rely on username + password or social login to identify users
• However, these are:
  • … hard to remember for users
  • … a source of security and personal data breaches
  • … difficult to use to prove identity digitally
• This leads to abandoned log-ins and shopping carts, online fraud and high data costs

The Solution
• By using the inherent security of the mobile device (‘something I have’) that is always with customers, secure and convenient access to digital services can be unlocked with the use of a secret PIN (‘something I know’)
Mobile Connect: a convenient alternative to passwords that protects consumers’ privacy

The key which unlocks access to online services

Mobile Connect – an Operator service for secure authentication and identification:
• Convenient for the user – leverages their existing phone number as a standard and unique identifier
• Delineates between consumption device and authentication device
• Distributed, federated framework with global discoverability
• Pluggable approach to embrace new authentication mechanisms
• Modular, extensible toolkit to support a roadmap for new capabilities & services
Mobile Connect has grown at an exceptionally rapid pace, and is today available to more than 2.5bn mobile users worldwide

[Chart: Mobile Connect availability by month, Apr 2015 to Mar 2016, with milestones and the countries launching at each: 26m; 42m (Australia); 70m (Bangladesh); 85m (Spain); 178m (Peru, Turkey, Argentina, Mexico); 622m (Indonesia, Spain, China, France, Italy); 2 billion (Malaysia, Bangladesh, Indonesia, Myanmar, Switzerland, Thailand, Philippines, Finland, China, Morocco, Egypt, Mexico, Pakistan); 2.5 billion (Thailand, India, Sri Lanka).]
Service providers can sign up at https://developer.mobileconnect.io

[Screenshot of the developer portal sign-up form, with one tick box for global acceptance and one for individual country acceptance.]
Decoupled architecture; two key areas of consistency; importance of standards

[Architecture diagram: the user’s tablet/desktop sends a service access request to the Service Provider, which sends an authentication request to the MNO’s Identity GW; the Identity GW drives an AuthN server that reaches the SIM applet on the user’s phone over the SIM applet protocol (CPAS8). Authenticator options shown: SIM applet, smartphone app, SMS+URL and USSD. The two areas of consistency are a consistent user experience and a consistent SP experience. Standards referenced: builds on the Web standard OAuth 2.0; ETSI TS 102 204.]
Mobile Connect and FIDO both seek to replace passwords

[Diagram: the password factor (‘something I know’) alone, versus the mobile factor (‘something I have’) combined with either ‘something I know’ or ‘something I am’.]
FIDO and Mobile Connect have a common approach

• Both FIDO and Mobile Connect are addressing the same problem: easier, safer online authentication
• Both FIDO and Mobile Connect leverage the mobile phone to achieve this
  • Whilst Mobile Connect uses existing MNO services for authentication (SMS, USSD, SIM Toolkit) …
  • … FIDO leverages the local device authentication on the phone itself
• In doing so, both provide easy, secure two-factor authentication
• Both also provide a pluggable framework that can support a variety of security levels as well as supporting new authentication methods as they arise

[Same factor diagram as the previous slide: ‘something I have’ combined with ‘something I know’ or ‘something I am’, versus ‘something I know’ alone.]
Mobile Connect leverages FIDO to expand the set of Authenticators

[Layer diagram: Federation; Authentication; User Management; Physical-to-digital identity. Authentication draws on network-based authenticators (USSD, SIM applet etc.) and device-based authenticators; User Management draws on existing MNO CRM databases; Physical-to-digital identity draws on existing MNO KYC processes.]
FIDO integrates into Mobile Connect as an optional authenticator subsystem

[Architecture diagram, as on slide 7, with FIDO added: the tablet/desktop sends a service access request to the Service Provider, which sends an authentication request to the MNO’s Identity GW (the “first mile”). On the “second mile” the Identity GW can use either the existing AuthN server and SIM applet over the SIM applet protocol (CPAS8), or a FIDO AuthN server speaking the FIDO UAF protocol to a mobile phone with a FIDO client.]
Mobile Connect and FIDO UAF integration: White Paper

• Main objective:
  • Overview of FIDO architecture and use cases
  • Integration of FIDO UAF authenticators into the Mobile Connect architecture
• Status:
  • Co-developed between GSMA, MNOs and FIDO members
  • First draft finished
• Second phase:
  • UICC-based FIDO authenticator
  • Use of the UICC to enhance FIDO implementation security
  • FIDO 2.0 integration
If you would like more information, please contact GSMA via mobileconnect@gsma.com
GSMA London Office
T +44 (0) 20 7356 0600
www.gsma.com/personaldata
Follow the GSMA on Twitter: @GSMA
Mobile Connect and FIDO UAF integration building blocks

[Component diagram. MNO server side: IdP (IDGW), FIDO Server, FIDO Metadata Service, and a device push notification system (e.g. Android GCM). User mobile phone, client side: Mobile Connect App, FIDO Client, ASM, FIDO Authenticator. Interfaces between the components:]
• INT 1: FIDO Transport Binding Protocol
• INT 2: Vendor-dependent interface
• INT 3: FIDO defined (OS dependent)
• INT 4: Notification system interface (client-side)
• INT 5: Notification system interface (server-side)
Matching of FIDO policies to OpenID Connect ‘acr_values’

Service Providers need to be able to both specify and receive feedback on the type of authenticator used.
• Mobile Connect
  • uses Level of Assurance (LoA) values (ISO 29115) in the OIDC request’s acr_values parameter, so the SP can indicate the authenticator class that should be used
• FIDO
  • uses the FIDO Policy to describe the required authenticator characteristics for accepted authenticators
• Options:
  • Expand the list of acr_values to accommodate additional LoA/policies
  • Capture SP requirements at registration to the Mobile Connect service and propagate them via the Mobile Connect federation
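As an added example (not from the deck, and not GSMA or FIDO Alliance code), this Python sketch walks the acr_values round trip the slide describes: the SP puts an LoA in acr_values, the IdP translates it into a FIDO policy for its FIDO server, an authenticator's metadata is matched against that policy, and the SP checks the acr claim that comes back. The LoA-to-policy table, the authenticator characteristic names and all endpoint names are assumptions.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed mapping (not from the deck): each ISO 29115 LoA sent in acr_values maps
# to a FIDO-style policy of accepted authenticator characteristics. Values are
# illustrative, loosely modelled on FIDO UAF policy criteria, not a real policy.
LOA_TO_FIDO_POLICY = {
    2: {"userVerification": {"pin", "fingerprint"},
        "keyProtection": {"software", "hardware", "tee"}},
    3: {"userVerification": {"pin", "fingerprint"},
        "keyProtection": {"hardware", "tee", "secure_element"}},
}

def build_authorize_url(authorize_endpoint, client_id, redirect_uri, loa, nonce, state):
    """SP side: OIDC authorization request carrying the required LoA in acr_values."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "acr_values": str(loa),
        "nonce": nonce,  # echoed in the ID token so the SP can detect replay
        "state": state,  # bound to the browser session (CSRF protection)
    }
    return f"{authorize_endpoint}?{urlencode(params)}"

def fido_policy_for_request(authorize_url):
    """IdP side: read acr_values (space-separated, highest LoA wins) and pick the
    FIDO policy for it; unknown levels are rejected, never silently downgraded."""
    query = parse_qs(urlparse(authorize_url).query)
    requested = max(int(v) for v in query["acr_values"][0].split())
    if requested not in LOA_TO_FIDO_POLICY:
        raise ValueError(f"unsupported acr_values: {query['acr_values'][0]}")
    return requested, LOA_TO_FIDO_POLICY[requested]

def authenticator_accepted(policy, metadata):
    """FIDO server side: match an authenticator's metadata (as published through
    the FIDO Metadata Service) against the policy derived from acr_values."""
    return (metadata["userVerification"] in policy["userVerification"]
            and metadata["keyProtection"] in policy["keyProtection"])

def sp_accepts_id_token(claims, requested_loa, expected_nonce):
    """SP side feedback check on the (already signature-verified) ID token payload:
    acr must meet the requested LoA and nonce must be the one sent in the request."""
    if claims.get("nonce") != expected_nonce:
        return False
    try:
        return int(claims.get("acr", "0")) >= requested_loa
    except ValueError:
        return False
```

ID token signature and issuer checks are assumed to happen before `sp_accepts_id_token` is called; the example only covers the LoA and nonce feedback the slide is about.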
