This document discusses the MODRNA working group, which aims to support GSMA Mobile Connect through developing profiles and extensions to OpenID Connect for use by mobile network operators providing identity services. Key points include:
- MODRNA seeks to enable MNOs to become identity providers and support authentication via a user's mobile phone number and device.
- Core MODRNA specifications address discovery, registration, and authentication profiles, while auxiliary specifications cover areas like user questioning and account porting.
- Work is ongoing to further specifications and address integration with Mobile Connect, including exploring the use of new standards like Client Initiated Backchannel Authentication and token binding.
2. MODRNA WG
The interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect
May 14, 2019
Bjorn Hjelm, Verizon
John Bradley, Yubico
http://openid.net/wg/mobile/
3. Purpose
• Support GSMA technical development of Mobile Connect
• Enable Mobile Network Operators (MNOs) to become Identity Providers
• Developing (1) a profile of and (2) an extension to OpenID Connect for use by MNOs providing identity services.
5. What is Mobile Connect?
• Mobile phone number as user identifier
• Mobile phone as authenticator
• MNO as authentication/identity provider
• Replace passwords and hardware security tokens
8. Mobile Connect Reference Architecture
1. The user clicks on a Mobile Connect button to access a service.
2. The service provider requests the authenticating operator from the API Exchange.
3. The service provider makes a request for authentication.
4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities.
Authenticators available at the MNO:
• SIM Applet
• USSD
• SMS
• Smartphone App
• FIDO
(Diagram components: Service Provider, MNO Discovery, Identity Gateway, Authentication server, MNO; the flows shown are "Service access request", "Authentication request" and "Authentication".)
9. MODRNA WG
(Diagram: the Mobile Connect reference architecture from slide 8 repeated, with markers 1, 2 and 3 and an additional "Set up credentials" step overlaid on it.)
10. MODRNA Specifications
Core Specifications (status):
• Authentication Profile: Implementer’s Draft
• Discovery Profile: Draft
• Registration Profile: Draft
Auxiliary Specifications (status):
• User Questioning API: Implementer’s Draft
• Client Initiated Backchannel Authentication (CIBA) Flow - Core: Implementer’s Draft
• MODRNA CIBA Profile: Draft
• Account Porting: Implementer’s Draft
More information available at https://openid.net/wg/mobile/status/
11. MODRNA Core Specifications
• Discovery Profile
– http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html
– Specifies a way to normalize a user identifier applicable to a mobile environment and MNO. The specification defines the discovery flow for both web and native applications residing on a mobile device.
• Registration Profile
– http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-registration-01.html
– Defines how an RP (client) dynamically registers with an MNO by extending OpenID Connect Dynamic Client Registration with software statements (RFC 7591).
• Authentication Profile
– http://openid.net/specs/openid-connect-modrna-authentication-1_0.html
– Specifies how RPs request a certain level of assurance (LoA) for the authentication, and an encrypted login hint token that allows user identifiers to be transported to the MNO in a privacy-preserving fashion. The specification also specifies an additional message parameter to bind the user’s consumption device and authentication device.
12. MODRNA Auxiliary Specifications
• User Questioning API
– http://openid.net/specs/openid-connect-user-questioning-api-1_0.html
– Defines a mechanism to perform transaction authorizations.
– Defines an additional OpenID Connect endpoint (Resource Server) that the RP would use (server-to-server) to initiate transaction authorization processes.
• Account Porting
– http://openid.net/specs/openid-connect-account-porting-1_0.html
– Defines a mechanism to allow the migration of a user account from an old OP to a new OP.
– A protocol allowing the new OP to obtain the necessary user data from the old OP and to provide every RP with the data it needs to migrate its local user account data in a secure way.
13. CIBA Development
• Initial work on the Client Initiated Backchannel Authentication (CIBA) specification defined a mechanism to perform authentication (out-of-band) when there is no user agent available and the authentication process needs to be initiated via server-to-server communication.
• As part of the collaboration with the Financial-grade API (FAPI) WG, the CIBA specification was split into Core and Profile specifications to support multiple use cases.
– The CIBA Core specification defines the CIBA flows for various use cases and defines the token delivery modes for the Client (Poll, Ping or Push), determined at registration time.
– The MODRNA: Client Initiated Backchannel Authentication Profile addresses the MODRNA requirements for CIBA.
• The CIBA Core specification was approved as an Implementer’s Draft on Feb. 4, 2019.
– https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-ID1.html
• The MODRNA CIBA Profile is currently in development.
14. CIBA Core Overview
CIBA enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms.
1. The Client makes an HTTP POST request to the Backchannel Authentication Endpoint to ask for end-user authentication.
2. The OpenID Connect Provider (OP) responds with a unique identifier for that authentication request while it tries to authenticate the user in the background.
3. The Client receives the ID Token, Access Token and optionally a Refresh Token through either the Poll, Ping or Push mode (established by the Client at registration time).
The slide reproduces the front page of the specification: OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 draft-02, January 16, 2019, by G. Fernandez (Telefonica), F. Walter and A. Nennker (Deutsche Telekom AG), D. Tonge (Moneyhub) and B. Campbell (Ping Identity), https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html. Its abstract:
"OpenID Connect Client Initiated Backchannel Authentication Flow is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser. This specification allows a Relying Party that knows the user's identifier to obtain tokens from the OpenID Provider. The user consent is given at the user's Authentication Device mediated by the OpenID Provider."
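As an added example (not code from the MODRNA WG, GSMA or the CIBA specification), the poll-mode exchange of steps 1 to 3 above simulated in Python on both the OP and the RP side, with the parameters the MODRNA Authentication Profile cares about (acr_values for the requested LoA and binding_message for device binding) carried in the request; the client_id, MSISDN, binding message value, expiry default and timing are constructed, and the Ping and Push delivery modes are not shown.

```python
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant_type defined by CIBA Core
DEFAULT_INTERVAL = 5   # seconds the RP must wait between polls (CIBA Core default)
DEFAULT_EXPIRY = 120   # auth_req_id lifetime when requested_expiry is absent (constructed)

class BackchannelOP:
    """OpenID Provider side: Backchannel Authentication Endpoint plus Token Endpoint."""
    def __init__(self, client_ids):
        self.client_ids = client_ids  # registered poll-mode clients (constructed)
        self.pending = {}             # auth_req_id -> state of that authentication
        self.now = 0                  # simulated clock; a real OP would use time.time()

    def backchannel_authentication(self, client_id, params):
        """Step 1: the RP POSTs here and gets back an auth_req_id or an error."""
        if client_id not in self.client_ids:
            return {"error": "invalid_client"}
        if "openid" not in params.get("scope", "").split():
            return {"error": "invalid_scope"}
        # CIBA Core requires exactly one hint that identifies the end-user.
        hints = [h for h in ("login_hint_token", "id_token_hint", "login_hint") if h in params]
        if len(hints) != 1:
            return {"error": "invalid_request"}
        expiry = int(params.get("requested_expiry", DEFAULT_EXPIRY))
        auth_req_id = secrets.token_urlsafe(24)
        self.pending[auth_req_id] = {
            "client_id": client_id, "status": "pending", "last_poll": None,
            "expires_at": self.now + expiry,
            "acr": params.get("acr_values"),                   # requested LoA
            "binding_message": params.get("binding_message"),  # shown on both devices
        }
        return {"auth_req_id": auth_req_id, "expires_in": expiry, "interval": DEFAULT_INTERVAL}

    def user_decision(self, auth_req_id, approved):
        """Step 2 happens out of band: the authentication device reports the answer."""
        self.pending[auth_req_id]["status"] = "approved" if approved else "denied"

    def token(self, client_id, grant_type, auth_req_id):
        """Step 3 (poll mode): the RP asks the Token Endpoint for the outcome."""
        st = self.pending.get(auth_req_id)
        if grant_type != CIBA_GRANT or st is None or st["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now > st["expires_at"]:
            return {"error": "expired_token"}
        if st["last_poll"] is not None and self.now - st["last_poll"] < DEFAULT_INTERVAL:
            return {"error": "slow_down"}           # polled too fast: back off
        st["last_poll"] = self.now
        if st["status"] == "pending":
            return {"error": "authorization_pending"}
        if st["status"] == "denied":
            return {"error": "access_denied"}
        del self.pending[auth_req_id]               # auth_req_id is single use
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "id_token": {"acr": st["acr"]}}     # claims only; a real OP signs a JWT

def poll_until_done(op, client_id, auth_req_id, interval, max_polls=50):
    """RP poll loop: waits `interval` between polls and backs off on slow_down."""
    for _ in range(max_polls):
        resp = op.token(client_id, CIBA_GRANT, auth_req_id)
        if resp.get("error") == "slow_down":
            interval += 5
        elif resp.get("error") != "authorization_pending":
            return resp
        op.now += interval                          # stands in for time.sleep(interval)
    return {"error": "poll_limit_reached"}          # constructed local error

def run_demo(approve=True):
    """Whole exchange; the user answers on the authentication device after 30 s."""
    op = BackchannelOP({"rp-demo"})
    start = op.backchannel_authentication("rp-demo", {
        "scope": "openid", "login_hint": "+12025550100",   # constructed MSISDN
        "acr_values": "3", "binding_message": "W4SCT"})    # constructed LoA and code
    req_id = start["auth_req_id"]
    first = op.token("rp-demo", CIBA_GRANT, req_id)        # polled before any answer
    op.now += 30
    op.user_decision(req_id, approve)
    return first, poll_until_done(op, "rp-demo", req_id, start["interval"])
```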
15. MODRNA WG Status
• Currently working on post-Implementer’s Draft issues for the CIBA Core spec. and completing the MODRNA CIBA Profile.
• Additional specifications in development
– Plans to progress the Authentication Profile towards Final Specification.
– Discovery Profile to progress towards Implementer’s Draft status in support of market deployment.
– Continue the Account Porting discussions to address options in the first part of the porting flow.
16. MODRNA - GSMA CPAS Status
• User Questioning API adopted by Mobile Connect as an enabler based on work done in the MODRNA WG.
– Mobile Connect product definition and technical effort led by Orange.
• Possible impact on Mobile Connect from the new CIBA development.
– Mobile Connect currently supports back-channel authentication in the Server-initiated Profile specification.
• New work started to add support in Mobile Connect for Token Binding.
– Based on recently approved IETF RFCs, and aligned with the OpenID Connect Token Bound Authentication specification in the EAP (Enhanced Authentication Profile) WG.