OpenID Foundation Workshop at EIC 2018 - MODRNA Working Group Update (MikeLeszcz)
OpenID Foundation MODRNA Working Group update presented by Bjorn Hjelm (Verizon) and John Bradley (Yubico) at the OIDF Workshop at EIC 2018 on May 15, 2018 in Munich.
An update on MODRNA (Mobile Profile of OpenID Connect) WG at OpenID Foundation Workshop during EIC 2017 (https://www.kuppingercole.com/events/eic2017-oidf).
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic... (WSO2)
Client-side applications are becoming an increasingly popular technology to build applications owing to the advanced user experience that they provide consumers. Authentication and API authorization for these applications are also becoming equally popular topics that many developers have a hard time getting their heads around.
Check these slides, where Johann Nallathamby, Head of Solutions Architecture for IAM at WSO2, will attempt to demystify some complexities and misconceptions surrounding this topic and help you better understand the most important features to consider when choosing an authentication and API authorization solution for client-side applications.
These slides will review:
- The broader classification of client-side applications and their legacy and more recent authentication and API authorization patterns
- Sender-constrained token patterns
- Solution patterns being employed to improve user experience in client-side applications
[WSO2Con EU 2017] How API Management at Suva is Helping in Reducing Costs to ... (WSO2)
Suva, the main provider of compulsory accident insurance in Switzerland, used API management to reduce internal costs for handling cases and customer costs through higher business process automation. This slide deck shares insights on setting up the Suva Digital Platform to production readiness.
NFC-based User Authentication Mechanisms for Personalized IPTV Services (Chun-Kai Wang)
Internet Protocol Television (IPTV) is becoming a platform that changes the way we obtain information and entertainment, and offers interactive features and personalized services. Although IPTV service providers can perform TV viewer identification and authentication through a unique hardware identifier of the set-top box (STB), this STB-level identification means that all family members get the same access level and services. This indicates that existing authentication schemes are inconsistent with IPTV's main intent of providing personalized services.
Smartphones with NFC (Near Field Communication) capabilities have grown very popular over the years. This thesis presents NFC-based user authentication mechanisms using HCE (Host Card Emulation) technology, with two authentication schemes. The first is an HMAC-based authentication scheme with lightweight operations and relatively low cost. The second is a digital-signature-based authentication scheme that particularly applies to the design of open IPTV services. The experiments and analysis in this thesis show that the proposed mechanisms can meet the security requirements and provide great system usability, deployability and service scalability for personalized IPTV services. The proposed mechanisms are suitable for personalized IPTV services and can be easily deployed onto current IPTV systems.
[WSO2Con EU 2017] Keynote: Mobile Identity in the Digital Economy (WSO2)
In this slide deck, Marie Austenaa, the vice president and head of personal data and mobile identity at GSMA, will explore mobile identity in the digital economy.
Digital transformation is the integration of digital technology into all areas of a business, fundamentally changing how you operate and deliver value to customers. It's also a cultural change that requires organizations to continually challenge the status quo, experiment, and get comfortable with failure.
It is essential that you integrate digital technology into all areas of business so that your business can be agile and adapts to changing circumstances. Microservices architecture gives you the agility required to build a digital business, while APIs are the enablers for turning a conventional business into a digital business. In this webinar, we will discuss how an enterprise can adopt an API-first approach for building a digital business leveraging microservices architecture.
We will explain and show the business benefits of:
- An API-first approach for building a digital business
- How microservices enable business agility
- Building and integrating your microservices
- Modernization of your legacy applications
- How to leverage the WSO2 API integration platform to build a digital business.
Watch the webinar on-demand here - https://wso2.com/library/webinars/api-first-integration-for-microservices/
An Overview of the interface of MODRNA and GSMA Mobile Connect (Bjorn Hjelm)
An overview of the interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect presented on June 22, 2017, Cloud Identity Summit 2017.
An overview of the interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect presentation as part of "International Identity Standards – Innovation in Government & Global Interoperability" on September 20, 2016, at Global Identity Summit 2016.
More details at https://events.afcea.org/GlobalID16/Public/Content.aspx?ID=61320&sortMenu=102002 and https://events.afcea.org//GlobalID16/CUSTOM/pdf/innov-in-federation.pdf.
Mobile Network Operators and Identity – Crossing the Chasm (Bjorn Hjelm)
Mobile Network Operators and Identity presented at the panel session "Opportunities and Issues in Mobile Technologies" at Global Identity System 2015. More details at https://events.jspargo.com/id15/Public/SessionDetails.aspx?FromPage=Sessions.aspx&SessionID=3670&SessionDateID=237.
Mobile Number Portability completed its 8 months, with an investment of approximately Rs.10,000 Crore, and according to data from the telecommunications regulator, about 13 million subscribers changed their service providers until the end of June.
Initially presented at European Identity & Cloud Conference 2019, this is a revised presentation that covers the background, including the various use cases defined by multiple industry organizations, the requirements, and the technical development of 5G to enable this fundamental shift towards a user-centric view in the next-generation cellular system and unlock the potential of what 5G can deliver.
With the emergence of a more digitized world combined with the prospect of a broadband communication of 20 Gbps, the development of an Identity and Access Layer in 5G started with the vision of user’s identities in the center of a new value proposition. Identity as an abstraction layer in 5G bridges across domains, cross access technologies and between the network and Internet services focused on enhanced user experience as well as higher personalization of services that can only be achieved through a user-centric approach shifting the view from the subscriber to the user.
This presentation will cover the background, including the various use cases defined by multiple industry organizations, the requirements, and the technical development of 5G to enable this fundamental shift in the next-generation cellular system and unlock the potential of what 5G can deliver.
Presented at European Identity & Cloud Conference 2019 (https://www.kuppingercole.com/sessions/3080).
NSTIC Panel on Mobile-based Identity and Access Management (Bjorn Hjelm)
Mobile Network Operator's perspective on the NSTIC pilot "Mobile-based Identity and Access Management" [NISTIR 8054] presented at the MWC Americas 2017 Mobile Connect Workshop on September 12, 2017. More details at https://www.gsma.com/identity/mwca-mobile-connect-workshop.
Integration of FIDO and Mobile Connect to deliver authentication globally wor... (Bjorn Hjelm)
This presentation outlines how the FIDO standards can be integrated with Mobile Connect to offer authentication services within the Mobile Connect framework. This presentation is an output of the collaboration between FIDO Alliance and GSMA and covers an overview of the architecture, FIDO authentication, handling of assurance levels, authentication context for an OpenID Connect profile, and security guidelines.
1. MODRNA WG
The interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect
October 22, 2018
Bjorn Hjelm, Verizon
John Bradley, Yubico
http://openid.net/wg/mobile/
2. Purpose
• Support GSMA technical development of Mobile Connect
• Enable Mobile Network Operators (MNOs) to become Identity Providers
• Developing (1) a profile of and (2) an extension to OpenID Connect for use by MNOs providing identity services.
4. What is Mobile Connect?
• Mobile phone number as user identifier
• Mobile phone as authenticator
• MNO as authentication/identity provider
• Replace passwords and hardware security tokens
7. Mobile Connect Reference Architecture
[Diagram: Service Provider, MNO Discovery (API Exchange), and the MNO with its Identity Gateway and Authentication server. Message flow:]
1. The user clicks on a Mobile Connect button to access a service (service access request).
2. The service provider requests the authenticating operator from the API Exchange (MNO Discovery).
3. The service provider makes an authentication request to the MNO's Identity Gateway.
4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities.
Authenticators: SIM Applet, USSD, SMS, Smartphone App, FIDO.
8. MODRNA WG
[Same reference architecture diagram as slide 7, annotated with markers 1, 2 and 3 and a "Set up credentials" step between the user and the MNO.]
9. MODRNA Specifications
• Discovery
– http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html
– Specifies a way to normalize a user identifier applicable to a mobile environment and MNO. The specification defines the discovery flow for both web and native applications residing on a mobile device.
• Client Registration
– http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-registration-01.html
– Defines how an RP dynamically registers with an MNO by extending OIDC Dynamic Client Registration with software statements (RFC 7591).
• Authentication
– http://openid.net/specs/openid-connect-modrna-authentication-1_0.html
– Specifies how RPs request a certain level of assurance (LoA) for the authentication, and an encrypted login hint token that allows user identifiers to be transported to the MNO in a privacy-preserving fashion. The specification also specifies an additional message parameter to bind the user's consumption device and authentication device.
10. Auxiliary MODRNA Work
• User Questioning API
– http://openid.net/specs/openid-connect-user-questioning-api-1_0.html
– Defines a mechanism to perform transaction authorizations: an additional OpenID Connect endpoint (Resource Server) that the RP uses (server-to-server) to initiate transaction authorization processes.
• Account Porting
– http://openid.net/specs/openid-connect-account-porting-1_0.html
– Defines a mechanism to allow the migration of a user account from an old OP to a new OP.
– The protocol allows the new OP to obtain the necessary user data from the old OP and to provide every RP with the data it needs to migrate the RP's local user account data in a secure way.
11. CIBA Development
• Initial work on the Client Initiated Backchannel Authentication (CIBA) specification started to define a mechanism to perform authentication (out-of-band) when there is no user agent available and the authentication process needs to be initiated via server-to-server communication.
– CIBA specification approved as Implementer's Draft in May 2017.
• As part of the collaboration with the Financial-grade API (FAPI) WG, the CIBA specification will be split into two specifications to support multiple use cases.
– The CIBA Core specification defines the flows where the RP initiates an authentication (out-of-band) when there is no user agent available and the authentication process needs to be initiated via server-to-server communication.
– The MODRNA: Client Initiated Backchannel Authentication Profile addresses the MODRNA requirements for CIBA.
• The working group scheduled extra calls to resolve open issues, with the plan to have the specifications ready for Implementer's Draft by the end of October.
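To make the backchannel flow on this slide concrete, here is an added example (not code from the MODRNA WG or any Mobile Connect implementation) that models CIBA poll mode in Python: the RP's backchannel authentication request carrying the same acr_values (LoA), login_hint_token and binding_message parameters that the Authentication profile on slide 9 describes, and the RP's polling of the token endpoint with the CIBA grant type until the out-of-band authentication completes. The OP class, its 20-character binding_message policy and all sample values are constructed; the client_id parameter stands in for real client authentication and the login hint token is an opaque placeholder string.

```python
import secrets
import time
from dataclasses import dataclass, field

CIBA_GRANT = "urn:openid:params:grant-type:ciba"          # token endpoint grant_type for CIBA
HINTS = ("login_hint_token", "id_token_hint", "login_hint")  # exactly one hint must be present

@dataclass
class AuthRequest:
    """State the OP keeps per auth_req_id while the out-of-band authentication runs."""
    client_id: str
    hint: str              # identifies the user; the login_hint_token is an opaque placeholder here
    acr_values: str        # requested level of assurance (LoA)
    binding_message: str   # shown on both the consumption and the authentication device
    approved: bool = False
    created: float = field(default_factory=time.time)
    last_poll: float = 0.0

class OpenIdProvider:
    """Constructed OP: backchannel authentication endpoint plus token endpoint (poll mode)."""
    def __init__(self, interval=5, expires_in=120):
        self.interval, self.expires_in = interval, expires_in
        self.requests = {}

    def backchannel_authentication(self, params):
        hints = [h for h in HINTS if h in params]
        if len(hints) != 1:                         # CIBA Core: one and only one hint
            return {"error": "invalid_request"}
        if "openid" not in params.get("scope", "").split():
            return {"error": "invalid_scope"}
        bm = params.get("binding_message", "")
        if len(bm) > 20 or not bm.isprintable():    # constructed OP policy: short and displayable
            return {"error": "invalid_binding_message"}
        req_id = secrets.token_urlsafe(32)
        self.requests[req_id] = AuthRequest(params["client_id"], params[hints[0]],
                                            params.get("acr_values", ""), bm)
        return {"auth_req_id": req_id, "expires_in": self.expires_in, "interval": self.interval}

    def user_approves(self, req_id):
        """Outcome of the out-of-band authentication on the user's authentication device."""
        self.requests[req_id].approved = True

    def token(self, params, now=None):
        """Token endpoint: the RP polls here until the user has authenticated."""
        now = time.time() if now is None else now
        if params.get("grant_type") != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(params.get("auth_req_id"))
        if req is None or req.client_id != params.get("client_id"):
            return {"error": "invalid_grant"}          # unknown, used-up, or another client's request
        if now - req.created > self.expires_in:
            del self.requests[params["auth_req_id"]]
            return {"error": "expired_token"}
        if now - req.last_poll < self.interval:
            return {"error": "slow_down"}              # RP polled faster than the announced interval
        req.last_poll = now
        if not req.approved:
            return {"error": "authorization_pending"}
        del self.requests[params["auth_req_id"]]       # an auth_req_id is single use
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "id_token": "<id_token JWT placeholder>"}
```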
12. MODRNA WG Status
• CIBA development is a priority for the group, to get the specifications ready for Implementer's Draft.
• Discovery Profile progressing towards Implementer's Draft status in support of market deployment.
– The U.S. deployment to support mobile-based authentication is leveraging the MODRNA Discovery specification.
• Account Porting discussion taking place to address options in the first part of the porting flow.
– The first stage of a porting event is for the New OP to get confirmation from the Old OP that the user wants to port; discussions focused on what can be leveraged from existing MNO porting events to start the porting process.
• Plan to progress the Authentication Profile towards Final Specification.
– Effort planned for Nov-Dec, after CIBA development has been either completed or progressed enough to allocate time for this effort.
13. MODRNA - GSMA CPAS Status
• User Questioning API being adopted by Mobile Connect as an enabler, based on work done in the MODRNA WG.
– Mobile Connect product definition and technical effort led by Orange.
• Possible impact to Mobile Connect from the new CIBA development.
– Mobile Connect currently supports back-channel authentication in the Server-initiated Profile specification.
• New work started to add support in Mobile Connect for Token Binding.
– Based on recently approved IETF RFCs and work aligning with the OpenID Connect Token Bound Authentication spec. in the EAP (Enhanced Authentication Profile) WG.
– Token Binding also considered and supported by the MNO community.