The document outlines the objectives and workings of the Modrna group, which focuses on mobile operator discovery, registration, and authentication. It details the development of a mobile network operator (MNO) profile for OpenID Connect, aiming to replace traditional authentication methods with mobile phone-based solutions. Additionally, it discusses various specifications related to discovery, client registration, and authentication to enhance user security and interoperability within mobile connect services.

1. MODRNA Group
John Bradley, Bjorn Hjelm, Torsten
Lodderstedt

2. MODRNA
• Stands for Mobile Operator Discovery,
Registration, aNd Authentication
• Develop a profile of OpenID Connect intended
Mobile Network Operators (MNOs) providing
identity services.
• Serve as technical input to Mobile Connect
development.
• OIDFs IPR framework ensures that all
specifications can can be freely implemented.
• WG members from OpenID community as well as
MNOs.

3. Members
• John Bradley (Ping Identity)
• Philippe Clement (Orange)
• Bjorn Hjelm (Verizon Wireless)
• Gonzalo Fernandez Rodriguez (Telefonica)
• Jörg Connotte, Sebastian Ebling, Torsten
Lodderstedt, Florian Walter (Deutsche Telekom)
• Roland Hedberg (UMU)
• Nat Sakimura (NRI)

4. Mobile Connect
• Mobile phone number as user identifier
• Mobile phone as authenticator
• MNO as authentication/identity provider
• replace passwords and hardware security
tokens

5. Mobile Connect
Reference Architecture
2. The service provider requests the
authenticating operator from the API
Exchange.
3. The service provider makes a
request for authentication.
4. The operator selects the appropriate
authenticator depending on the request for
assurance and capabilities
1. The user clicks on a Mobile
Connect button to access a
service.
• SIM Applet
• USSD
• SMS
• Smartphone App
• FIDO
MNO
Service access request
Authentication
Service Provider
Authentication
request
Authentication
server
Identity
Gateway
MNO Discovery

6. MODRNA WG
2. The service provider requests the
authenticating operator from the API
Exchange.
3. The service provider makes a
request for authentication.
4. The operator selects the appropriate
authenticator depending on the request for
assurance and capabilities
1. The user clicks on a Mobile
Connect button to access a
service.
• SIM Applet
• USSD
• SMS
• Smartphone App
• FIDO
MNO
Service access request
Authentication
Service Provider
Authentication
request
Authentication
server
Identity
Gateway
MNO Discovery
1
2 3
Set up
credentials

7. Specifications
• Discovery (draft-mobile-discovery) - Editors: John Bradley, Torsten
Lodderstedt
– dedicated discovery service
– account chooser integration
• Client registration (draft-mobile-registration) – Editor: Bjorn Hjelm
– OIDC Dynamic Client Registration with software statements (RFC 7591)
– mandatory claims in the statements
– signature algorithms
– lifecyle mgmt, e.g. revocation of statements/blocking of RPs
• Authentication (draft-mobile-authentication) – Editor: Jörg
Connotte
– ACR values
– additional parameters: login_token_hint, context

8. The Onion
OpenID Connect 1.0
OAuth2.0
MODRNA 1.0
Mobile Connect Profile 1.2

9. MODRNA - GSMA Status
• Mobile Connect Profile 1.2 partly incorporate
Authentication spec.
• For Mobile Connect Release 2, security issue with user
account portability to be addressed.
– Recommendation to follow OpenID concept of scoped identity.
• Changes beyond Mobile Connect Release 2.
– Modify discovery to favor OIDC openid_configuration over
endpoint URL from OneAPI Exchange.
– Adopt dynamic client registration with software statements for
credential management.
– Mechanism to perform transaction authorization and server-
initiated authentication to be based on MODRNA proposal.

10. Thanks!