An overview of the interface between MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect, presented as part of "International Identity Standards – Innovation in Government & Global Interoperability" on September 20, 2016, at the Global Identity Summit 2016.
More details at https://events.afcea.org/GlobalID16/Public/Content.aspx?ID=61320&sortMenu=102002 and https://events.afcea.org//GlobalID16/CUSTOM/pdf/innov-in-federation.pdf.
1. OpenID Connect: The Mobile Profile
Bjorn Hjelm, Torsten Lodderstedt, John Bradley
2. Mobile Identity
Identity is becoming increasingly important in the digital world as more activities migrate online.
With the mobile device becoming the single point of contact for the different transactions that require identification of the user, Mobile Network Operators (MNOs) are becoming part of the identity management process.
Several standards development initiatives have started to support mobile identity and the different aspects of this evolution.
3. The Mobile Profile
• GSMA created Mobile Connect for secure universal digital authentication leveraging OpenID Connect.
• The OpenID Foundation MODRNA WG's technical work supports this mobile identity evolution.
– Stands for Mobile Operator Discovery, Registration, aNd Authentication.
– Developing a profile of OpenID Connect for use by MNOs providing identity services.
– Serves as technical input to Mobile Connect development.
– OIDF's IPR framework ensures that all specifications can be freely implemented.
– WG members from the OpenID community as well as MNOs.
• Deutsche Telekom, Ping Identity, Orange, Verizon Wireless, Telefonica, NRI.
4. Mobile Connect
• Mobile phone number as user identifier
• Mobile phone as authenticator
• MNO as authentication/identity provider
• Replace passwords and hardware security tokens
5. Mobile Connect Reference Architecture
1. The user clicks on a Mobile Connect button to access a service.
2. The service provider requests the authenticating operator from the API Exchange.
3. The service provider makes a request for authentication.
4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities:
• SIM Applet
• USSD
• SMS
• Smartphone App
• FIDO
[Figure: reference architecture diagram showing the Service Provider, MNO Discovery and, within the MNO, the Identity Gateway and Authentication server; labelled flows: Service access request, Authentication request, Authentication.]
6. MODRNA WG
[Figure: the same reference architecture diagram as slide 5, annotated with the labels "1", "2 3" and "Set up credentials".]
9. MODRNA - GSMA Status
• Mobile Connect Profile 1.2 partly incorporates the Authentication spec.
• For Mobile Connect Release 2, a security issue with user account portability is to be addressed.
– Adoption of the OpenID concept of scoped identity.
• Changes beyond Mobile Connect Release 2:
– Modify discovery to favor the OIDC openid_configuration over the endpoint URL from the OneAPI Exchange.
– Adopt dynamic client registration with software statements.
– Mechanism to perform transaction authorization and server-initiated authentication based on the MODRNA proposal.
• Key aspects of the Mobile Connect Evolved Architecture:
– Discovery Mechanism
– Credential Management
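The "scoped identity" on this slide is assumed here to be the pairwise, sector-scoped subject identifier of OpenID Connect Core section 8.1, which gives each RP (or group of RPs sharing a sector) its own non-correlatable identifier for the same subscriber; the following is an added illustration, not code from the presentation, the MODRNA WG or GSMA, and the MSISDN, client metadata and OP salt are constructed values.

```python
# Added example (not from the presentation): pairwise, sector-scoped subject
# identifiers in the style of OpenID Connect Core 8.1. Assumes that the slide's
# "scoped identity" refers to this mechanism; all MSISDNs, client metadata and
# the OP salt below are constructed sample values.
import hashlib
from urllib.parse import urlparse


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Sector for a client: host of sector_identifier_uri if registered,
    otherwise the single host shared by all redirect_uris (OIDC Core 8.1)."""
    if sector_identifier_uri:
        return urlparse(sector_identifier_uri).hostname
    hosts = {urlparse(u).hostname for u in redirect_uris}
    if len(hosts) != 1:
        raise ValueError("redirect_uris span several hosts; register sector_identifier_uri")
    return hosts.pop()


def pairwise_sub(sector, local_account_id, op_salt):
    """sub = SHA-256(sector || local account id || OP salt), hex-encoded.
    The salt is secret to the OP: an RP cannot reverse or recompute the value,
    and another OP (other salt) issues a different sub for the same subscriber,
    which is the gap the account-migration work has to bridge."""
    material = f"{sector}|{local_account_id}|{op_salt}".encode()
    return hashlib.sha256(material).hexdigest()


# Constructed sample: one subscriber, two unrelated RPs, and a third RP that
# shares a sector with the second through the same sector_identifier_uri.
MSISDN = "+491701234567"            # constructed, not a real number
OP_SALT = "op-secret-salt-example"  # constructed; a real OP keeps it secret
CLIENTS = {
    "shop": {"redirect_uris": ["https://shop.example/cb"]},
    "bank": {"redirect_uris": ["https://login.bank.example/cb"],
             "sector_identifier_uri": "https://bank.example/sector.json"},
    "bank_app": {"redirect_uris": ["https://app.bank.example/cb"],
                 "sector_identifier_uri": "https://bank.example/sector.json"},
}


def subs_for_subscriber(msisdn=MSISDN, op_salt=OP_SALT):
    """The sub this OP would place in the ID Token for the subscriber at each RP."""
    return {
        name: pairwise_sub(sector_identifier(c["redirect_uris"],
                                             c.get("sector_identifier_uri")),
                           msisdn, op_salt)
        for name, c in CLIENTS.items()
    }
```

Running `subs_for_subscriber()` shows the shop and bank RPs receiving different subs for one MSISDN while the two bank clients share one, and changing the salt (a different OP) changes every value.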
10. Auxiliary MODRNA Work
• Account migration (draft-account-migration) – Editor: Torsten Lodderstedt
– Mechanism to allow the migration of a user account from an old to a new OP.
– Protocol allowing the new OP to obtain the necessary user data from the old OP and to provide every RP with the data needed to migrate the RP's local user account data in a secure way.
• Server-initiated authentication – Editors: Gonzalo Fernandez Rodriguez, Jörg Connotte
– Mechanisms to perform authentication (out-of-band) when there is no user agent available (such as in a call center) and the authentication process needs to be initiated via server-to-server communication.
• Transaction authorization – Editors: Charles Marais, Nicola Aillery
– Mechanisms to perform transaction authorizations.
– Define an additional OpenID Connect endpoint (UserInfo) that the RP would use (server-to-server) to initiate transaction authorization processes.
• These extensions to the Mobile Profile are also relevant for other working groups/domains (e.g. Finance).