MODRNA
Torsten Lodderstedt, John Bradley, Bjorn Hjelm
The Mobile Profile
• GSMA created Mobile Connect for secure universal digital
authentication leveraging OpenID Connect.
• OpenID Foundation MODRNA WG created to support this
evolution.
– Stands for Mobile Operator Discovery, Registration, aNd
Authentication
– Developing (1) a profile of and (2) an extension to OpenID
Connect for use by MNOs providing identity services.
– Serve as technical input to Mobile Connect development.
– OIDF's IPR framework ensures that all specifications can be freely implemented.
– WG members from OpenID community as well as MNOs.
• Deutsche Telekom, Ping Identity, Orange, Verizon Wireless, Telefonica,
Telenor, Telstra, GlobalSign.
Mobile Connect
• Mobile phone number as user identifier
• Mobile phone as authenticator
• MNO as authentication/identity provider
• Replace passwords and hardware security
tokens
Mobile Connect Reference Architecture
1. The user clicks on a Mobile Connect button to access a service.
2. The service provider requests the authenticating operator from the API Exchange.
3. The service provider makes a request for authentication.
4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities:
• SIM Applet
• USSD
• SMS
• Smartphone App
• FIDO
[Diagram: Service Provider, MNO Discovery and MNO (Identity Gateway, Authentication server), with the flows labelled "Service access request", "Authentication request" and "Authentication"]
MODRNA WG
[Same reference architecture diagram as the previous slide, annotated with the markers 1, 2, 3 and "Set up credentials"]
MODRNA Specifications
• Discovery (draft-mobile-discovery) – Editors: John Bradley, Torsten Lodderstedt
– Dedicated discovery service
– Account Chooser integration
• Client registration (draft-mobile-registration) – Editor: Bjorn Hjelm
– OIDC Dynamic Client Registration with software statements (RFC 7591)
– Mandatory claims in the statements
– Signature algorithms
– Lifecycle management, e.g. revocation of statements/blocking of RPs
• Authentication (draft-mobile-authentication) – Editor: Jörg Connotte
– ACR values
– Additional parameters: login_token_hint, context
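As an added illustration of the client registration bullets above (this is example code, not code from the MODRNA draft or any MNO implementation): the OP-side validation of an RFC 7591 software statement, pinning the signature algorithm to an allowlist, checking the mandatory claims and consulting a revocation list before the statement is accepted. The HS256 shared key, the mandatory claim set and the revoked-statement list are assumptions constructed for the example; a real statement issuer would sign asymmetrically.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions (not from the MODRNA draft): HS256 with a key shared with the
# statement issuer stands in for an asymmetric signature; the mandatory claim
# set and the revocation list are constructed for this example.
ALLOWED_ALGS = {"HS256"}
REQUIRED_CLAIMS = {"iss", "iat", "exp", "jti", "software_id", "redirect_uris"}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_statement(claims, key):
    """Issue an HS256 software statement (used to build sample input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_statement(token, key, revoked_jtis, now=None):
    """Return (ok, reason, claims) for a software statement presented at registration."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(b))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    # Algorithm allowlist first: "none" and unexpected algorithms never reach the MAC check.
    if header.get("alg") not in ALLOWED_ALGS:
        return False, "alg_not_allowed", None
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad_signature", None
    missing = REQUIRED_CLAIMS - set(claims)  # mandatory claims per the profile
    if missing:
        return False, "missing_claims:" + ",".join(sorted(missing)), None
    if claims["exp"] <= now:
        return False, "expired", None
    if claims["jti"] in revoked_jtis:  # lifecycle: statement revoked / RP blocked
        return False, "revoked", None
    return True, "ok", claims
```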
Auxiliary MODRNA Work
• Client Initiated Backchannel Authentication (CIBA) – Editors: Gonzalo Fernandez Rodriguez, Florian Walter
– Mechanism to perform authentication (out-of-band) when there is no user agent available (such as a call center) and the authentication process needs to be initiated via server-to-server communication.
• User Questioning API – Editors: Charles Marais, Nicola Aillery
– Mechanism to perform transaction authorizations.
– Define additional OpenID Connect endpoint (UserInfo) that RP would
use (server-to-server) to initiate transaction authorization processes.
• Account migration (draft-account-migration) – Editors: James Manger, Torsten Lodderstedt, Arne Gleditsch
– Mechanism to allow the migration of a user account from an old to a new OP.
– Protocol allowing new OP to obtain the necessary user data from the
old OP and provide every RP with the necessary data to migrate the
RP's local user account data in a secure way.
The Onion
OpenID Connect 1.0
OAuth2.0
MODRNA 1.0
Mobile Connect Profile 1.2
MODRNA - GSMA Status
• Mobile Connect Profile 1.2 partly incorporates the Authentication spec.
• Collaboration identified and resolved security issue with original
GSMA account migration proposal resulting in MODRNA Account
Migration spec.
• Discovery/Credential Management:
– Mobile Connect Release 2 now utilizes and favors OIDC
openid_configuration over endpoint URLs from OneAPI Exchange.
– MODRNA input to ongoing discussions about architecture evolutions
towards more distributed approach based on security, privacy, and
operational considerations.
• New specs for transaction authorization and server-initiated
authentication (for later adoption by GSMA).
• Regular technical workshops with GSMA CPAS group significantly
improved collaboration.
Thanks!
OpenID Foundation MODRNA WG
  • 9. MODRNA - GSMA Status • Mobile Connect Profile 1.2 partly incorporate Authentication spec. • Collaboration identified and resolved security issue with original GSMA account migration proposal resulting in MODRNA Account Migration spec. • Discovery/Credential Management: – Mobile Connect Release 2 now utilizes and favors OIDC openid_configuration over endpoint URLs from OneAPI Exchange. – MODRNA input to ongoing discussions about architecture evolutions towards more distributed approach based on security, privacy, and operational considerations. • New specs for transaction authorization and server-initiated authentication (for later adoption by GSMA). • Regular technical workshops with GSMA CPAS group significantly improved collaboration.