SlideShare a Scribd company logo
MODRNA WG
The interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile
Connect
May 15, 2018
Bjorn Hjelm
Verizon
John Bradley
Yubico
http://openid.net/wg/mobile/
Purpose
• Support GSMA technical development of
Mobile Connect
• Enable Mobile Network Operators (MNOs) to
become Identity Providers
• Developing (1) a profile of and (2) an
extension to OpenID Connect for use by MNOs
providing identity services.
Participants
What is Mobile Connect?
• Mobile phone number as user identifier
• Mobile phone as authenticator
• MNO as authentication/identity provider
• Replace passwords and hardware security
tokens
Example Use Case
Towards Mobile Connect
Services Enabler Model
• The aim of the Service Enabler model
is to enhance the modularity of the
Mobile Connect framework by
defining it as a set of Service Enablers
that can be used (and re-used) for
supporting Global Products as well as
Local Products devised by MNOs to
meet their local market needs.
– In R2, each Product was defined and
specified individually.
– In R3. with the Service Enabler model,
each of these Products can be
implemented using a common service
enabler.
Mobile Connect
Reference Architecture
2. The service provider requests the
authenticating operator from the API
Exchange.
3. The service provider makes a
request for authentication.
4. The operator selects the appropriate
authenticator depending on the request for
assurance and capabilities
1. The user clicks on a Mobile
Connect button to access a
service.
• SIM Applet
• USSD
• SMS
• Smartphone App
• FIDO
MNO
Service access request
Authentication
Service Provider
Authentication
request
Authentication
server
Identity
Gateway
MNO Discovery
MODRNA WG
2. The service provider requests the
authenticating operator from the API
Exchange.
3. The service provider makes a
request for authentication.
4. The operator selects the appropriate
authenticator depending on the request for
assurance and capabilities
1. The user clicks on a Mobile
Connect button to access a
service.
• SIM Applet
• USSD
• SMS
• Smartphone App
• FIDO
MNO
Service access request
Authentication
Service Provider
Authentication
request
Authentication
server
Identity
Gateway
MNO Discovery
1
2 3
Set up
credentials
MODRNA Specifications
• Discovery
– http://openid.net/specs/openid-connect-modrna-authentication-1_0.html
– Dedicated discovery service
– Account Chooser integration
• Client Registration
– http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-registration-01.html
– OIDC Dynamic Client Registration with software statements (RFC 7591)
– Mandatory claims in the statements
– Signature algorithms
– Lifecycle management, e.g. revocation of statements/blocking of RPs
• Authentication
– http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html
– ACR values
– Additional parameters
Auxiliary MODRNA Work
• Client Initiated Backchannel Authentication
– http://openid.net/specs/openid-connect-modrna-client-initiated-backchannel-authentication-
1_0.html
– Mechanism to perform authentication (out-of-band) when there is no user agent available and
the authentication process needs to initiated via server-to-server communication
• User Questioning API
– http://openid.net/specs/openid-connect-user-questioning-api-1_0.html
– Mechanism to perform transaction authorizations. Define additional OpenID Connect
endpoint (Resource Server) that RP would use (server-to-server) to initiate transaction
authorization processes
• Account Porting
– http://openid.net/specs/openid-connect-account-porting-1_0.html
– Mechanism to allow the migration of user account from old to new OP
– Protocol allowing new OP to obtain the necessary user data from the old OP and provide every
RP with the necessary data to migrate the RP's local user account data in a secure way
MODRNA WG Status
• Active progress to close all open issues for the four specifications
approved as Implementer’s Draft (May 2017).
– MODRNA Authentication Profile
– Account Porting
– User Questioning API
– Client Initiated Backchannel Authentication (CIBA)
• Collaboration with Financial API (FAPI) WG on use cases, Mobile Connect,
Backchannel Authentication, and Dynamic Client Registration.
• Still planning on collaboration with International Government Assurance
(iGov) WG on Attribute Exchange using NIST IR 8112 Attribute Metadata as
guideline.
MODRNA - GSMA CPAS
Status
• Mobile Connect enhanced to support back-channel authentication based on
MODRNA WG work on CIBA specification.
– Mobile Connect already adopted OpenID Connect Account Porting specification and aligning
with MODRNA Authentication Profile.
• User Questioning API being adopted by Mobile Connect based on product
definition proposed by Orange.
• Active work on aligning priorities and roadmap between both organizations and
following the Governance Process for how Mobile Connect will reference and
adopt MODRNA specifications.
– Process outlines how Mobile Connect specifications handle Implementer’s Draft and
Published specifications.
– Next joint MODRNA – GSMA CPAS technical workshop possibly 2H 2018 based on Mobile
Connect roadmap.
• GSMA interested in adopting output from FAPI WG to support financial sector.
Thank you
http://openid.net/wg/mobile/

More Related Content

OpenID Foundation MODRNA WG overview at EIC 2018

  • 1. MODRNA WG The interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect May 15, 2018 Bjorn Hjelm Verizon John Bradley Yubico http://openid.net/wg/mobile/
  • 2. Purpose • Support GSMA technical development of Mobile Connect • Enable Mobile Network Operators (MNOs) to become Identity Providers • Developing (1) a profile of and (2) an extension to OpenID Connect for use by MNOs providing identity services.
  • 4. What is Mobile Connect? • Mobile phone number as user identifier • Mobile phone as authenticator • MNO as authentication/identity provider • Replace passwords and hardware security tokens
  • 6. Towards Mobile Connect Services Enabler Model • The aim of the Service Enabler model is to enhance the modularity of the Mobile Connect framework by defining it as a set of Service Enablers that can be used (and re-used) for supporting Global Products as well as Local Products devised by MNOs to meet their local market needs. – In R2, each Product was defined and specified individually. – In R3. with the Service Enabler model, each of these Products can be implemented using a common service enabler.
  • 7. Mobile Connect Reference Architecture 2. The service provider requests the authenticating operator from the API Exchange. 3. The service provider makes a request for authentication. 4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities 1. The user clicks on a Mobile Connect button to access a service. • SIM Applet • USSD • SMS • Smartphone App • FIDO MNO Service access request Authentication Service Provider Authentication request Authentication server Identity Gateway MNO Discovery
  • 8. MODRNA WG 2. The service provider requests the authenticating operator from the API Exchange. 3. The service provider makes a request for authentication. 4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities 1. The user clicks on a Mobile Connect button to access a service. • SIM Applet • USSD • SMS • Smartphone App • FIDO MNO Service access request Authentication Service Provider Authentication request Authentication server Identity Gateway MNO Discovery 1 2 3 Set up credentials
  • 9. MODRNA Specifications • Discovery – http://openid.net/specs/openid-connect-modrna-authentication-1_0.html – Dedicated discovery service – Account Chooser integration • Client Registration – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-registration-01.html – OIDC Dynamic Client Registration with software statements (RFC 7591) – Mandatory claims in the statements – Signature algorithms – Lifecycle management, e.g. revocation of statements/blocking of RPs • Authentication – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html – ACR values – Additional parameters
  • 10. Auxiliary MODRNA Work • Client Initiated Backchannel Authentication – http://openid.net/specs/openid-connect-modrna-client-initiated-backchannel-authentication- 1_0.html – Mechanism to perform authentication (out-of-band) when there is no user agent available and the authentication process needs to initiated via server-to-server communication • User Questioning API – http://openid.net/specs/openid-connect-user-questioning-api-1_0.html – Mechanism to perform transaction authorizations. Define additional OpenID Connect endpoint (Resource Server) that RP would use (server-to-server) to initiate transaction authorization processes • Account Porting – http://openid.net/specs/openid-connect-account-porting-1_0.html – Mechanism to allow the migration of user account from old to new OP – Protocol allowing new OP to obtain the necessary user data from the old OP and provide every RP with the necessary data to migrate the RP's local user account data in a secure way
  • 11. MODRNA WG Status • Active progress to close all open issues for the four specifications approved as Implementer’s Draft (May 2017). – MODRNA Authentication Profile – Account Porting – User Questioning API – Client Initiated Backchannel Authentication (CIBA) • Collaboration with Financial API (FAPI) WG on use cases, Mobile Connect, Backchannel Authentication, and Dynamic Client Registration. • Still planning on collaboration with International Government Assurance (iGov) WG on Attribute Exchange using NIST IR 8112 Attribute Metadata as guideline.
  • 12. MODRNA - GSMA CPAS Status • Mobile Connect enhanced to support back-channel authentication based on MODRNA WG work on CIBA specification. – Mobile Connect already adopted OpenID Connect Account Porting specification and aligning with MODRNA Authentication Profile. • User Questioning API being adopted by Mobile Connect based on product definition proposed by Orange. • Active work on aligning priorities and roadmap between both organizations and following the Governance Process for how Mobile Connect will reference and adopt MODRNA specifications. – Process outlines how Mobile Connect specifications handle Implementer’s Draft and Published specifications. – Next joint MODRNA – GSMA CPAS technical workshop possibly 2H 2018 based on Mobile Connect roadmap. • GSMA interested in adopting output from FAPI WG to support financial sector.