SlideShare a Scribd company logo

OpenID Foundation MODRNA WG Update

Download as PPTX, PDF
Bjorn Hjelm
Bjorn Hjelm

OpenID Foundation MODRNA WG update presented at OpenID Foundation Workshop at PayPal in San Jose, CA on Oct. 16, 2017.

1 of 13
Download to read offline
MODRNA WG The interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect October 16, 2017 Bjorn Hjelm Verizon John Bradley Yubico http://openid.net/wg/mobile/
Purpose • Support GSMA technical development of Mobile Connect • Enable Mobile Network Operators (MNOs) to become Identity Providers • Developing (1) a profile of and (2) an extension to OpenID Connect for use by MNOs providing identity services.
Participants
What is Mobile Connect? • Mobile phone number as user identifier • Mobile phone as authenticator • MNO as authentication/identity provider • Replace passwords and hardware security tokens
Example Use Case
Towards Mobile Connect Services Enabler model
Mobile Connect Reference Architecture 2. The service provider requests the authenticating operator from the API Exchange. 3. The service provider makes a request for authentication. 4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities 1. The user clicks on a Mobile Connect button to access a service. • SIM Applet • USSD • SMS • Smartphone App • FIDO MNO Service access request Authentication Service Provider Authentication request Authentication server Identity Gateway MNO Discovery
MODRNA WG 2. The service provider requests the authenticating operator from the API Exchange. 3. The service provider makes a request for authentication. 4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities 1. The user clicks on a Mobile Connect button to access a service. • SIM Applet • USSD • SMS • Smartphone App • FIDO MNO Service access request Authentication Service Provider Authentication request Authentication server Identity Gateway MNO Discovery 1 2 3 Set up credentials
MODRNA Specifications • Discovery – http://openid.net/specs/openid-connect-modrna-authentication-1_0.html – Dedicated discovery service – Account Chooser integration • Client Registration – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-registration-01.html – OIDC Dynamic Client Registration with software statements (RFC 7591) – Mandatory claims in the statements – Signature algorithms – Lifecycle management, e.g. revocation of statements/blocking of RPs • Authentication – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html – ACR values – Additional parameters
Auxiliary MODRNA Work • Client Initiated Backchannel Authentication – http://openid.net/specs/openid-connect-modrna-client-initiated-backchannel-authentication- 1_0.html – Mechanism to perform authentication (out-of-band) when there is no user agent available and the authentication process needs to initiated via server-to-server communication • User Questioning API – http://openid.net/specs/openid-connect-user-questioning-api-1_0.html – Mechanism to perform transaction authorizations. Define additional OpenID Connect endpoint (Resource Server) that RP would use (server-to-server) to initiate transaction authorization processes • Account Porting – http://openid.net/specs/openid-connect-account-porting-1_0.html – Mechanism to allow the migration of user account from old to new OP – Protocol allowing new OP to obtain the necessary user data from the old OP and provide every RP with the necessary data to migrate the RP's local user account data in a secure way
MODRNA WG Status • Following four specifications approved as Implementer’s Draft (May 2017). – MODRNA Authentication Profile – Account Porting – User Questioning API – Client Initiated Backchannel Authentication • Collaboration with Financial API (FAPI) WG on use cases, Mobile Connect, Backchannel Authentication, and Dynamic Client Registration. – Joint face-to-face meeting with FAPI WG planned for Nov. in London. • Collaboration with International Government Assurance (iGov) WG on Attribute Exchange using NIST IR 8112 Attribute Metadata as guideline.
MODRNA - GSMA CPAS Status • Established a Governance Process for how Mobile Connect will reference and adopt MODRNA spec. – Process outlines how Mobile Connect specs. handle Implementer’s Draft and Published specs. • Collaboration with GSMA includes joint MODRNA – GSMA CPAS technical workshop held twice a year with significant progress achieved. – Recent (May 2017) workshop focused on the development of Client Initiated Backchannel Authentication spec. • Active work on aligning priorities and roadmap between both organizations. • Services Enabler model and evolved Mobile Connect architecture in Release 3 targeted for 2018. – MODRNA Discovery Profile spec. proposal for discovery functionality. – Dynamic client registration with software statements (RFC 7591) for credential management.
Thank you http://openid.net/wg/mobile/

More Related Content

OpenID Foundation MODRNA WG Update

  • 1. MODRNA WG The interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect October 16, 2017 Bjorn Hjelm Verizon John Bradley Yubico http://openid.net/wg/mobile/
  • 2. Purpose • Support GSMA technical development of Mobile Connect • Enable Mobile Network Operators (MNOs) to become Identity Providers • Developing (1) a profile of and (2) an extension to OpenID Connect for use by MNOs providing identity services.
  • 4. What is Mobile Connect? • Mobile phone number as user identifier • Mobile phone as authenticator • MNO as authentication/identity provider • Replace passwords and hardware security tokens
  • 7. Mobile Connect Reference Architecture 2. The service provider requests the authenticating operator from the API Exchange. 3. The service provider makes a request for authentication. 4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities 1. The user clicks on a Mobile Connect button to access a service. • SIM Applet • USSD • SMS • Smartphone App • FIDO MNO Service access request Authentication Service Provider Authentication request Authentication server Identity Gateway MNO Discovery
  • 8. MODRNA WG 2. The service provider requests the authenticating operator from the API Exchange. 3. The service provider makes a request for authentication. 4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities 1. The user clicks on a Mobile Connect button to access a service. • SIM Applet • USSD • SMS • Smartphone App • FIDO MNO Service access request Authentication Service Provider Authentication request Authentication server Identity Gateway MNO Discovery 1 2 3 Set up credentials
  • 9. MODRNA Specifications • Discovery – http://openid.net/specs/openid-connect-modrna-authentication-1_0.html – Dedicated discovery service – Account Chooser integration • Client Registration – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-registration-01.html – OIDC Dynamic Client Registration with software statements (RFC 7591) – Mandatory claims in the statements – Signature algorithms – Lifecycle management, e.g. revocation of statements/blocking of RPs • Authentication – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html – ACR values – Additional parameters
  • 10. Auxiliary MODRNA Work • Client Initiated Backchannel Authentication – http://openid.net/specs/openid-connect-modrna-client-initiated-backchannel-authentication- 1_0.html – Mechanism to perform authentication (out-of-band) when there is no user agent available and the authentication process needs to initiated via server-to-server communication • User Questioning API – http://openid.net/specs/openid-connect-user-questioning-api-1_0.html – Mechanism to perform transaction authorizations. Define additional OpenID Connect endpoint (Resource Server) that RP would use (server-to-server) to initiate transaction authorization processes • Account Porting – http://openid.net/specs/openid-connect-account-porting-1_0.html – Mechanism to allow the migration of user account from old to new OP – Protocol allowing new OP to obtain the necessary user data from the old OP and provide every RP with the necessary data to migrate the RP's local user account data in a secure way
  • 11. MODRNA WG Status • Following four specifications approved as Implementer’s Draft (May 2017). – MODRNA Authentication Profile – Account Porting – User Questioning API – Client Initiated Backchannel Authentication • Collaboration with Financial API (FAPI) WG on use cases, Mobile Connect, Backchannel Authentication, and Dynamic Client Registration. – Joint face-to-face meeting with FAPI WG planned for Nov. in London. • Collaboration with International Government Assurance (iGov) WG on Attribute Exchange using NIST IR 8112 Attribute Metadata as guideline.
  • 12. MODRNA - GSMA CPAS Status • Established a Governance Process for how Mobile Connect will reference and adopt MODRNA spec. – Process outlines how Mobile Connect specs. handle Implementer’s Draft and Published specs. • Collaboration with GSMA includes joint MODRNA – GSMA CPAS technical workshop held twice a year with significant progress achieved. – Recent (May 2017) workshop focused on the development of Client Initiated Backchannel Authentication spec. • Active work on aligning priorities and roadmap between both organizations. • Services Enabler model and evolved Mobile Connect architecture in Release 3 targeted for 2018. – MODRNA Discovery Profile spec. proposal for discovery functionality. – Dynamic client registration with software statements (RFC 7591) for credential management.