SlideShare a Scribd company logo

OpenID Foundation MODRNA WG Update

Download as PPTX, PDF
Bjorn Hjelm
Bjorn Hjelm

This document discusses the MODRNA working group, which aims to develop profiles and extensions to OpenID Connect for use by mobile network operators providing identity services. It provides an overview of Mobile Connect and how it uses the mobile phone number and device for user authentication. It then describes MODRNA specifications for discovery, client registration, and authentication. Additional work on user questioning APIs, account porting, and client-initiated backchannel authentication is mentioned. The status of MODRNA, its collaboration with GSMA on Mobile Connect, and next steps are also summarized.

1 of 14
MODRNA WG The interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect October 22, 2018 Bjorn Hjelm Verizon John Bradley Yubico http://openid.net/wg/mobile/
Purpose • Support GSMA technical development of Mobile Connect • Enable Mobile Network Operators (MNOs) to become Identity Providers • Developing (1) a profile of and (2) an extension to OpenID Connect for use by MNOs providing identity services.
Participants
What is Mobile Connect? • Mobile phone number as user identifier • Mobile phone as authenticator • MNO as authentication/identity provider • Replace passwords and hardware security tokens
Example Use Case
Mobile Connect Portfolio Roadmap
Mobile Connect Reference Architecture 2. The service provider requests the authenticating operator from the API Exchange. 3. The service provider makes a request for authentication. 4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities 1. The user clicks on a Mobile Connect button to access a service. • SIM Applet • USSD • SMS • Smartphone App • FIDO MNO Service access request Authentication Service Provider Authentication request Authentication server Identity Gateway MNO Discovery
MODRNA WG 2. The service provider requests the authenticating operator from the API Exchange. 3. The service provider makes a request for authentication. 4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities 1. The user clicks on a Mobile Connect button to access a service. • SIM Applet • USSD • SMS • Smartphone App • FIDO MNO Service access request Authentication Service Provider Authentication request Authentication server Identity Gateway MNO Discovery 1 2 3 Set up credentials
MODRNA Specifications • Discovery – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html – Specifies a way to normalize a user identifier applicable to a mobile environment and MNO. The specification defines discovery flow for both web and native applications residing on mobile device. • Client Registration – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-registration-01.html – Defines how a RP dynamically registers with a MNO by extending the OIDC Dynamic Client Registration with software statements (RFC 7591). • Authentication – http://openid.net/specs/openid-connect-modrna-authentication-1_0.html – Specify how RP’s request a certain level of assurance (LoA) for the authentication and an encrypted login hint token to allow for the transport of user identifiers to the MNO in a privacy preserving fashion. The specification also specify an additional message parameter to bind the user’s consumption device and authentication device.
Auxiliary MODRNA Work • User Questioning API – http://openid.net/specs/openid-connect-user-questioning-api-1_0.html – Defines a mechanism to perform transaction authorizations. Define additional OpenID Connect endpoint (Resource Server) that RP would use (server-to-server) to initiate transaction authorization processes. • Account Porting – http://openid.net/specs/openid-connect-account-porting-1_0.html – Defines a mechanism to allow the migration of user account from old to new OP. – Protocol allowing new OP to obtain the necessary user data from the old OP and provide every RP with the necessary data to migrate the RP's local user account data in a secure way.
CIBA Development • Initial work on Client Initiated Backchannel Authentication (CIBA) specification started to define a mechanism to perform authentication (out-of-band) when there is no user agent available and the authentication process needs to initiated via server-to-server communication. – CIBA specification approved as Implementer’s Draft in May 2017. • As part of the collaboration with Financial-grade API (FAPI) WG, the CIBA specification will be spilt into two specifications to support multiple use cases. – The CIBA Core specification defines the flows where the RP initiates an authentication (out-of-band) when there is no user agent available and the authentication process needs to initiated via server-to-server communication. – The MODRNA: Client Initiated Backchannel Authentication Profile addresses the MODRNA requirements for CIBA. • Working group scheduled extra calls to resolve open issue with the plan to have the specifications ready for Implementer’s Draft end of October.
MODRNA WG Status • CIBA development a priority for the group to get specs. ready for Implementer’s Draft. • Discovery Profile progressing towards Implementer’s Draft status in support of market deployment. – U.S. deployment to support mobile-based authentication is leveraging the MODRNA Discovery specification. • Account Porting discussion taking place to address options in the first part of the porting flow. – The first stage for a porting event is for the New OP to get confirmation from the Old OP that the user wants to port and discussions focused on what can be leveraged from existing MNO porting events to start the porting process. • Plan to progress Authentication Profile towards Final Specification. – Effort planned for Nov-Dec after CIBA development has been either completed or progressed enough to allocate time for this effort.
MODRNA - GSMA CPAS Status • User Questioning API being adopted by Mobile Connect as an enabler based on work done in MODRNA WG. – Mobile Connect product definition and technical effort led by Orange. • Possible impact to Mobile Connect from new CIBA development. – Mobile Connect currently support back-channel authentication in the Server- initiated Profile specification. • New work started to add support in Mobile Connect for Token Binding. – Based on recent IETF approved RFCs and work aligning with OpenID Connect Token Bound Authentication spec. in EAP (Enhanced Authentication Profile) WG. – Token Binding also considered and supported by MNO community.
Thank you http://openid.net/wg/mobile/

More Related Content

OpenID Foundation MODRNA WG Update

  • 1. MODRNA WG The interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect October 22, 2018 Bjorn Hjelm Verizon John Bradley Yubico http://openid.net/wg/mobile/
  • 2. Purpose • Support GSMA technical development of Mobile Connect • Enable Mobile Network Operators (MNOs) to become Identity Providers • Developing (1) a profile of and (2) an extension to OpenID Connect for use by MNOs providing identity services.
  • 4. What is Mobile Connect? • Mobile phone number as user identifier • Mobile phone as authenticator • MNO as authentication/identity provider • Replace passwords and hardware security tokens
  • 7. Mobile Connect Reference Architecture 2. The service provider requests the authenticating operator from the API Exchange. 3. The service provider makes a request for authentication. 4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities 1. The user clicks on a Mobile Connect button to access a service. • SIM Applet • USSD • SMS • Smartphone App • FIDO MNO Service access request Authentication Service Provider Authentication request Authentication server Identity Gateway MNO Discovery
  • 8. MODRNA WG 2. The service provider requests the authenticating operator from the API Exchange. 3. The service provider makes a request for authentication. 4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities 1. The user clicks on a Mobile Connect button to access a service. • SIM Applet • USSD • SMS • Smartphone App • FIDO MNO Service access request Authentication Service Provider Authentication request Authentication server Identity Gateway MNO Discovery 1 2 3 Set up credentials
  • 9. MODRNA Specifications • Discovery – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html – Specifies a way to normalize a user identifier applicable to a mobile environment and MNO. The specification defines discovery flow for both web and native applications residing on mobile device. • Client Registration – http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-registration-01.html – Defines how a RP dynamically registers with a MNO by extending the OIDC Dynamic Client Registration with software statements (RFC 7591). • Authentication – http://openid.net/specs/openid-connect-modrna-authentication-1_0.html – Specify how RP’s request a certain level of assurance (LoA) for the authentication and an encrypted login hint token to allow for the transport of user identifiers to the MNO in a privacy preserving fashion. The specification also specify an additional message parameter to bind the user’s consumption device and authentication device.
  • 10. Auxiliary MODRNA Work • User Questioning API – http://openid.net/specs/openid-connect-user-questioning-api-1_0.html – Defines a mechanism to perform transaction authorizations. Define additional OpenID Connect endpoint (Resource Server) that RP would use (server-to-server) to initiate transaction authorization processes. • Account Porting – http://openid.net/specs/openid-connect-account-porting-1_0.html – Defines a mechanism to allow the migration of user account from old to new OP. – Protocol allowing new OP to obtain the necessary user data from the old OP and provide every RP with the necessary data to migrate the RP's local user account data in a secure way.
  • 11. CIBA Development • Initial work on Client Initiated Backchannel Authentication (CIBA) specification started to define a mechanism to perform authentication (out-of-band) when there is no user agent available and the authentication process needs to initiated via server-to-server communication. – CIBA specification approved as Implementer’s Draft in May 2017. • As part of the collaboration with Financial-grade API (FAPI) WG, the CIBA specification will be spilt into two specifications to support multiple use cases. – The CIBA Core specification defines the flows where the RP initiates an authentication (out-of-band) when there is no user agent available and the authentication process needs to initiated via server-to-server communication. – The MODRNA: Client Initiated Backchannel Authentication Profile addresses the MODRNA requirements for CIBA. • Working group scheduled extra calls to resolve open issue with the plan to have the specifications ready for Implementer’s Draft end of October.
  • 12. MODRNA WG Status • CIBA development a priority for the group to get specs. ready for Implementer’s Draft. • Discovery Profile progressing towards Implementer’s Draft status in support of market deployment. – U.S. deployment to support mobile-based authentication is leveraging the MODRNA Discovery specification. • Account Porting discussion taking place to address options in the first part of the porting flow. – The first stage for a porting event is for the New OP to get confirmation from the Old OP that the user wants to port and discussions focused on what can be leveraged from existing MNO porting events to start the porting process. • Plan to progress Authentication Profile towards Final Specification. – Effort planned for Nov-Dec after CIBA development has been either completed or progressed enough to allocate time for this effort.
  • 13. MODRNA - GSMA CPAS Status • User Questioning API being adopted by Mobile Connect as an enabler based on work done in MODRNA WG. – Mobile Connect product definition and technical effort led by Orange. • Possible impact to Mobile Connect from new CIBA development. – Mobile Connect currently support back-channel authentication in the Server- initiated Profile specification. • New work started to add support in Mobile Connect for Token Binding. – Based on recent IETF approved RFCs and work aligning with OpenID Connect Token Bound Authentication spec. in EAP (Enhanced Authentication Profile) WG. – Token Binding also considered and supported by MNO community.