This document provides an overview of the MODRNA Working Group and its work on developing specifications to support identity services provided by Mobile Network Operators. The key points are:
1. MODRNA is working to develop profiles and extensions to OpenID Connect to enable MNOs to serve as identity providers.
2. They have developed specifications for discovery, registration, authentication and auxiliary functions like user questioning and account porting.
3. A major focus was completing the Client Initiated Backchannel Authentication specification to allow for authentication without a user agent.
4. Specifications are at various stages from draft to implementers draft, with ongoing work to progress additional specs and profiles.
1. MODRNA WG
The interface of MODRNA (Mobile Profile of OpenID Connect) and GSMA Mobile Connect
April 29, 2019
Bjorn Hjelm
Verizon
John Bradley
Yubico
http://openid.net/wg/mobile/
2. Purpose
• Support GSMA technical development of Mobile Connect
• Enable Mobile Network Operators (MNOs) to become Identity Providers
• Developing (1) a profile of and (2) an extension to OpenID Connect for use by MNOs providing identity services.
4. What is Mobile Connect?
• Mobile phone number as user identifier
• Mobile phone as authenticator
• MNO as authentication/identity provider
• Replace passwords and hardware security tokens
7. Mobile Connect Reference Architecture
1. The user clicks on a Mobile Connect button to access a service.
2. The service provider requests the authenticating operator from the API Exchange.
3. The service provider makes a request for authentication.
4. The operator selects the appropriate authenticator depending on the request for assurance and capabilities:
• SIM Applet
• USSD
• SMS
• Smartphone App
• FIDO
(Figure: reference architecture diagram showing the Service Provider, MNO Discovery, and the MNO's Identity Gateway and Authentication server, connected by the "Service access request", "Authentication request" and "Authentication" flows.)
8. MODRNA WG
(Figure: the same Mobile Connect reference architecture diagram as on slide 7, annotated with callouts 1, 2, 3 and "Set up credentials".)
9. MODRNA Specifications
• Discovery Profile
– http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html
– Specifies a way to normalize a user identifier applicable to a mobile environment and an MNO. The specification defines the discovery flow for both web and native applications residing on a mobile device.
• Registration Profile
– http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-registration-01.html
– Defines how an RP (client) dynamically registers with an MNO by extending OpenID Connect Dynamic Client Registration with software statements (RFC 7591).
• Authentication Profile
– http://openid.net/specs/openid-connect-modrna-authentication-1_0.html
– Specifies how RPs request a certain level of assurance (LoA) for the authentication and an encrypted login hint token that allows user identifiers to be transported to the MNO in a privacy-preserving fashion. The specification also specifies an additional message parameter to bind the user's consumption device and authentication device.
10. Auxiliary MODRNA Work
• User Questioning API
– http://openid.net/specs/openid-connect-user-questioning-api-1_0.html
– Defines a mechanism to perform transaction authorizations.
– Defines an additional OpenID Connect endpoint (Resource Server) that the RP uses (server-to-server) to initiate transaction authorization processes.
• Account Porting
– http://openid.net/specs/openid-connect-account-porting-1_0.html
– Defines a mechanism to allow the migration of a user account from an old OP to a new OP.
– Protocol allowing the new OP to obtain the necessary user data from the old OP and to provide every RP with the data it needs to migrate its local user account data in a secure way.
11. CIBA Development
• Initial work on the Client Initiated Backchannel Authentication (CIBA) specification defined a mechanism to perform authentication (out-of-band) when there is no user agent available and the authentication process needs to be initiated via server-to-server communication.
• As part of the collaboration with the Financial-grade API (FAPI) WG, the CIBA specification was split into two specifications to support multiple use cases.
– The CIBA Core specification defines the flows where the RP initiates an authentication (out-of-band) when there is no user agent available and the authentication process needs to be initiated via server-to-server communication.
– The MODRNA: Client Initiated Backchannel Authentication Profile addresses the MODRNA requirements for CIBA.
• CIBA Core specification approved as Implementer's Draft on Feb. 4, 2019.
– https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-ID1.html
• The working group continues to work on the MODRNA CIBA Profile.
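As an added illustration of the CIBA Core poll-mode exchange described above (not code from the working group or any OP), the block below simulates both sides: an in-memory stand-in for an OP's backchannel authentication and token endpoints, and the RP's polling loop. The user hint, the requested LoA (acr_values) and the binding_message are constructed sample values; the user's approval on the phone is simulated by a poll count, and the clock is passed in so the interval and expiry handling can be exercised deterministically.

```python
import secrets

# Constructed stand-in for an OP, not a real implementation. Time is a passed-in clock.
CIBA_GRANT = "urn:openid:params:grant-type:ciba"
HINTS = ("login_hint_token", "id_token_hint", "login_hint")

class BackchannelOP:
    def __init__(self, polls_until_approved=3, interval=5, lifetime=120):
        self.pending, self.interval, self.lifetime = {}, interval, lifetime  # auth_req_id -> state
        self.polls_until_approved = polls_until_approved  # stands in for the user approving on the phone

    def backchannel_authentication(self, client_id, params, now):
        # CIBA requires the openid scope and exactly one user-hint parameter.
        if "openid" not in params.get("scope", "").split() or sum(h in params for h in HINTS) != 1:
            return {"error": "invalid_request"}
        auth_req_id = secrets.token_urlsafe(32)
        self.pending[auth_req_id] = {"client_id": client_id, "polls": 0, "last_poll": None,
                                     "expires_at": now + self.lifetime, "acr_values": params.get("acr_values"),
                                     "binding_message": params.get("binding_message")}  # LoA and message for the authenticator
        return {"auth_req_id": auth_req_id, "expires_in": self.lifetime, "interval": self.interval}

    def token(self, client_id, grant_type, auth_req_id, now):
        req = self.pending.get(auth_req_id)
        if grant_type != CIBA_GRANT or req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > req["expires_at"]:
            self.pending.pop(auth_req_id)
            return {"error": "expired_token"}
        if req["last_poll"] is not None and now - req["last_poll"] < self.interval:
            return {"error": "slow_down"}  # polled faster than the advertised interval
        req["last_poll"], req["polls"] = now, req["polls"] + 1
        if req["polls"] < self.polls_until_approved:
            return {"error": "authorization_pending"}  # user has not approved yet
        self.pending.pop(auth_req_id)
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "id_token": "<id_token placeholder>"}

def rp_authenticate(op, client_id, params, now=0.0):
    """RP side: start the backchannel request, poll until a final answer. Returns (response, polls)."""
    start = op.backchannel_authentication(client_id, params, now)
    if "error" in start: return start, 0
    interval, polls = start["interval"], 0
    while True:
        now, polls = now + interval, polls + 1
        resp = op.token(client_id, CIBA_GRANT, start["auth_req_id"], now)
        if resp.get("error") == "slow_down":
            interval += 5  # CIBA Core: back off by 5 seconds after slow_down
        elif resp.get("error") != "authorization_pending":
            return resp, polls
```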
12. MODRNA WG Status
• Majority of time (fall 2018 and early 2019) spent on completing the CIBA Core specification for the Implementer's Draft vote.
• Currently working on post-Implementer's Draft issues for the CIBA Core spec. and completing the MODRNA CIBA Profile.
• Additional specifications in development
– Plans to progress the Authentication Profile towards Final Specification.
• Delayed due to CIBA development, but only minor open issues remain before the spec. is completed.
– Discovery Profile to progress towards Implementer's Draft status in support of market deployment.
• A U.S. deployment to support mobile-based authentication is leveraging the MODRNA Discovery spec.
– Continue the Account Porting discussions to address options in the first part of the porting flow.
• The first stage of a porting event is for the New OP to get confirmation from the Old OP that the user wants to port; discussions focused on what can be leveraged from existing MNO porting events to start the porting process.
13. MODRNA Specification Status
Implementer’s Drafts
• Authentication Profile
• Account Porting
• User Questioning API
• CIBA Core
Drafts
• Discovery Profile
• Registration Profile
• MODRNA CIBA Profile
More information available at https://openid.net/wg/mobile/status/.
14. MODRNA - GSMA CPAS Status
• GSMA CPAS has focused on re-structuring the Mobile Connect specifications over the last 3-6 months.
• User Questioning API adopted by Mobile Connect as an enabler based on work done in the MODRNA WG.
– Mobile Connect product definition and technical effort led by Orange.
• Possible impact to Mobile Connect from the new CIBA development.
– Mobile Connect currently supports back-channel authentication in the Server-initiated Profile specification.
• New work started to add support in Mobile Connect for Token Binding.
– Based on recently approved IETF RFCs and work aligning with the OpenID Connect Token Bound Authentication specification in the EAP (Enhanced Authentication Profile) WG.