Mobile Connect

From IIW

Session Topic: Mobile Connect: What would you, as RP/IdP/attribute brokers, want from the carriers?

Wednesday 3H

Convener: Michael Engan (T-Mobile)

Notes-taker(s): Michael Engan

Tags for the session - technology discussed/ideas considered:

Mobile Connect, GSMA, One API, multiple user agents

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The group gathered to discuss and review the Mobile Connect work that the GSMA is currently doing. The Mobile Connect suite will likely be an extension of OpenID Connect that supports the use cases and data models of mobile network providers.


An OpenID Foundation working group is being stood up to work on the common profile and claims that may exist with Mobile Connect, and the possible OpenID extensions.


GSMA is a member of OIX and vice versa.


The group discussed what data the MNOs (mobile network operators) might have. This included, but was not limited to:


Phone number

Other phone numbers on the account

Location (billing address, mailing address, e911 address, and current location)

Credit class

Billable support

Device identifiers or details (phone type, version, OS…)

Proof of life (has this user been in one fixed location, or moving around and making calls like a real person does?)


Various use cases were discussed, but most seemed to focus on the MNOs as second-factor authentication providers, perhaps to elevate the LoA (level of assurance) of the initial IdP.


Some other examples covered the out-of-band connection and multiple-user-agent options.


For instance, a user on a PC authenticates with an IdP. The IdP makes a request to the MNO for a second layer (higher LoA). The MNO reaches out directly to the user's device (not their PC browser). The user approves the transaction on their phone, and then sees the PC now logged in.
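The out-of-band flow above can be modeled in a few lines. This is an added example, not part of the session notes or of any GSMA or OpenID specification; every class, function and field name, the LoA values 1 and 2, and the 120-second lifetime are assumptions. The points it shows are that the approval is bound to one handset, is single-use, and expires.

```python
import secrets

TTL = 120  # assumed lifetime of a pending approval, in seconds

class MNO:
    """Hypothetical operator-side second-factor service (all names are assumptions)."""
    def __init__(self):
        self.requests = {}

    def start(self, msisdn, prompt, now):
        """Back-channel call from the IdP; the returned id stands in for the push to the phone."""
        rid = secrets.token_urlsafe(16)
        self.requests[rid] = {"msisdn": msisdn, "prompt": prompt,
                              "status": "pending", "expires": now + TTL}
        return rid

    def device_answer(self, msisdn, rid, approve, now):
        """Call from the phone: only the targeted device may answer, once, before expiry."""
        req = self.requests.get(rid)
        if req is None or req["msisdn"] != msisdn or req["status"] != "pending":
            return False
        if now > req["expires"]:
            req["status"] = "expired"
            return False
        req["status"] = "approved" if approve else "denied"
        return True

    def consume(self, rid):
        """Back-channel poll from the IdP; a final result is handed out once, then forgotten."""
        req = self.requests.get(rid)
        if req is None:
            return "unknown"
        if req["status"] != "pending":
            del self.requests[rid]
        return req["status"]

def new_session(msisdn):
    # IdP-side state for the PC browser session after first-factor login (LoA 1 assumed).
    return {"msisdn": msisdn, "loa": 1, "rid": None}

def request_step_up(mno, session, now):
    """IdP asks the MNO to confirm on the user's phone; the PC browser never sees the request."""
    session["rid"] = mno.start(session["msisdn"], "Approve sign-in on your PC?", now)
    return session["rid"]

def poll(mno, session):
    """IdP raises the session's LoA only when the MNO reports approval of this session's request."""
    if session["rid"] and mno.consume(session["rid"]) == "approved":
        session["loa"], session["rid"] = 2, None
    return session["loa"]
```
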


Other uses centered on the combination of location and the user, together with user proofing. For instance, when the user is in a store, the MNO can prove that it is that user/device currently in the store.


Side conversations also covered MNO exposure of SIM and SIM authenticators, and the relevance of the existing One API that GSMA already provides as a point-to-point query protocol with no user consents.