OIDF MODRNA WG Update

From IIW

MODRNA


Tuesday 1H

Convener: Bjorn Hjelm, John Bradley

Notes-taker(s): Mike Schwartz

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

MODRNA (pronounced modernah) stands for Mobile Operator Discovery, Registration & autheNticAtion. The MODRNA WG is developing a profile of OpenID Connect intended to be appropriate for use by mobile network operators (MNOs) providing identity services to RPs and for RPs in consuming those services as well as any other party wishing to be interoperable with this profile. The WG is also developing extensions to OpenID Connect as needed in the context of GSMA’s Mobile Connect initiative (GSMA = GSM Association), such as server-initiated authentication, transaction authorization, and account migration. Additionally, it will identify and make recommendations for additional standards items.

It is not just about logging into things from your phone, but also about logging into web applications and using your phone as the authentication mechanism.

Standardizing the profile for the phone operators.


User ---> SP <--- API Exchange
           ^
           |
          MNO


Authenticators: FIDO / SIM


Each MNO can run its own OpenID Connect OP, but there are also hubs serving multiple MNOs.


MODRNA has a few specs:


MODRNA Discovery

MODRNA Registration

MODRNA Authentication Profile

OpenID Connect Account Porting

OpenID User Questioning API

OpenID Backchannel Authentication


The GSMA issues software statements to the RPs, which they can use to register at the MNO OPs to get client credentials. It is a similar design to the OpenID Connect banking standard. The software statement is basically a Metadata Statement as defined in the OpenID Connect Federation draft spec.


Discovery is in the API Exchange. It is not required if the operator has another way to look up the metadata (e.g. an operator can set up a discovery endpoint that all the operators in Germany might use). In a given country, you probably already know the mappings of numbers to carriers.


Right now, RPs are not generating JWT metadata statements, but are simply going to a form to fill out the information about their RP.
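As an added example (not part of the session notes and not GSMA or MODRNA code), this shows the registration flow the two paragraphs above describe: an issuer signs an RP's metadata as a JWT software statement, the RP submits it in an RFC 7591 dynamic registration request, and the MNO OP validates it before issuing client credentials. The issuer URL, OP URL, secret and RP metadata are constructed placeholders, and HS256 with a shared secret stands in for the asymmetric signature a real issuer would use, so the example runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo material (assumptions, not values from the notes).
TRUSTED_ISSUER = "https://issuer.example/gsma"   # hypothetical statement issuer
ISSUER_SECRET = b"constructed-demo-secret"       # HS256 stand-in for the issuer's key
DEMO_NOW = 1_700_000_000                         # fixed clock for deterministic output
EXAMPLE_STATEMENT_CLAIMS = {
    "iss": TRUSTED_ISSUER,
    "iat": DEMO_NOW,
    "exp": DEMO_NOW + 3600,
    "software_id": "rp-demo-0001",
    "client_name": "Demo Shop",
    "redirect_uris": ["https://rp.example/cb"],
    "contacts": ["security@rp.example"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_software_statement(claims: dict, secret: bytes) -> str:
    """Issuer side: wrap RP metadata in a compact JWS (HS256, demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_software_statement(token: str, secret: bytes, now: float = None) -> dict:
    """OP side: check structure, alg, signature, issuer and expiry; ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed software statement")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":   # pin the algorithm; never honour alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("software statement expired")
    return claims


def process_registration(request: dict, secret: bytes, now: float = None) -> dict:
    """OP side of dynamic registration. Signed claims take precedence over the
    unsigned request parameters (RFC 7591), so the RP cannot widen redirect_uris
    beyond what the issuer vouched for. Contact info is required, as the notes
    say the GSMA terms demand."""
    statement = verify_software_statement(request["software_statement"], secret, now)
    metadata = {k: v for k, v in request.items() if k != "software_statement"}
    metadata.update(statement)                     # signed values override unsigned ones
    for required in ("software_id", "redirect_uris", "contacts"):
        if not metadata.get(required):
            raise ValueError(f"missing {required}")
    return {                                       # constructed client credentials
        "client_id": "client-" + hashlib.sha256(metadata["software_id"].encode()).hexdigest()[:16],
        "client_secret": secrets.token_urlsafe(32),
        "client_name": metadata.get("client_name"),
        "redirect_uris": metadata["redirect_uris"],
        "contacts": metadata["contacts"],
    }


def registration_error(request: dict, secret: bytes, now: float = None):
    """Return the rejection reason for a request, or None if it was accepted."""
    try:
        process_registration(request, secret, now)
        return None
    except ValueError as e:
        return str(e)


def demo() -> dict:
    statement = sign_software_statement(EXAMPLE_STATEMENT_CLAIMS, ISSUER_SECRET)
    # The unsigned part of the request carries an extra redirect URI and a
    # different name; the OP keeps only what the signed statement says.
    request = {
        "software_statement": statement,
        "redirect_uris": ["https://rp.example/cb", "https://other.example/cb"],
        "client_name": "Demo Shop (unsigned)",
    }
    return process_registration(request, ISSUER_SECRET, now=DEMO_NOW)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two checks worth carrying into a real OP are the pinned algorithm and the precedence rule: the unsigned request body is attacker-controllable, the statement is not, so every security-relevant element (redirect URIs above all) must come from the signed part.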


Adoption is going well in Africa, India, Pakistan for banking, commerce (the Indian version of ebay).


There is no fee from the GSMA for registration. RPs must agree to the terms of service and privacy terms and provide contact info. MNOs may charge for advanced services like 2FA, identity proofing (higher LOA), or backchannel authentication (like a push notification).


The only fee is for lookups from the API Exchange (the first million lookups are free).


Software statements may be revoked, but it will be handled on a case by case basis.


Even feature phones can support the SIM card implementation. However, iPhones don't give access to the SIM card, so FIDO is better there (UAF to a dedicated authenticator app).