oix telco gsma telus 2013cis


Post on 20-Jul-2016


Page 1: Oix Telco Gsma Telus 2013CIS

GLOBAL TELECOM INVOLVEMENT in the IDENTITY ECOSYSTEM

July 2013

Page 2: Oix Telco Gsma Telus 2013CIS

SPEAKERS

David Pollington – GSMA (UK/EU)

Andrew Johnston – TELUS (CANADA)

Scott Rice – PACIFICEAST / OIX TDWG (US)

Page 3: Oix Telco Gsma Telus 2013CIS

Telecom Data Working Group:

Verification Trust Framework

July 2013

Page 4: Oix Telco Gsma Telus 2013CIS

Telecom Data Working Group: Verification Trust Framework

The Telecom Data Working Group (TDWG) was founded in 2010 by AT&T, Verizon, TNSI & PacificEast

Focus: North American Telco-Centric PII/TN Verification

Framework approved March 2013.

Most members came from disbanded LIDB Forum

Contractual, not Standards

Framework focused on the “what”, not the “how”

Page 5: Oix Telco Gsma Telus 2013CIS

Telecom Data Working Group: Verification Trust Framework

Allowed Purposes:

• Law Enforcement

• Fraud Prevention

• Identity Verification

Page 6: Oix Telco Gsma Telus 2013CIS

Telecom Data Working Group: Verification Trust Framework

Forbidden Purposes:

• Updating Databases

• Marketing without clear and conspicuous consumer opt-in

Page 7: Oix Telco Gsma Telus 2013CIS

Telecom Data Working Group: Verification Trust Framework

Process Flow:

Name

Billing Address

Telephone Number

Page 8: Oix Telco Gsma Telus 2013CIS

Telecom Data Working Group: Verification Trust Framework

Process Flow:

Certified Verification System

Name

Billing Address

Telephone Number

Page 9: Oix Telco Gsma Telus 2013CIS

Telecom Data Working Group: Verification Trust Framework

Process Flow:

Certified Verification System

Name

Billing Address

Telephone Number

Cooperating Carrier/Operators

Page 11: Oix Telco Gsma Telus 2013CIS

Telecom Data Working Group: Verification Trust Framework

Cooperating Carrier/Operators

Mobility

Landline

VoIP

Landline Only

Landline Only

Page 12: Oix Telco Gsma Telus 2013CIS

Telecom Data Working Group: Verification Trust Framework

Contractual or Transactional

Depends on verification source, contractual permission & multi-factor authentication

Level of Assurance

Page 13: Oix Telco Gsma Telus 2013CIS

Telecom Data Working Group: Verification Trust Framework

Telified

Commercial Implementations

TNSVerify

Neither have yet been certified

™ Launched: May 2013

Launched: April 2011

Page 14: Oix Telco Gsma Telus 2013CIS

© GSMA 2013

All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy

June 2013

Mobilising Identity

Page 15: Oix Telco Gsma Telus 2013CIS


Overview of the GSMA

• Founded: 1982

• Purpose: The GSMA represents the interests of the mobile industry and mobile users worldwide

• Membership: 800 network operators and 230+ companies from wider mobile ecosystem

• Mobile Identity Programme: 1 of 6 strategic programmes

To help mobile operators deliver interoperable authentication that enables consumers, business and government to transact in a private, trusted and secure environment

Page 16: Oix Telco Gsma Telus 2013CIS


GSMA mIdentity programme covers 3 core areas

[Diagram: areas numbered 1, 2 and 3, linked to the Service Provider (Relying Party). Labels: Authentication services; Identity services + Verified identity; Attribute sharing; Credential assertion]

Page 17: Oix Telco Gsma Telus 2013CIS


1. Portfolio of identity assertion & mgmt services

Untrusted

Verified

Level of assurance

Federated Identity (unverified)

SIM Secret-PIN (mobile signature ‘lite’)

Mobile Signature

Federated Identity + seamless login [1]

[1] Seamless login provides identity assertion via MSISDN

Anonymous

Page 18: Oix Telco Gsma Telus 2013CIS


2. Authentication services

Internet

Mobile network

Username & password

Authentication

Something I Know

Something I Have

Page 19: Oix Telco Gsma Telus 2013CIS

19 CONFIDENTIAL

Leveraging the phone to provide authentication is a natural, logical progression

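[Figure: authentication options plotted by "Ease of Use / Convenience for Users" (vertical axis) against "Practicality for Issuers" (horizontal axis); the callouts follow]

Deeply inconvenient for users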

Not especially secure

Easily lost

Costly to update

Not particularly user friendly

Very expensive for issuer

Easily lost

Disliked by consumers

Potentially very easy to use

Inexpensive for issuers

Remotely manageable

Harder to lose

Page 20: Oix Telco Gsma Telus 2013CIS


Something I Am

1. Behavioural profiling

– Location check (in expected country; in habitual location)

– More sophisticated behavioural profiling possible if requested/consented to by the customer

2. Biometrics

– Operator partnership with biometric suppliers (fingerprint, iris scan, voice recognition) to pre-embed functionality into mobile handsets

Additional authentication factors

Page 21: Oix Telco Gsma Telus 2013CIS


3. Attribute sharing & credential assertion

Various standards:

– OAuth 2.0, OpenID AX, OpenID Connect

Wide range of attributes:

– Name, alias, user ID

– DoB, gender, language, photo

– Home address, business address

– Contact details (Phone number, email, IM etc.)

– Online identifiers (LinkedIn, Facebook, Twitter etc.)

Many verified at contract registration (market dependent)

Attribute usage dependent on user consent & privacy model

Option of provisioning credentials directly into SIM either for presentation via the display or via NFC

Page 22: Oix Telco Gsma Telus 2013CIS


Operators already launching identity services…

Page 23: Oix Telco Gsma Telus 2013CIS


The mobile phone has become ubiquitous, carried with you all the time…

…and is therefore an ideal extension of you and a tool for authenticating your identity

Operators exploring & delivering identity services in 3 areas:

1. Identity assertion

2. Authentication

3. Attribute/credential sharing

Through the mobile network, mobile phone and SIM, Operators can help support identity services & requirements in ways which are:

– Convenient for the user

– Cost effective for the Identity Provider and Service Provider

Take aways

Page 24: Oix Telco Gsma Telus 2013CIS


David Pollington

[email protected]

Page 25: Oix Telco Gsma Telus 2013CIS

OIX Workshop: Global Telecom and the Identity Ecosystem

Andrew Johnston

Member of the TELUS team

Cloud Identity Summit 2013

July 8, 2013

Page 26: Oix Telco Gsma Telus 2013CIS

TELUS Public 26

(coverage map)

(key services, technology)

Page 27: Oix Telco Gsma Telus 2013CIS


Canadian operators working together

Inter-carrier messaging: Very successful

Location services: Good, not great

Video-calling: Inter-operation before customer demand?

Page 28: Oix Telco Gsma Telus 2013CIS

© GSMA 2010

Network APIs provide easy, quick access to carriers’ unique network assets without developers needing to undergo lengthy and costly integrations, or needing to learn each network intricacy.

Access to Over 22 Million Customers through a Single Set of APIs

Faster time-to-market, lower costs and broader customer base for the developer!

[Diagram: carrier APIs shown for both the old and the new state: Bell Location, Rogers Billing, Rogers SMS, Bell SMS, TELUS Billing, Bell Billing, Rogers Location, TELUS Location, TELUS SMS]

Old State: Many Integrations Required

New State: Single Seamless Integration

OneAPI standardized and cross-functional APIs, single integration

Pilot Abstraction Platform

Fragmented, with many integrations required

???

Page 29: Oix Telco Gsma Telus 2013CIS


Identity for operators

What problem are we solving?

Clear use-cases are important

Identity as an API enabler

Standards are essential

Interoperable, interchangeable technology

OAuth 2.0, OpenID Connect

Defined security, privacy and assurance characteristics

Trust frameworks

Balance incentives

Recognize that not all participants are market equals

Ensure all can contribute, and all can benefit

Page 30: Oix Telco Gsma Telus 2013CIS

Thanks!

[email protected]