[Openid-specs-mobile-profile] [UQ API] SMS OTP requirement

Torsten.Lodderstedt at telekom.de Torsten.Lodderstedt at telekom.de
Thu Dec 1 08:09:14 UTC 2016

Hi Nicolas,

one question: I think one could implement SMS-based authorization without the need to extend the protocol by sending a SMS containing a URL instead of a TAN code. The user either accepts by clicking on the link or the link opens a web page, where the question is presented to the user along with the different options to answer it.

What do you think?

Best regards,

Von: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] Im Auftrag von nicolas.aillery at orange.com
Gesendet: Mittwoch, 30. November 2016 18:15
An: openid-specs-mobile-profile at lists.openid.net
Betreff: [Openid-specs-mobile-profile] [UQ API] SMS OTP requirement

Hello everybody,

   In User Questioning API draft 3, we removed the Terminated-by-Client flow that handled user interactions like SMS OTP.
   In this flow, the User receives a code to enter on the Client GUI, the client then transmit the code to the OP and the OP check if the code is correct. Note that if the code is checked by the Client, the current draft handles it.

   Within Orange, the requirement for a SMS OTP (verified by the OP) has been mentioned again.

   Have other OIF contributors been challenged for such a requirement?




Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20161201/88cc0f78/attachment-0001.html>

More information about the Openid-specs-mobile-profile mailing list