[Openid-specs-mobile-profile] Authentication for the Backchannel and User questioning
GONZALO FERNANDEZ RODRIGUEZ
gonzalo.fernandezrodriguez at telefonica.com
Sun May 14 08:49:54 UTC 2017
Telefónica implements the SIM authenticator through the so-called MSSP (Mobile Signature Subscriber Provider) Server, when the AuthServer receives the request to authenticate the user and once it knows the user’s MSISDN, it makes a call to our MSSP Server which builts a binary Class 2 SMS that is sent directly to the SIM card of the user where the applet is located, this SMS contains the text to be displayed signed by the MSSP with the same key that the applet has (each SIMCard has one different), then the applet displays a popup (using native the mobile phone native interface) and depending of the level of assurance the applet asks the user Yes/No or prompts him to introduce a Pin Code previously stored in the applet, if the response is Yes or the Pin Code is correct the applet sends an OK to the MSSP Server, otherwise it sends an NOK. Every message between MSSP Server and the applet (and viceversa) are signed.
This applet could be preinstalled in the SIMCard or could be installed via the MNO OTA.
However, I am a little confusing, because the CIBA flow is not tied to any specific kind of authenticator. There is no problem for me to include a reference to this class of authenticator, but which is the idea is to recommend this kind of authenticators and other that are similarly secures? or even constraint CIBA to be used only with some specific authenticators?
Please let me know everything you want to know or clarify.
From: Openid-specs-mobile-profile <openid-specs-mobile-profile-bounces at lists.openid.net> on behalf of Nat Sakimura <n-sakimura at nri.co.jp>
Date: Friday, 12 May 2017 at 07:31
To: "openid-specs-mobile-profile at lists.openid.net" <openid-specs-mobile-profile at lists.openid.net>
Subject: [Openid-specs-mobile-profile] Authentication for the Backchannel and User questioning
If I remember correctly, I thought there was a talk in one of the meeting that for CIBA etc. class 3 SMS is being used to kick authenticator or something. I was expecting to read them in CIBA and User questioning on this, but there is nothing there.
In the practice, what kind of implementation is being imagined?
PLEASE READ :This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender and delete this e-mail.
Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-mobile-profile