GLOBAL TELECOM INVOLVEMENT in the IDENTITY ECOSYSTEM
July 2013
SPEAKERS
David Pollington – GSMA (UK/EU)
Andrew Johnston – TELUS (CANADA)
Scott Rice – PACIFICEAST / OIX TDWG (US)
Telecom Data Working Group: Verification Trust Framework
July 2013
The Telecom Data Working Group (TDWG) founded in 2010 by AT&T, Verizon, TNSI & PacificEast
Focus: North American Telco-Centric PII/TN Verification
Framework approved March 2013.
Most members came from disbanded LIDB Forum
Contractual, not Standards
Framework focused on the “what”, not the “how”
Allowed Purposes:
• Law Enforcement
• Fraud Prevention
• Identity Verification
Forbidden Purposes:
• Updating Databases
• Marketing without clear and conspicuous consumer opt-in
Process Flow (diagram elements):
• Name, Billing Address, Telephone Number
• Certified Verification System
• Cooperating Carrier/Operators
Cooperating Carrier/Operators
Mobility
Landline
VoIP
Landline Only
Landline Only
Level of Assurance
Contractual or Transactional
Depends on verification source, contractual permission & multi-factor authentication
Commercial Implementations
Telified™
TNSVerify™
Launched: May 2013
Launched: April 2011
Neither has yet been certified
© GSMA 2013
All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy
June 2013
Mobilising Identity
Overview of the GSMA
• Founded: 1982
• Purpose: The GSMA represents the interests of the mobile industry and mobile users worldwide
• Membership: 800 network operators and 230+ companies from wider mobile ecosystem
• Mobile Identity Programme: 1 of 6 strategic programmes
To help mobile operators deliver interoperable authentication that enables consumers, business and government to transact in a private, trusted and secure environment
GSMA mIdentity programme covers 3 core areas
(diagram: Identity services + Verified identity; Authentication services; Attribute sharing; Credential assertion; Service Provider (Relying Party))
1. Portfolio of identity assertion & mgmt services
Axis: Level of assurance (Untrusted to Verified)
– Federated Identity (unverified)
– SIM Secret-PIN (mobile signature ‘lite’)
– Mobile Signature
– Federated Identity + seamless login¹
– Anonymous
¹ Seamless login provides identity assertion via MSISDN
2. Authentication services
Something I Know: Username & password (Internet)
Something I Have: Authentication (Mobile network)
Leveraging the phone to provide authentication is a natural, logical progression
(chart axes: Ease of Use / Convenience for Users; Practicality for Issuers)
Deeply inconvenient for users
Not especially secure
Easily lost
Costly to update
Not particularly user friendly
Very expensive for issuer
Easily lost
Disliked by consumers
Potentially very easy to use
Inexpensive for issuers
Remotely manageable
Harder to lose
Additional authentication factors
Something I Am
1. Behavioural profiling
– Location check (in expected country; in habitual location)
– More sophisticated behavioural profiling possible if requested/consented to by the customer
2. Biometrics
– Operator partnership with biometric suppliers (fingerprint, iris scan, voice recognition) to pre-embed functionality into mobile handsets
3. Attribute sharing & credential assertion
Various standards:
– OAuth 2.0, OpenID AX, OpenID Connect
Wide range of attributes:
– Name, alias, user ID
– DoB, gender, language, photo
– Home address, business address
– Contact details (Phone number, email, IM etc.)
– Online identifiers (LinkedIn, Facebook, Twitter etc.)
Many verified at contract registration (market dependent)
Attribute usage dependent on user consent & privacy model
Option of provisioning credentials directly into SIM either for presentation via the display or via NFC
Operators already launching identity services…
Take aways
The mobile phone has become ubiquitous, carried with you all the time…
…and is therefore an ideal extension of you and a tool for authenticating your identity
Operators exploring & delivering identity services in 3 areas:
1. Identity assertion
2. Authentication
3. Attribute/credential sharing
Through the mobile network, mobile phone and SIM, Operators can help support identity services & requirements in ways which are:
– Convenient for the user
– Cost effective for the Identity Provider and Service Provider
David Pollington
OIX Workshop:
Global Telecom and the
Identity Ecosystem
Andrew Johnston
Member of the TELUS team
Cloud Identity Summit 2013
July 8, 2013
TELUS Public
(coverage map)
(key services, technology)
Canadian operators working together
• Inter-carrier messaging: Very successful
• Location services: Good, not great
• Video-calling: Inter-operation before customer demand?
© GSMA 2010
Network APIs provide easy, quick access to carriers’ unique network assets without developers needing to undergo lengthy and costly integrations, or needing to learn each network’s intricacies.
Access to Over 22 Million Customers through a Single Set of APIs
Faster time-to-market, lower costs and broader customer base for the developer!
(diagram, two panels)
Old State: Many Integrations Required
– Fragmented, with many integrations required
– Separate APIs per carrier: Bell Location, Bell Billing, Bell SMS; Rogers Location, Rogers Billing, Rogers SMS; TELUS Location, TELUS Billing, TELUS SMS
New State: Single Seamless Integration
– OneAPI standardized and cross-functional APIs, single integration
– Pilot Abstraction Platform
– Same carrier APIs: Bell Location, Bell Billing, Bell SMS; Rogers Location, Rogers Billing, Rogers SMS; TELUS Location, TELUS Billing, TELUS SMS
– ???
Identity for operators
• What problem are we solving?
– Clear use-cases are important
– Identity as an API enabler
• Standards are essential
– Interoperable, interchangeable technology
– OAuth 2.0, OpenID Connect
– Defined security, privacy and assurance characteristics
• Trust frameworks
– Balance incentives
– Recognize that not all participants are market equals
– Ensure all can contribute, and all can benefit