Page 21 - Implementation of Secure Authentication Technologies for Digital Financial Services

Figure 6 – Mobile Connect Portfolio of Services

[Figure: four service columns. Authentication ("Simple and globally ubiquitous log-in or step-up authentication"): Authenticate, Authenticate plus. Authorisation ("User authorisation of SP requests"): Authenticate, Authenticate plus. Identity ("Provision or verification of user identity"): Phone number verified, National ID, KYC match, Sign-up. Network Attributes ("Insights about the device and user's mobile account"): Account takeover protection, MSISDN.]
Mobile Connect uses a distributed architecture in which each Mobile Operator deploys Mobile Connect services for its particular user base, but with all deployments abiding by a strict set of technical standards to ensure that, from a Service Provider's perspective, the experience of consuming Mobile Connect services from any of the Mobile Operators is consistent.

Mobile Connect is based upon the OpenID Connect (OIDC) protocol, which provides an identity layer on top of the OAuth 2.0 protocol. It allows Users to be identified by their MSISDN (or a related Pseudonymous Customer Reference) and to be authenticated securely via their mobile device, with the SIM providing security. Mobile Connect defines two profiles of OIDC to support Device-Initiated and Server-Initiated requests for authentication, authorisation or permissioned access to User attributes.

The serving Mobile Operator supports and selects an appropriate authenticator to present the authentication and authorisation requests to the user on their mobile device, to which the user responds. The authenticator may also be used to seek user consent for the serving operator to share or validate user attributes with the Service Provider. The authenticator is selected based on operator policy, device capability and the Level of Assurance required.

Mobile Connect authentication factors and insights include:

• Possession-based (Something I Have); the possession of the mobile device by the user. This is the first factor used in Mobile Connect Authentication.
• Knowledge/secrecy-based (Something I Know); for example, PIN/Personal Code.
• Active Inherence (Something I Am); for example, biometrics: fingerprints, iris scan, facial biometrics.
• Passive Inherence (Something the Network Knows); mobile network-based inherence elements, such as usual cell sites (can also be used as "something the user does"), available to the mobile operator. This separation between device and network is vital to fighting fraud and establishing ownership of the device.
• Contextual (Something I Do); for example, supplementing the device-based authentication with network-based insights to create a more robust multi-factor authentication mechanism (such as pairing status between IMSI, IMEI and MSISDN).

Mobile Connect levels of assurance are a guide to the degree of confidence in an authentication process. As a critical element within the Mobile Connect ecosystem, the Mobile Connect levels of assurance are used in the Mobile Connect API (OpenID Connect), in the cryptographically-signed Identity Token sent as an authentication proof to the Service Provider, in the authenticator-selection policy and also in the Mobile Connect product-enablement policy.













