
GLOBAL TELECOM INVOLVEMENT in the IDENTITY ECOSYSTEM
July 2013

SPEAKERS
David Pollington, GSMA (UK/EU)
Andrew Johnston, TELUS (CANADA)
Scott Rice, PACIFICEAST / OIX TDWG (US)

Telecom Data Working Group: Verification Trust Framework
July 2013

The Telecom Data Working Group (TDWG) founded in 2010 by AT&T, Verizon, TNSI & PacificEast
Focus: North American Telco-Centric PII/TN Verification
Framework approved March 2013.
Most members came from disbanded LIDB Forum
Contractual, not Standards
Framework focused on the what, not the how

Allowed Purposes:
Law Enforcement
Fraud Prevention
Identity Verification
Forbidden Purposes:
Updating Databases
Marketing without clear and conspicuous consumer opt-in

Process Flow:
(diagram: Name, Billing Address, Telephone Number; Certified Verification System; Cooperating Carrier/Operators)

Cooperating Carrier/Operators
Mobility
Landline
VoIP
Landline Only
Landline Only

Level of Assurance
Contractual or Transactional
Depends on verification source, contractual permission & multi-factor authentication

Commercial Implementations
Telified
TNSVerify
Neither has yet been certified
Launched: May 2013
Launched: April 2011

GSMA 2013
All GSMA meetings are conducted in full compliance with the GSMA's anti-trust compliance policy
June 2013
Mobilising Identity
Overview of the GSMA
Founded: 1982
Purpose: The GSMA represents the interests of the mobile industry and mobile users worldwide
Membership: 800 network operators and 230+ companies from wider mobile ecosystem

Mobile Identity Programme: 1 of 6 strategic programmes
To help mobile operators deliver interoperable authentication that enables consumers, business and government to transact in a private, trusted and secure environment

GSMA mIdentity programme covers 3 core areas
(diagram labels: 1, 2, 3; Authentication services; Identity services + Verified identity; Attribute sharing; Credential assertion; Service Provider (Relying Party))

1. Portfolio of identity assertion & mgmt services
(diagram: axis labels Untrusted, Verified, Level of assurance; services shown: Federated Identity (unverified), SIM Secret-PIN (mobile signature lite), Mobile Signature, Federated Identity + seamless login [1], Anonymous)
[1] Seamless login provides identity assertion via MSISDN

2. Authentication services
(diagram labels: Internet; Mobile network; Username & password; Authentication; Something I Know; Something I Have)

Leveraging the phone to provide authentication is a natural, logical progression
(chart axes: Ease of Use / Convenience for Users; Practicality for Issuers)
Deeply inconvenient for users
Not especially secure
Easily lost
Costly to update

Not particularly user friendly
Very expensive for issuer
Easily lost
Disliked by consumers
Potentially very easy to use
Inexpensive for issuers
Remotely manageable
Harder to lose

Additional authentication factors
Something I Am

1. Behavioural profiling
Location check (in expected country; in habitual location)
More sophisticated behavioural profiling possible if requested/consented to by the customer

2. Biometrics
Operator partnership with biometric suppliers (fingerprint, iris scan, voice recognition) to pre-embed functionality into mobile handsets

3. Attribute sharing & credential assertion

Various standards:
OAuth 2.0, OpenID AX, OpenID Connect

Wide range of attributes:
Name, alias, user ID
DoB, gender, language, photo
Home address, business address
Contact details (Phone number, email, IM etc.)
Online identifiers (LinkedIn, Facebook, Twitter etc.)
Many verified at contract registration (market dependent)
Attribute usage dependent on user consent & privacy model

Option of provisioning credentials directly into SIM either for presentation via the display or via NFC
Operators already launching identity services
Take aways
The mobile phone has become ubiquitous, carried with you all the time and is therefore an ideal extension of you and a tool for authenticating your identity

Operators exploring & delivering identity services in 3 areas:
1. Identity assertion
2. Authentication
3. Attribute/credential sharing

Through the mobile network, mobile phone and SIM, Operators can help support identity services & requirements in ways which are:
Convenient for the user
Cost effective for the Identity Provider and Service Provider

David Pollington
dpollington@gsma.com

OIX Workshop: Global Telecom and the Identity Ecosystem
Andrew Johnston
Member of the TELUS team
Cloud Identity Summit 2013
July 8, 2013
TELUS Public
(coverage map)
(key services, technology)

Canadian operators working together
Inter-carrier messaging: Very successful
Location services: Good, not great
Video-calling: Inter-operation before customer demand?

GSMA 2010
Network APIs provide easy, quick access to carriers' unique network assets without developers needing to undergo lengthy and costly integrations, or needing to learn each network's intricacies.
Access to Over 22 Million Customers through a Single Set of APIs
Faster time-to-market, lower costs and broader customer base for the developer!
Old State: Many Integrations Required
New State: Single Seamless Integration
(diagram boxes shown in both states: Bell Location, Rogers Billing, Rogers SMS, Bell SMS, TELUS Billing, Bell Billing, Rogers Location, TELUS Location, TELUS SMS)
OneAPI standardized and cross-functional APIs, single integration
Pilot Abstraction Platform
Fragmented, with many integrations required
???

Identity for operators
What problem are we solving?
Clear use-cases are important
Identity as an API enabler
Standards are essential
Interoperable, interchangeable technology
OAuth 2.0, OpenID Connect
Defined security, privacy and assurance characteristics
Trust frameworks
Balance incentives
Recognize that not all participants are market equals
Ensure all can contribute, and all can benefit
Thanks!
andrew.johnston@telus.com
