IRC log of telecom-authn on 2019-09-18
Timestamps are in UTC.
- 01:42:44 [RRSAgent]
- RRSAgent has joined #telecom-authn
- 01:42:44 [RRSAgent]
- logging to https://www.w3.org/2019/09/18-telecom-authn-irc
- 01:42:47 [dom]
- RRSAgent, make log public
- 01:47:16 [dom]
- Meeting: Authentication by Communication Network
- 01:50:53 [koalie]
- koalie has joined #telecom-authn
- 01:51:05 [koalie]
- RRSAgent, make logs public
- 01:51:09 [koalie]
- koalie has changed the topic to: https://w3c.github.io/tpac-breakouts/sessions.html
- 01:51:12 [koalie]
- koalie has left #telecom-authn
- 01:54:28 [weiler]
- weiler has joined #telecom-authn
- 01:54:44 [Zakim]
- Zakim has joined #telecom-authn
- 01:55:02 [Chunming]
- Chunming has joined #telecom-authn
- 01:56:11 [Chunming]
- Meeting: Authentication by Communication Network
- 01:56:40 [weiler]
- present+
- 01:56:57 [nmooney]
- nmooney has joined #telecom-authn
- 01:57:00 [Chunming]
- present+
- 01:57:22 [dom]
- dom has joined #telecom-authn
- 01:57:28 [disoul]
- disoul has joined #telecom-authn
- 01:57:33 [yuyin]
- yuyin has joined #telecom-authn
- 01:57:51 [cwarnier]
- cwarnier has joined #telecom-authn
- 01:59:16 [Chunming]
- [Summary: Summary:
- 01:59:16 [Chunming]
- Introduce what Telecom Authentication is, and introduce the security risks and solutions of Telecom Authentication, especially when using WEB, instead of client, to authenticate.]
- 01:59:30 [Chunming]
- https://w3c.github.io/tpac-breakouts/sessions.html#telecom-authn
- 02:00:43 [Chunming]
- Jiaqiang: Introduce myself, I am from security team of Chinamobile, with my college chenjun
- 02:00:47 [weiler]
- jIa: I'm from the China Mobile security team.
- 02:00:55 [Chunming]
- ... we come from operators
- 02:01:22 [Chunming]
- ... [slide 1]
- 02:01:45 [weiler]
- [slide: background: "mobile number is userID in most APPs"]
- 02:01:57 [Chunming]
- ... telcom authentication: the mobile phone number is the userID in most APPs in china.
- 02:02:58 [lilin]
- lilin has joined #telecom-authn
- 02:03:15 [hyojin]
- hyojin has joined #telecom-authn
- 02:03:17 [xfq]
- xfq has joined #telecom-authn
- 02:03:20 [weiler]
- Gerhard: phone is not used for login, but when strong auth - 2FA - is needed, phone number is used as "thing you have", so this will let us get rid of SMS-OTP and prevent SIM-swap fraud.
- 02:03:25 [weiler]
- ... interested to see a std soln. this is still useful.
- 02:04:10 [xueyuan]
- xueyuan has joined #telecom-authn
- 02:04:16 [weiler]
- [slide: problem solved: hard user acquisition caused by complex registration, 2) mgmt burden from multiple mlogin methods 3) security risks of pw dilvuge]
- 02:04:44 [Chunming]
- Jiaqiang: we want to delivery the "one-click-login"
- 02:05:05 [Chunming]
- ... [slide 2: Process of Telecom Authetication]
- 02:05:43 [dsinger]
- dsinger has joined #telecom-authn
- 02:05:48 [weiler]
- [there's a pre-comm phase between app and erver to decide if telecom-authn is available or not]
- 02:06:02 [xueyuan]
- s/delivery/deliver
- 02:06:39 [Chunming]
- ... pre-authentication phase: to pre-estimate whether this user could use telecom-authn or not, via a pre-authn logic
- 02:06:44 [ryosuke1224]
- ryosuke1224 has joined #telecom-authn
- 02:07:16 [Chunming]
- ... authentication phase: to formally launch the authentication and retrieve the token, with interaction with user.
- 02:07:33 [Chunming]
- ... login phase: to login with token
- 02:07:50 [Chunming]
- ... [slide 3: Scenario 1 - Auto Login]
- 02:08:13 [Chunming]
- ... the apps ascuiremobile phone numbers by communication network
- 02:08:19 [Chunming]
- ... then use the phone numbers to login
- 02:08:34 [Chunming]
- ... right now, we provide SDK to support this feature
- 02:08:54 [Chunming]
- ... it is faster, login within 3 seconds
- 02:09:12 [Chunming]
- ... it is safer, than password and login with short messages(SMS)
- 02:09:54 [Chunming]
- ... more efficient, in this scenario, you do not do the seperate registration anymore, login is integrated with registration.
- 02:10:27 [yuki-uchida]
- yuki-uchida has joined #telecom-authn
- 02:10:45 [Chunming]
- @@2: will this provide more registration information?
- 02:11:24 [Chunming]
- Jiaqiang: No. only provide mobile number in lightweight user scenario.
- 02:11:44 [Chunming]
- Sam: if the user change the operator, the history will get lost.
- 02:11:47 [jeff]
- jeff has joined #telecom-authn
- 02:11:56 [Chunming]
- Jiaqiang: (continue)
- 02:12:07 [Steven-Google]
- Steven-Google has joined #telecom-authn
- 02:12:08 [Chunming]
- ... Scenario 2, phone number checking
- 02:12:09 [wseltzer]
- wseltzer has joined #telecom-authn
- 02:12:37 [weiler]
- jiaqiang: we're workong on number protability
- 02:12:42 [Chunming]
- ... [slide 5: application status]
- 02:12:49 [weiler]
- sam: absent norber portability, this is just more user lock-in. this is user-hostile!
- 02:12:58 [xueyuan]
- zakim, make minutes
- 02:12:58 [Zakim]
- I don't understand 'make minutes', xueyuan
- 02:13:03 [Chunming]
- ... by may 2019, average active users 210 millions per day
- 02:13:11 [weiler]
- [slide: 1.16B auths/day, 210M users/day, 2600+ apps]
- 02:13:13 [Chunming]
- ... it is widely used
- 02:13:22 [xueyuan]
- rrsagent, make minutes
- 02:13:22 [RRSAgent]
- I have made the request to generate https://www.w3.org/2019/09/18-telecom-authn-minutes.html xueyuan
- 02:13:32 [xfq]
- s/protability/portability/
- 02:13:36 [Chunming]
- ... [slide: security concerns]
- 02:13:46 [xueyuan]
- s/zakim, make minutes//
- 02:13:46 [Chunming]
- ... aspect 1: XSS attack risks
- 02:14:01 [Chunming]
- ... attackers could put malicious code in website
- 02:14:16 [Chunming]
- ... the target server may return token to user
- 02:14:27 [Chunming]
- ... aspect 2: mobile hotspot security rishs
- 02:14:33 [Chunming]
- s/rishs/risks/
- 02:14:34 [xueyuan]
- rrsagent, make log public
- 02:14:47 [Chunming]
- ... in mobile hotspot cases, the token of hotspot sponsor might be leaked
- 02:15:11 [Chunming]
- ... [slide: solutions]
- 02:15:25 [Chunming]
- ... all these risks has been solved by our SDK ways now
- 02:15:44 [Chunming]
- ... SDK testifies the app id and sim card info, thus the attacker can no longer fake the user to login
- 02:15:59 [Chunming]
- ... [slide: expectations of web standardization]
- 02:16:14 [Chunming]
- ... we propose to promote a wider acceptance of telecom authentication
- 02:16:25 [Chunming]
- ... and apply the telecom authentication to the browser/server applications
- 02:16:41 [Chunming]
- ... we hope to make the telecom authn standardized in W3C
- 02:16:42 [jbarclay]
- jbarclay has joined #telecom-authn
- 02:16:47 [Chunming]
- ... to help solve the problem i just mentioned
- 02:16:55 [xfq]
- q?
- 02:16:56 [Chunming]
- q?
- 02:17:14 [tung_]
- tung_ has joined #telecom-authn
- 02:17:17 [tung_]
- tung_ has left #telecom-authn
- 02:17:21 [tung_]
- tung_ has joined #telecom-authn
- 02:17:46 [jbarclay]
- present+ James_Barclay
- 02:17:55 [tung_]
- tung_ has left #telecom-authn
- 02:17:58 [weiler]
- gerhard: are sim-swap attacks - which are often used - have you seen those?
- 02:18:02 [dsinger]
- q+ to ask how the service and operator interact to get the phone number and verify it’s authorized for this service
- 02:18:23 [weiler]
- jia: have not seen this. can't logout.
- 02:18:54 [Chunming]
- q?
- 02:19:28 [Chunming]
- Sam: if i lsot my phone, i will request a new simcard from vendor
- 02:19:45 [xueyuan]
- s/lsot/lost
- 02:19:50 [Chunming]
- s/lsot/lost/
- 02:20:12 [weiler]
- q+
- 02:23:59 [nmooney]
- q+
- 02:25:03 [weiler]
- gherardt: we have a N-hour sim-swap lockout - we won't allow access if sim has been swapped in an interval
- 02:25:09 [weiler]
- ack ds
- 02:25:09 [Zakim]
- dsinger, you wanted to ask how the service and operator interact to get the phone number and verify it’s authorized for this service
- 02:25:30 [Chunming]
- q?
- 02:25:32 [jeffh]
- jeffh has joined #telecom-authn
- 02:25:40 [Jv_]
- Jv_ has joined #telecom-authn
- 02:25:50 [jeffh]
- q?
- 02:25:56 [weiler]
- q+ jeffh
- 02:25:59 [dsinger]
- present+ david_singer
- 02:26:01 [jeffh]
- q+
- 02:26:07 [weiler]
- ack me
- 02:26:39 [dsinger]
- q+ to talk about authorization and identification
- 02:26:40 [Jv_]
- q+ relating this to payment request api
- 02:26:54 [dontcallmeDOM]
- dontcallmeDOM has joined #telecom-authn
- 02:27:04 [Chunming]
- Sam: what is the information exchanged during the Pre-authentication phase (phase 1-3)
- 02:27:34 [weiler]
- jia: [not much detail]
- 02:27:38 [Jv_]
- q+ to talk about payment request api and this
- 02:28:04 [Chunming]
- q?
- 02:28:37 [weiler]
- sam: how detailed of a spec do you?
- 02:28:41 [weiler]
- s/you/you have/
- 02:28:46 [weiler]
- jia: very detailed.
- 02:30:17 [weiler]
- gherardt: important problem
- 02:30:31 [weiler]
- @3: used for login, not payment
- 02:31:05 [dsinger]
- q?
- 02:31:07 [weiler]
- gherardt: trend is to use both something you have and something you know. this helps with the former
- 02:31:17 [weiler]
- @3: this does not replace PW; this is for login. - replacing SMS code for login.
- 02:31:23 [weiler]
- ack nm
- 02:31:42 [weiler]
- nick: people bristling at using this as primary auth. this flow is something we commonly do.
- 02:32:20 [weiler]
- ... CEO of twitter just had a sim-swap attack hit him. I'm curious re: attestation of SIM card - not just phone number.
- 02:32:38 [weiler]
- ... could this sign a claim of "here's the last time this SIM was swapped"?
- 02:32:54 [ymatsuura]
- ymatsuura has joined #telecom-authn
- 02:32:54 [weiler]
- jia: repeating: besides phone number, any other identifies?
- 02:33:08 [weiler]
- nick: any more info that can be attested to? more info might be useful.
- 02:33:17 [weiler]
- gerhardt: non-PII.
- 02:33:23 [weiler]
- ... e.g. IMSI hash
- 02:33:35 [weiler]
- sam: hash is still linkable
- 02:33:43 [weiler]
- .. linkable is still an issue
- 02:33:47 [xueyuan_]
- xueyuan_ has joined #telecom-authn
- 02:33:54 [weiler]
- nick: I'd claim linkability isn't an issue w/ the spec.
- 02:34:08 [weiler]
- ... We will have to use phone numbers to solve some problems.
- 02:34:18 [weiler]
- q?
- 02:34:19 [nmooney]
- ack me
- 02:34:41 [weiler]
- jia: maybe we could build a mechanism ... let user know IMSI number connected to other accounts.
- 02:35:08 [weiler]
- ack jeff
- 02:35:29 [weiler]
- jeffh: GSMA Mobile Connect - are you aware of it?
- 02:35:44 [weiler]
- jia: not aware of it. but engaged with GSMA.
- 02:36:07 [weiler]
- jeffh: GSMA Mobile Connect seems similar.
- 02:36:38 [weiler]
- ... verification of user is possession of phone, right?
- 02:36:39 [Chunming]
- GSMA Mobile Connect: https://www.gsma.com/identity/mobile-connect
- 02:36:41 [weiler]
- jia: yes.
- 02:36:51 [weiler]
- jeffh: what if my lock screen is turned off?
- 02:36:58 [weiler]
- jia: very dangerous.
- 02:37:26 [weiler]
- ... use this for low-value situations.
- 02:37:51 [weiler]
- jeffh: so you do step-up auth.
- 02:37:51 [Chunming]
- q?
- 02:37:51 [weiler]
- q?
- 02:38:20 [weiler]
- ... if you wanted to attack the pw problem - which isn't doesn't sound like you're doing, since you're still using PWs in other contexts.
- 02:38:39 [weiler]
- ack dsin
- 02:38:39 [Zakim]
- dsinger, you wanted to talk about authorization and identification
- 02:39:07 [weiler]
- dsinger: you're replacing a PW - proof of authorization - with identity, which is bad for privacy
- 02:39:29 [weiler]
- nick: important to separate technical means of assocaiting user with number and .... still ahve to solve that problem sometimes.
- 02:39:42 [weiler]
- dsinger: you're encouraging a lot of service to identify users. that is the problem
- 02:40:17 [weiler]
- gerhardt: I see this angle. looking at EU stds... there must ahve been an intial registration to get phone number.
- 02:40:32 [weiler]
- ... this is to confrim ownership of number already linked
- 02:40:35 [weiler]
- sam: not what I heard
- 02:41:14 [weiler]
- dsinger: if I wanted a BB acount - could create an anon acct w/ PW. they don't know it's dsinger, just someone w/ an account. if they move to this, they know the phone number and all accoutns everywhere associated.
- 02:41:30 [weiler]
- q?
- 02:41:42 [Chunming]
- s/ahve been/have been/
- 02:41:46 [weiler]
- gerhardt: I'm thinking from lens of a finacial instituion w/ KYC requiremetns
- 02:41:50 [weiler]
- ack JV
- 02:41:50 [Zakim]
- Jv_, you wanted to talk about payment request api and this
- 02:42:38 [weiler]
- @4: universal authen. probably don't need to associate access rights w/ ID. but as extension for imission-critical apps, people dont' want to create new acct.
- 02:43:07 [weiler]
- ... they're going to provide identity anyway, this is ok. for other scenarios - social networks - you have some other options. they are trying to provide a new option for mission cirital apps.
- 02:43:18 [weiler]
- dsinger: @7
- 02:43:38 [weiler]
- jia: please look at animation again.
- 02:43:54 [weiler]
- talk about payment request api and this
- 02:44:09 [weiler]
- s/talk about payment request api and this//
- 02:44:11 [lilin]
- Mobile Connect Platforms and Operations services, mobile connnect SDK, https://www.gsma.com/identity/wp-content/uploads/2019/03/mc_mwc_platforms_booklet2_web_02_19-1.pdf
- 02:44:12 [weiler]
- q+ jv to talk about payment request api and this
- 02:44:18 [weiler]
- ack jv
- 02:44:18 [Zakim]
- jv, you wanted to talk about payment request api and this
- 02:44:32 [dsinger]
- there are probably ways to set it up such that the service and the MNO set up service-specific identifiers, such that the service is NOT given the phone-number, but something that can’t be correlated with a specific person and their uses of other services.
- 02:45:05 [weiler]
- jv: webpayments WG, payment req API; this is useful: get phone umber - send to bank - they send a code - web browser can pick it up....
- 02:45:25 [Chunming]
- s/phone umber/phone number/
- 02:45:30 [weiler]
- gerhardt: I'd go past this - if you can passively verify - bank has phone # - can we in background attest to it - pass token to bank to validate token - don't need sms
- 02:45:49 [weiler]
- ... use this in a assive way w/o user involvement.
- 02:45:50 [weiler]
- q+
- 02:46:05 [weiler]
- ... bank can say I expect this from this number, is it from there?
- 02:46:26 [weiler]
- dsinger: @8
- 02:46:38 [weiler]
- jv: big problem in payment request is how to auth user in few steps.
- 02:47:21 [weiler]
- ack me
- 02:48:09 [Chunming]
- q?
- 02:48:11 [weiler]
- me: this is intertwining identity ... you might need only to AUTHORIZE a user, not identify them
- 02:48:15 [weiler]
- s/me/sam/
- 02:48:30 [weiler]
- sam: why does this take 3 secs?
- 02:48:30 [sss]
- sss has joined #telecom-authn
- 02:48:36 [weiler]
- ... that seems slow.
- 02:48:42 [weiler]
- jia: haven't heard that Q before.
- 02:48:55 [weiler]
- ... my colleague says 1 sec.
- 02:50:46 [Chunming]
- sam: security concern aspect 2, how do you avoid sending to the wrong party
- 02:51:31 [weiler]
- jia: we switch to mobile network?
- 02:51:33 [Chunming]
- ... are we trusting the whole network?
- 02:51:54 [Chunming]
- q+
- 02:56:09 [weiler]
- gerhardt: to nick's point, this is a real point that we want to solve... having a way to attest to a phone number.. browser agent has the ability to swap to LTE/3G not just 802.11. has ability to make call to mobile network operatro. many orgs around this world will want to o this. right aporach: not sure. but worthwhile for w3c to explore solving. this is a tough problem to solve. solving it in a goodway.
- 02:56:15 [weiler]
- ... is good for the net.
- 02:56:15 [JUN]
- JUN has joined #telecom-authn
- 02:56:26 [dsinger]
- q+ to comment on the problem
- 02:56:36 [weiler]
- JV: would have to be in collaboration w/ GSMA. in payments, working w/ fida and emvco. gsma has a role to pay.
- 02:57:24 [weiler]
- dsinger; I'm coming across as negative, but I'm more negative about PWs.
- 02:57:35 [weiler]
- ... not sure w3c should be doing mobile.
- 02:58:05 [dsinger]
- s/mobile/a solution that is specific to (only) mobile/
- 02:58:05 [weiler]
- gerhardt: US has new protocol to prevent spam/robot calls. maybe shaken/stir fits in?
- 02:58:09 [weiler]
- ack ch
- 02:58:12 [dsinger]
- q-
- 02:58:30 [weiler]
- chunming: if we have many fixes to soln, how to we integrate this into webauthn framework?
- 02:58:54 [weiler]
- gerhardt: web authn tests for the person - that there is a person present. and that a biometric cred is presented
- 02:59:45 [weiler]
- sam: disagree with you again. Webauthn is more about user.
- 03:00:05 [weiler]
- s/user/device/
- 03:01:38 [weiler]
- jia: maybe youre device and PW are not safe... cannot say PW must be safer than device - both PW and device are auth
- 03:03:21 [weiler]
- sam: how does this compare to building a webauthn device into aphone?
- 03:03:44 [weiler]
- gerhardt: we have this more for registration - not the day-to-day auth. want number at start, for registry.
- 03:04:51 [xueyuan]
- Rrsagent, make minutes
- 03:04:51 [RRSAgent]
- I have made the request to generate https://www.w3.org/2019/09/18-telecom-authn-minutes.html xueyuan
- 03:35:06 [dsinger]
- dsinger has joined #telecom-authn
- 04:15:21 [nmooney]
- nmooney has joined #telecom-authn
- 04:21:11 [dsinger]
- dsinger has joined #telecom-authn
- 04:29:39 [dontcallmeDOM]
- dontcallmeDOM has joined #telecom-authn
- 04:30:14 [dsinger]
- dsinger has joined #telecom-authn
- 04:32:56 [dsinger]
- dsinger has left #telecom-authn
- 04:33:42 [Chunming]
- Chunming has joined #telecom-authn
- 04:36:36 [nmooney]
- nmooney has left #telecom-authn
- 04:39:18 [xfq]
- xfq has joined #telecom-authn
- 04:39:33 [xfq]
- xfq has left #telecom-authn
- 04:44:14 [dom]
- dom has left #telecom-authn
- 05:22:15 [Zakim]
- Zakim has left #telecom-authn
- 07:12:18 [Chunming]
- Chunming has joined #telecom-authn
- 07:52:00 [jbarclay]
- jbarclay has joined #telecom-authn
- 07:53:31 [jbarclay]
- jbarclay has joined #telecom-authn
- 08:00:46 [Chunming]
- Chunming has joined #telecom-authn
- 09:09:15 [Chunming]
- Chunming has joined #telecom-authn
- 09:24:32 [hyojin]
- hyojin has left #telecom-authn