01:42:44 RRSAgent has joined #telecom-authn
01:42:44 logging to https://www.w3.org/2019/09/18-telecom-authn-irc
01:42:47 RRSAgent, make log public
01:47:16 Meeting: Authentication by Communication Network
01:50:53 koalie has joined #telecom-authn
01:51:05 RRSAgent, make logs public
01:51:09 koalie has changed the topic to: https://w3c.github.io/tpac-breakouts/sessions.html
01:51:12 koalie has left #telecom-authn
01:54:28 weiler has joined #telecom-authn
01:54:44 Zakim has joined #telecom-authn
01:55:02 Chunming has joined #telecom-authn
01:56:11 Meeting: Authentication by Communication Network
01:56:40 present+
01:56:57 nmooney has joined #telecom-authn
01:57:00 present+
01:57:22 dom has joined #telecom-authn
01:57:28 disoul has joined #telecom-authn
01:57:33 yuyin has joined #telecom-authn
01:57:51 cwarnier has joined #telecom-authn
01:59:16 [Summary: Introduce what Telecom Authentication is, and introduce the security risks and solutions of Telecom Authentication, especially when using the Web, instead of a client, to authenticate.]
01:59:30 https://w3c.github.io/tpac-breakouts/sessions.html#telecom-authn
02:00:43 Jiaqiang: Introduce myself, I am from the security team of China Mobile, with my colleague chenjun
02:00:47 jia: I'm from the China Mobile security team.
02:00:55 ... we come from operators
02:01:22 ... [slide 1]
02:01:45 [slide: background: "mobile number is userID in most APPs"]
02:01:57 ... telecom authentication: the mobile phone number is the userID in most APPs in China.
02:02:58 lilin has joined #telecom-authn
02:03:15 hyojin has joined #telecom-authn
02:03:17 xfq has joined #telecom-authn
02:03:20 Gerhard: phone is not used for login, but when strong auth - 2FA - is needed, phone number is used as "thing you have", so this will let us get rid of SMS-OTP and prevent SIM-swap fraud.
02:03:25 ... interested to see a std soln. this is still useful.
02:04:10 xueyuan has joined #telecom-authn
02:04:16 [slide: problems solved: 1) hard user acquisition caused by complex registration, 2) mgmt burden from multiple login methods, 3) security risks of pw divulgence]
02:04:44 Jiaqiang: we want to deliver the "one-click-login"
02:05:05 ... [slide 2: Process of Telecom Authentication]
02:05:43 dsinger has joined #telecom-authn
02:05:48 [there's a pre-comm phase between app and server to decide if telecom-authn is available or not]
02:06:39 ... pre-authentication phase: to pre-estimate whether this user could use telecom-authn or not, via a pre-authn logic
02:06:44 ryosuke1224 has joined #telecom-authn
02:07:16 ... authentication phase: to formally launch the authentication and retrieve the token, with interaction with the user.
02:07:33 ... login phase: to login with the token
02:07:50 ... [slide 3: Scenario 1 - Auto Login]
02:08:13 ... the apps acquire mobile phone numbers by communication network
02:08:19 ... then use the phone numbers to login
02:08:34 ... right now, we provide an SDK to support this feature
02:08:54 ... it is faster, login within 3 seconds
02:09:12 ... it is safer than password and login with short messages (SMS)
02:09:54 ... more efficient, in this scenario, you do not do the separate registration anymore, login is integrated with registration.
02:10:27 yuki-uchida has joined #telecom-authn
02:10:45 @@2: will this provide more registration information?
02:11:24 Jiaqiang: No. only provide mobile number in lightweight user scenario.
02:11:44 Sam: if the user changes the operator, the history will get lost.
02:11:47 jeff has joined #telecom-authn
02:11:56 Jiaqiang: (continue)
02:12:07 Steven-Google has joined #telecom-authn
02:12:08 ... Scenario 2, phone number checking
02:12:09 wseltzer has joined #telecom-authn
02:12:37 jiaqiang: we're working on number portability
02:12:42 ... [slide 5: application status]
02:12:49 sam: absent number portability, this is just more user lock-in. this is user-hostile!
02:13:03 ... by May 2019, average active users 210 million per day
02:13:11 [slide: 1.16B auths/day, 210M users/day, 2600+ apps]
02:13:13 ... it is widely used
02:13:22 rrsagent, make minutes
02:13:22 I have made the request to generate https://www.w3.org/2019/09/18-telecom-authn-minutes.html xueyuan
02:13:36 ... [slide: security concerns]
02:13:46 ... aspect 1: XSS attack risks
02:14:01 ... attackers could put malicious code in a website
02:14:16 ... the target server may return the token to the user
02:14:27 ... aspect 2: mobile hotspot security risks
02:14:34 rrsagent, make log public
02:14:47 ... in mobile hotspot cases, the token of the hotspot sponsor might be leaked
02:15:11 ... [slide: solutions]
02:15:25 ... all these risks have been solved by our SDK now
02:15:44 ... SDK testifies the app id and sim card info, thus the attacker can no longer fake the user to login
02:15:59 ... [slide: expectations of web standardization]
02:16:14 ... we propose to promote a wider acceptance of telecom authentication
02:16:25 ... and apply the telecom authentication to browser/server applications
02:16:41 ... we hope to make the telecom authn standardized in W3C
02:16:42 jbarclay has joined #telecom-authn
02:16:47 ... to help solve the problem I just mentioned
02:16:55 q?
02:16:56 q?
02:17:14 tung_ has joined #telecom-authn
02:17:17 tung_ has left #telecom-authn
02:17:21 tung_ has joined #telecom-authn
02:17:46 present+ James_Barclay
02:17:55 tung_ has left #telecom-authn
02:17:58 gerhard: sim-swap attacks - which are often used - have you seen those?
02:18:02 q+ to ask how the service and operator interact to get the phone number and verify it's authorized for this service
02:18:23 jia: have not seen this. can't logout.
02:18:54 q?
02:19:28 Sam: if I lost my phone, I will request a new simcard from the vendor
02:20:12 q+
02:23:59 q+
02:25:03 gherardt: we have an N-hour sim-swap lockout - we won't allow access if the sim has been swapped in an interval
02:25:09 ack ds
02:25:09 dsinger, you wanted to ask how the service and operator interact to get the phone number and verify it's authorized for this service
02:25:30 q?
02:25:32 jeffh has joined #telecom-authn
02:25:40 Jv_ has joined #telecom-authn
02:25:50 q?
02:25:56 q+ jeffh
02:25:59 present+ david_singer
02:26:01 q+
02:26:07 ack me
02:26:39 q+ to talk about authorization and identification
02:26:40 q+ relating this to payment request api
02:26:54 dontcallmeDOM has joined #telecom-authn
02:27:04 Sam: what is the information exchanged during the pre-authentication phase (phase 1-3)?
02:27:34 jia: [not much detail]
02:27:38 q+ to talk about payment request api and this
02:28:04 q?
02:28:37 sam: how detailed of a spec do you have?
02:28:46 jia: very detailed.
02:30:17 gherardt: important problem
02:30:31 @3: used for login, not payment
02:31:05 q?
02:31:07 gherardt: trend is to use both something you have and something you know. this helps with the former
02:31:17 @3: this does not replace PW; this is for login - replacing SMS code for login.
02:31:23 ack nm
02:31:42 nick: people bristling at using this as primary auth. this flow is something we commonly do.
02:32:20 ... CEO of Twitter just had a sim-swap attack hit him. I'm curious re: attestation of SIM card - not just phone number.
02:32:38 ... could this sign a claim of "here's the last time this SIM was swapped"?
02:32:54 ymatsuura has joined #telecom-authn
02:32:54 jia: repeating: besides phone number, any other identifiers?
02:33:08 nick: any more info that can be attested to? more info might be useful.
02:33:17 gerhardt: non-PII.
02:33:23 ... e.g. IMSI hash
02:33:35 sam: hash is still linkable
02:33:43 ... linkable is still an issue
02:33:47 xueyuan_ has joined #telecom-authn
02:33:54 nick: I'd claim linkability isn't an issue w/ the spec.
02:34:08 ... We will have to use phone numbers to solve some problems.
02:34:18 q?
02:34:19 ack me
02:34:41 jia: maybe we could build a mechanism ... let the user know the IMSI number is connected to other accounts.
02:35:08 ack jeff
02:35:29 jeffh: GSMA Mobile Connect - are you aware of it?
02:35:44 jia: not aware of it. but engaged with GSMA.
02:36:07 jeffh: GSMA Mobile Connect seems similar.
02:36:38 ... verification of user is possession of phone, right?
02:36:39 GSMA Mobile Connect: https://www.gsma.com/identity/mobile-connect
02:36:41 jia: yes.
02:36:51 jeffh: what if my lock screen is turned off?
02:36:58 jia: very dangerous.
02:37:26 ... use this for low-value situations.
02:37:51 jeffh: so you do step-up auth.
02:37:51 q?
02:37:51 q?
02:38:20 ... if you wanted to attack the pw problem - which doesn't sound like you're doing, since you're still using PWs in other contexts.
02:38:39 ack dsin
02:38:39 dsinger, you wanted to talk about authorization and identification
02:39:07 dsinger: you're replacing a PW - proof of authorization - with identity, which is bad for privacy
02:39:29 nick: important to separate technical means of associating user with number and .... still have to solve that problem sometimes.
02:39:42 dsinger: you're encouraging a lot of services to identify users. that is the problem
02:40:17 gerhardt: I see this angle. looking at EU stds... there must have been an initial registration to get the phone number.
02:40:32 ... this is to confirm ownership of a number already linked
02:40:35 sam: not what I heard
02:41:14 dsinger: if I wanted a BB account - could create an anon acct w/ PW. they don't know it's dsinger, just someone w/ an account. if they move to this, they know the phone number and all accounts everywhere associated.
02:41:30 q?
02:41:46 gerhardt: I'm thinking from the lens of a financial institution w/ KYC requirements
02:41:50 ack JV
02:41:50 Jv_, you wanted to talk about payment request api and this
02:42:38 @4: universal authen. probably don't need to associate access rights w/ ID. but as an extension for mission-critical apps, people don't want to create a new acct.
02:43:07 ... they're going to provide identity anyway, this is ok. for other scenarios - social networks - you have some other options. they are trying to provide a new option for mission-critical apps.
02:43:18 dsinger: @7
02:43:38 jia: please look at the animation again.
02:44:11 Mobile Connect Platforms and Operations services, mobile connect SDK, https://www.gsma.com/identity/wp-content/uploads/2019/03/mc_mwc_platforms_booklet2_web_02_19-1.pdf
02:44:12 q+ jv to talk about payment request api and this
02:44:18 ack jv
02:44:18 jv, you wanted to talk about payment request api and this
02:44:32 there are probably ways to set it up such that the service and the MNO set up service-specific identifiers, such that the service is NOT given the phone number, but something that can't be correlated with a specific person and their uses of other services.
02:45:05 jv: webpayments WG, payment req API; this is useful: get phone number - send to bank - they send a code - web browser can pick it up....
02:45:30 gerhardt: I'd go past this - if you can passively verify - bank has phone # - can we in background attest to it - pass token to bank to validate token - don't need sms
02:45:49 ... use this in a passive way w/o user involvement.
02:45:50 q+
02:46:05 ... bank can say I expect this from this number, is it from there?
02:46:26 dsinger: @8
02:46:38 jv: big problem in payment request is how to auth the user in few steps.
02:47:21 ack me
02:48:09 q?
02:48:11 sam: this is intertwining identity ... you might need only to AUTHORIZE a user, not identify them
02:48:30 sam: why does this take 3 secs?
02:48:30 sss has joined #telecom-authn
02:48:36 ... that seems slow.
02:48:42 jia: haven't heard that Q before.
02:48:55 ... my colleague says 1 sec.
02:50:46 sam: security concern aspect 2, how do you avoid sending to the wrong party?
02:51:31 jia: we switch to mobile network?
02:51:33 ... are we trusting the whole network?
02:51:54 q+
02:56:09 gerhardt: to nick's point, this is a real point that we want to solve... having a way to attest to a phone number. browser agent has the ability to swap to LTE/3G not just 802.11. has ability to make call to mobile network operator. many orgs around this world will want to do this. right approach: not sure. but worthwhile for w3c to explore solving. this is a tough problem to solve. solving it in a good way
02:56:15 ... is good for the net.
02:56:15 JUN has joined #telecom-authn
02:56:26 q+ to comment on the problem
02:56:36 JV: would have to be in collaboration w/ GSMA. in payments, working w/ FIDO and EMVCo. GSMA has a role to play.
02:57:24 dsinger: I'm coming across as negative, but I'm more negative about PWs.
02:57:35 ... not sure w3c should be doing a solution that is specific to (only) mobile.
02:58:05 gerhardt: US has a new protocol to prevent spam/robot calls. maybe SHAKEN/STIR fits in?
02:58:09 ack ch
02:58:12 q-
02:58:30 chunming: if we have many fixes to the soln, how do we integrate this into the webauthn framework?
02:58:54 gerhardt: webauthn tests for the person - that there is a person present. and that a biometric cred is presented
02:59:45 sam: disagree with you again. Webauthn is more about device.
03:01:38 jia: maybe your device and PW are not safe... cannot say PW must be safer than device - both PW and device are auth
03:03:21 sam: how does this compare to building a webauthn device into a phone?
03:03:44 gerhardt: we have this more for registration - not the day-to-day auth. want number at start, for registry.
03:04:51 Rrsagent, make minutes
03:04:51 I have made the request to generate https://www.w3.org/2019/09/18-telecom-authn-minutes.html xueyuan
03:35:06 dsinger has joined #telecom-authn
04:15:21 nmooney has joined #telecom-authn
04:21:11 dsinger has joined #telecom-authn
04:29:39 dontcallmeDOM has joined #telecom-authn
04:30:14 dsinger has joined #telecom-authn
04:32:56 dsinger has left #telecom-authn
04:33:42 Chunming has joined #telecom-authn
04:36:36 nmooney has left #telecom-authn
04:39:18 xfq has joined #telecom-authn
04:39:33 xfq has left #telecom-authn
04:44:14 dom has left #telecom-authn
05:22:15 Zakim has left #telecom-authn
07:12:18 Chunming has joined #telecom-authn
07:52:00 jbarclay has joined #telecom-authn
07:53:31 jbarclay has joined #telecom-authn
08:00:46 Chunming has joined #telecom-authn
09:09:15 Chunming has joined #telecom-authn
09:24:32 hyojin has left #telecom-authn