Introduction to T-Mobile ID Identity Vision for T-Mobile Michael Engan

Upload: phungngoc

Post on 27-Apr-2018


TRANSCRIPT

Introduction to T-Mobile ID Identity Vision for T-Mobile

Michael Engan

Agenda

• Background

• Why an identity project

• What is going on with identity in the industry

• T-Mobile ID

• Technical details

• Architecture

• Device agent call flows

• How to integrate

• Screen shots

No one likes the status quo

Passwords Are Broken


• 6 out of 10 people re-use their passwords

Consumer website study key findings:

– 55% still accept notoriously weak passwords such as “123456” or “password”

– 51% make no attempt to block entry after 10 incorrect password entries (including Amazon, Dell, Best Buy, Macy’s and Williams-Sonoma)

– 64% have highly questionable password practices

– 61% do not provide any advice on how to create a strong password during signup, and 93% do not provide an on-screen password strength assessment

– Only 10% scored above the threshold for good password policies

– 8 sites, including Toys “R” Us, J.Crew and 1-800-Flowers.com, send passwords in plain text via email

A single account, a growing ecosystem

Multi Screen Strategy: Tablets, PCs, TVs, Internet devices, Phones, Smart cars

Multi Brand

Multi Line

Login

• New “User account” (login with email)

• User consented access to their profile (“T-Mobile Connect”)

T-Mobile ID: Project and User Experience

IAM: Platform (Identity and Access Management)

Core Concepts and Features

• “User” not “Line”

– Login with email, username, phone number

– Stays with the user even if they cancel their phone line

– Register a phone line to a user

• User consents

– Exposure (profile, line, location, ...)

– Access: approve access to bill

• Services and access specific, not open ended

– Applications have access only to the user present, for the data users have granted

– Core, Branded, Sponsored

• Any device, anywhere, for anyone

– Over the top integration

– Future connection to SIM authentication

• A TMUS account, not a My.T-Mobile account

– Applicable to multi brands

– Integration across carriers

• Users can create their account from anywhere

– On device, in app, in store, on web, or from purchasing portal

– Users can help themselves (create, access, manage)

• Central authentication & authorization

– Built on standards, and easy to integrate

• Device Agent and libraries for developers

Something I know + Something I have + Something I am

High Level Targeted Roadmap

• Alpha release (June)

– Login with phone number

• Beta release (Q3)

– Login with Email

• Login with Social, Client Pre-loads (TBD)

• Mobile Connect, Cross carrier interop (TBD)

• Initial Testing release

• Slow roll out of new services

• Various T-Mobile services over 2014

– My.T-Mobile.com

– MyAccount

– On Device Apps

• Deeper penetration across 2015


T-Mobile ID

High level Design

[Diagram: App, Browser, IAM]

• User loads application

• User browser redirected to T-Mobile ID to authenticate with OAuth 2.0 authentication parameters

• User interacts with authentication (Login, Consent, Create, Forgot, ...)

• Redirection back to application with Authentication Cookie & Authentication Code

[Diagram: IAM internal interfaces: Auth, Token, Profile, Refresh, validation, Care LDAP]

• Application converts Authentication code to access token by authenticating with pre-shared secrets

• Application uses Access Token to retrieve profile elements

External

• Dashboard delivered as standalone service

• While users are encouraged to use my.T-Mobile.com, they can use account.tmus.net as a standalone location to manage the User profile elements.

[Diagram: APP, APP, APP, Account.TMUS.net]

What data can I get?

User Profile

• First name

• Last name

• Email address

• Unique T-ID

• Username

• Account Creation date

• Last login…

T-Mobile Line Profile (list of)

• Phone number

• Ban

• Permissions

• Account type

• Account status

• Operator id

• Bill cycle

• Birthday

• Zipcode

Billable MSISDN

• Phone number

Entitlements

• Dynamic Biz rules

• Premium VM?

• Days left in trial?

Scopes: Subscriber Display

• “App” is using T-Mobile ID.

• “App” is asking to access your T-Mobile ID profile.

• “App” is asking to manage your T-Mobile ID profile.

• “App” is asking for your phone number, which might be used for billing extra services.

• “App” is asking to access information about your T-Mobile account.

• “App” is asking for information about your T-Mobile services.

Applications not already approved must ask for access. 4 launch permissions:

• User profile (FN/LN/Username/email…)

• T-Mobile Line data (MSISDN, …..)

• Billable MSISDN (MSISDN only)

• Entitlements (dynamic biz rules)

T-Mobile Core Application

• Pre-approved

• Seamless

• Non-revocable

T-Mobile Sponsored Application

• Users must initially approve

T-Mobile Branded Application

• Pre-approved

• Revocable

Device Agent and Helper Library

• Standard Android service.

• Standard interfaces for clients to request tokens.

• “Sync” will be used for contact scraping and other future use cases.

Signatures

• OAuth 2.0 uses client ID and client secret to authenticate the client, and then grants the user approved access to that specific client.

• Secrets are not secure within mobile devices (or within browsers).

Therefore:

• IAM Agent will calculate the client secret based on the application signature.

• IAM Server will ensure only the IAM Agent can perform authentication for mobile apps.

IAM Device Agent

Integration Options & Best Practices

Integration Variations

• As an enabler you get to choose how your application integrates to T-Mobile ID

– Provide service, redirect to authentication only to validate what MSISDN a user has

– Provide no service until they bounce through authentication

Best practices

• Link to T-ID not phone number

• Issue short lived service tokens

• Re-authenticate when a user changes service

• Minimize your requested access

Sandwich

• First determine if the user is signed in with T-Mobile ID

– Display = none (soft authentication attempt)

• Honor the MSISDN insertion (if traffic is over the radio)

• Redirect to T-Mobile ID

– If MSISDN insertion fails, or the user requests to log in as a different user.
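The Sandwich decision combined with two of the best practices above (link to the T-ID rather than the phone number, issue short-lived service tokens), as an added example that is not from the deck or T-Mobile's libraries. The inserted-header name, the on-net address range, the signing key and the token layout are constructed assumptions; the outcome of the display=none soft attempt is passed in as soft_auth_tid.

```python
import base64, hashlib, hmac, ipaddress, json, time

# Constructed for illustration: header name, address range, key and token
# layout are assumptions, not T-Mobile's.
MSISDN_HEADER = "X-Msisdn"                         # placeholder inserted-header name
ON_NET = ipaddress.ip_network("203.0.113.0/24")    # stands in for radio egress addresses
TOKEN_TTL = 900                                    # short-lived service token (seconds)
KEY = b"constructed-demo-key"

def msisdn_from_insertion(headers, client_ip):
    """Honor the inserted MSISDN only on-net; off the radio (Wi-Fi, proxies)
    the header is client-controlled, so it is ignored rather than trusted."""
    if ipaddress.ip_address(client_ip) not in ON_NET:
        return None
    value = headers.get(MSISDN_HEADER, "")
    return value if value.isdigit() and 10 <= len(value) <= 15 else None

def issue_service_token(tid, now=None):
    """Token keyed to the T-ID (not the phone number) with a short expiry."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"tid": tid, "exp": now + TOKEN_TTL}).encode()
    sig = hmac.new(KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()

def verify_service_token(token, now=None):
    """Return the T-ID if signature and expiry check out, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, AttributeError):
        return None
    payload, sig = raw[:-32], raw[-32:]
    if not hmac.compare_digest(sig, hmac.new(KEY, payload, hashlib.sha256).digest()):
        return None
    claims = json.loads(payload)
    now = int(time.time() if now is None else now)
    return claims["tid"] if claims["exp"] > now else None

def sandwich(request):
    """Constructed request dict: soft_auth_tid (outcome of the display=none
    attempt, or None), headers, client_ip, switch_user, now."""
    if request.get("switch_user"):            # user wants to log in as someone else
        return {"action": "redirect"}
    if request.get("soft_auth_tid"):          # existing T-Mobile ID session found
        token = issue_service_token(request["soft_auth_tid"], request.get("now"))
        return {"action": "serve", "service_token": token}
    msisdn = msisdn_from_insertion(request.get("headers", {}), request["client_ip"])
    if msisdn:                                # over the radio: line is known
        return {"action": "serve_line", "msisdn": msisdn}
    return {"action": "redirect"}             # insertion failed: bounce to T-Mobile ID
```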

First Steps

For Web Developers

• Have your client ID and client secret assigned

• Confirm your redirect URL.

• Configure your OAuth endpoints

– Auth: https://auth.tmus.net/oauth2/v1/

– Token: https://token.tmus.net/token/

– Profile: https://profile.tmus.net/userinfo/
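The web-application side of the flow on the High level Design slide (redirect with OAuth 2.0 parameters, code returned on the redirect URL, code swapped for an access token with the pre-shared secret, profile fetched with the token), wired to the three endpoints listed here, as an added example that is not part of the deck or of T-Mobile's libraries. Parameter names follow OAuth 2.0 (RFC 6749); the client ID, secret, scope string, profile field names and the fake_iam stand-in for the endpoints are constructed assumptions. The state check is the part integrators most often skip: a callback carrying a state the app never issued is rejected rather than redeemed.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints are those listed on the slide; every other name is an assumption.
AUTH_URL = "https://auth.tmus.net/oauth2/v1/"
TOKEN_URL = "https://token.tmus.net/token/"
PROFILE_URL = "https://profile.tmus.net/userinfo/"

class TmusOAuthClient:
    """Web-app side of the slide's flow; transport(method, url, headers, body)
    -> (status, text) is injected so the example runs offline via fake_iam."""
    def __init__(self, client_id, client_secret, redirect_uri, transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.transport = redirect_uri, transport
        self._pending = set()  # states issued but not yet redeemed
    def authorization_url(self, scope):
        state = secrets.token_urlsafe(32)  # ties the callback to this login
        self._pending.add(state)
        return AUTH_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})
    def handle_callback(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [""])[0]
        if state not in self._pending:  # unknown or replayed state: reject (CSRF)
            raise ValueError("unknown or reused state")
        self._pending.discard(state)
        if "error" in q:
            raise ValueError("authorization failed: " + q["error"][0])
        return q["code"][0]
    def _call(self, method, url, headers, body):
        status, text = self.transport(method, url, headers, body)
        if status != 200:
            raise ValueError("%s returned %d" % (url, status))
        return json.loads(text)
    def exchange_code(self, code):  # client authenticates with its pre-shared secret
        body = urlencode({"grant_type": "authorization_code", "code": code,
                          "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                          "client_secret": self.client_secret})
        return self._call("POST", TOKEN_URL, {}, body)["access_token"]
    def userinfo(self, token):
        return self._call("GET", PROFILE_URL, {"Authorization": "Bearer " + token}, None)

def fake_iam(method, url, headers, body):  # constructed stand-in, not T-Mobile's API
    if url == TOKEN_URL and "code=code-xyz" in body and "client_secret=demo-secret" in body:
        return 200, '{"access_token": "tok-1", "token_type": "Bearer"}'
    if url == PROFILE_URL and headers.get("Authorization") == "Bearer tok-1":
        return 200, '{"tid": "T-ID-0001", "firstName": "Ada", "email": "ada@example.com"}'
    return 401, "{}"
```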

For App Developers

• Confirm your public signature

• Have your Client ID assigned, and public signature recorded (or client name for iOS)

• Download your helper library (Android & iOS)

– Bitbucket.com/tmobile/TIDAHL

– Bitbucket.com/tmobile/TIDIHL

• Download an Agent

– Links within beta test group

• Download the configurator, logger, and sandbox to help with your development

– Links within beta test group

1. Join the Google+ beta testing group (and introduce yourself): T-Mobile ID Beta

2. Reach out to [email protected]

3. Accept the developer agreement

4. Schedule an integration discussion


Opt In