wso2 telco mcx
TRANSCRIPT
Mobile Connect Accelerator
Digital Enablement Powered By APIs For Telcos
About WSO2.Telco
Confidential 2
Axiata Group
Global with Local
Relevance
IDENTITY
Operational Model
limitless Innovation
Future Ready
Agile & Digitally empowered
Micro services
990
India
Customers
290
Foot Print
Countries
8
Visionary team and breakthrough platform
Empower Telcos and
enterprises globally in their
quest to extract value from the
digital ecosystem and remain
relevant in the digital age
Vision
Apply agility to a legacy
landscape by offering seamless
Telco / OTT interoperability to
enable agile business
Mission
Built from MNO Digital Centre of
Excellence combined with digital
industry veterans
Visionary Team
Ground breaking WSO2 Code
base & Telco Digital Innovation
Visionary Platform
DIGITAL SUCCESS
• 3 state of the art DIGITAL HUBS in Asia
• 4 Local API Gateways
• 3 internal micro services projects and 400 APIs exposed in 9 months
Typical challenges for Digital enablement
Our Approach
Be Digitally enabled with WSO2.Telco
Freedom & Control
o Open source
o Fully customizable
o Use any system integrator
Support & Services
Enterprise grade production support and professional services
Cost Saving
Zero CAPEX with OPEX based model
Flexible/Scalable
On premise or cloud. Scale as your business grows
WSO2.Telco: Wider ecosystem
GLOBAL SERVICE PROVIDERS
MNO
GSMA ECOSYSTEM
REGIONAL/COUNTRY/GROUP HUB
WSO2.Telco ecosystem
Opening up to a digital world full of opportunities
Mobile Connect ++: Ready to expose ID, SMS and USSD services
Enhanced offering:
• Operator billing
• Location API
• Existing APIs
Access global ecosystem: Embrace regional and global digital opportunities
Future ready, digitally enabled you
Rapid, interoperable digital service enablement
subscriber
SMS USSD LBS DOB ID
MNO
Interfaces Internet of things
App developers
Service providers
GSMA API
exchange
WSO2.Telco Identity Gateway with more than
1bn customers enabled by WSO2.Telco
• Standalone solution capable of being the backbone
of a fully integrated ID Strategy including SSO,
federated ID services and more.
• Currently the only fully featured open source GSMA
certified ID solution.
• SPs and enterprises can use this solution to
implement a federated ID solution for their own
use.
• For Mobile Connect the solution consists of
authenticators for Levels of Assurance 2 and 3
(LOA2, LOA3) including Header enrichment, SMS,
USSD and Smartphone applications.
• The solution also works with third party SIM applets
and is GSMA Mobile Connect, GSMA OneAPI V3
and ETSI 102.204 compliant.
• Available to download as open source software.
Mobile Connect Accelerator (MCX) by WSO2.Telco
No message arrived? Click to get a text message instead.
Login to wow.lk account with mobile connect?
1.Okay
2.Cancel
QUICK START
LOW COST: Open source with modular scaling. OPEX model to grow with traffic
FEATURE RICH: Mobile Connect ++ and authentication APIs for other services
FLEXIBLE: Highly flexible for adapting to changing requirements and new use cases
SCALABLE: Proven middleware with tools enabling seamless integration + horizontal scaling
INTEROPERABLE: Allows MNOs to both collaborate and innovate internally whilst reducing friction
How MCX works
CUSTOMER LOGIN Desktop/mobile service access request Operator discovery
Authentication
SERVICE PROVIDER
4
WSO2.Telco MCX solution
1 2
3
Secure, convenient &
I don’t need to
remember multiple
usernames and
passwords!
GSMA API
exchange
Deployment options and upgrade path
Cloud based quick start
Live deployment in 30 days
Fully managed cloud solution with
light integration
Low cost for full production instances
Simple contract with no fuss
Hybrid for scaling and upgrade
Multiple architectures to choose from
(partial/full HA)
Quick upgrade to full API
management
All capabilities built on highly efficient
WSO2 code base
On premise
Free POC/ beta trial
Same code and rapid VM based
deployment
Seamless migration from cloud -
with no additional integration
Adaptable for use of any system
integrator
No friction, quick start!
Sign up: Managed cloud or on premise. Same integration path. Single code
Connect: Authentication APIs: OpenID Connect; SMS, USSD; MSSP (ETSI 102.204 compatible for SIM Applet)
Ready to use: Onboarding local and internal services. Share all existing service providers. Connect to GSMA Exchange
MCX Authenticators
Mobile connect use cases and UX flows
User clicks to
login via mobile
connect
Operator
Authenticates the End
User in the
background using
Enriched Header
Item: Feature Phone / Smart Phone / Competition
• Primary Authenticator: Header Enrichment / Header Enrichment / SMS OTP or traditional username and password
• Roadmap: Smartphone Authenticator and USSD Click ‘OK’ as a fallback authenticator
o MSISDN is not required to be input as it is captured through header enrichment
o USSD fallback authenticator is used if the user is using a proxy caching service like Opera
Simple Authentication (LoA2) on mobile network via Header enrichment
1
Welcome to
wow.lk
Jonathan!
2
Simple Authentication (LoA2) off mobile network via USSD
No message
arrived? Click to
get a text message
instead.
Login to wow.lk
account with
mobile connect?
1.Okay
2.Cancel
Welcome to wow.lk Jonathan!
Step 1: User clicks to login via mobile connect
Step 2: Enter mobile number
Step 3: USSD pop up initiated
Step 4: USSD pop received and confirmed
Step 5: User is logged in to site!
Item: Feature Phone / Smart Phone / Competition
• Primary Authenticator: USSD Click ‘OK’ / USSD Click ‘OK’ / SMS OTP or traditional username and password
• Fallback Authenticator: SMS Click ‘OK’ / SMS Click ‘OK’
• Roadmap: Smartphone Authenticator
Two factor Authentication (LoA3) on mobile network via USSD
Registration: MSISDN available through header enrichment/auto discovery
Choose a 4 digit
Mobile Connect
pin.
OK Cancel
Confirm your
mobile connect
PIN
OK Cancel
Step 1: User clicks to login via mobile connect
Step 2: Registration notification
Step 3: USSD pop up initiated
Step 4: USSD prompt to create PIN
Step 5: Re-enter PIN
Two factor Authentication (LoA3) on mobile network via USSD
Registration: MSISDN available through header enrichment/auto discovery
Step 6: Select security questions, input answers & accept T & C
o Default question templates can be localized as per SP
Step 7: Confirmation and consent to SP to proceed with registration completion
Two factor Authentication (LoA3) on mobile network via USSD
Registered customer log on: through header enrichment/auto discovery
Enter your mobile
connect PIN to
continue
OK Cancel
Welcome to
wow.lk Jonathan!
Step 1: User clicks to login via mobile connect
Step 2: USSD pop up initiated
Step 3: USSD prompt to enter PIN
Step 4: User is logged in to site!
Item: Feature Phone / Smart Phone / Competition
• Primary Authenticator: USSD Enter ‘Pin’ / USSD Enter ‘Pin’ / SMS OTP and traditional username and password
• Roadmap: Smartphone Authenticator and USSD Enter ‘PIN’ as a fallback authenticator
Two factor Authentication (LoA3) off mobile network via USSD
User clicks to login
via mobile connect
USSD prompt
initiated
Enter mobile
number
No message
arrived? Click to
get a text
message instead.
Enter your
mobile connect
PIN to continue
OK Cancel
Welcome to
wow.lk
Jonathan!
User enters
correct PIN
User is logged in
to site
Item: Feature Phone / Smart Phone / Competition
• Primary Authenticator: USSD Enter ‘Pin’ / USSD Enter ‘Pin’ / SMS OTP and traditional username and password
• Fallback Authenticator: SMS Authenticator (not recommended for LoA3.) *
• Roadmap: Smartphone Authenticator and USSD Enter ‘PIN’ as a fallback authenticator
* When fallback authenticator is used, SP is informed of supported LoA & authenticator. SP can implement business logic to handle LoA2 authentication.
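The footnote above leaves the handling of a lower LoA to the SP's business logic. As an added example, not taken from the slides or from WSO2.Telco code, this Python function shows one way an SP could act on the LoA and authenticator it is told about. It assumes an already signature-verified OpenID Connect ID token with the LoA in `acr` and the authenticator in `amr`; the authenticator labels, action names and function name are constructed for illustration.

```python
from dataclasses import dataclass

# Highest LoA each authenticator supports, per the deck's Authenticators table.
# The label strings are constructed for this example.
MAX_LOA = {"HEADER_ENRICHMENT": 2, "SMS_URL": 2, "USSD": 3,
           "SMARTPHONE_APP": 3, "SIM_APPLET": 3}


@dataclass
class Decision:
    action: str  # "allow", "allow_limited", "step_up" or "reject"
    reason: str


def evaluate_login(claims, required_loa, limited_ok=False):
    """Decide what the SP does with a verified token's acr/amr claims."""
    try:
        achieved = int(claims["acr"])
        authenticator = claims["amr"][0]
    except (KeyError, IndexError, TypeError, ValueError):
        return Decision("reject", "missing or malformed acr/amr")
    ceiling = MAX_LOA.get(authenticator)
    if ceiling is None:
        return Decision("reject", f"unknown authenticator {authenticator!r}")
    if achieved > ceiling:
        # e.g. LoA3 reported for an SMS login: the two claims contradict
        # each other, so the higher value is not trusted.
        return Decision("reject", f"{authenticator} cannot deliver LoA{achieved}")
    if achieved >= required_loa:
        return Decision("allow", f"LoA{achieved} via {authenticator}")
    if limited_ok:
        # Fallback was used: continue, but only with LoA2-grade functions.
        return Decision("allow_limited",
                        f"LoA{achieved} achieved, LoA{required_loa} requested")
    return Decision("step_up", f"re-authenticate to reach LoA{required_loa}")
```
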
PIN reset/PIN error
PIN Incorrect
OK Cancel
Step 1: PIN entered is incorrect. Users have a maximum of 3 tries to enter the PIN correctly
Step 2: Click on reset PIN option. If user has exhausted all 3 chances of entering the correct PIN, user will be asked to reset PIN via the web browser or the app
PIN reset/PIN error…
Step 3: Change PIN option to be selected
Step 4: Enter default PIN to reset
Enter your Mobile Connect PIN to continue or type XX to reset.
OK Cancel
Operator/Service provider can configure this option (whether to enable or disable to end user). Refer to slide 13
Reset PIN input configurations as per MNO/SP requests to be checked with GSMA technical team
PIN reset/PIN error
Step 5: Security question set during registration (refer slide 7)
Step 6: Create new PIN
Choose a 4 digit Mobile Connect pin.
OK Cancel
Step 7: Confirmation of new PIN
Confirm your new mobile connect PIN
OK Cancel
Step 8: Successful completion of PIN reset
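The PIN rules on these slides (4 digit PIN, a maximum of 3 tries, reset after the security question with the new PIN entered twice), as an added Python example that is not WSO2.Telco's implementation. The class name, the return values, the PBKDF2 storage and its iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

MAX_TRIES = 3            # from the slides: 3 tries, then a reset is required
PBKDF2_ROUNDS = 100_000  # assumption: work factor picked for this example


class MobileConnectPin:
    """Hypothetical server-side record for one subscriber's 4 digit PIN."""

    def __init__(self, pin):
        self.set_pin(pin)

    @staticmethod
    def _valid(pin):
        return isinstance(pin, str) and len(pin) == 4 and pin.isascii() and pin.isdigit()

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)

    def set_pin(self, pin):
        if not self._valid(pin):
            raise ValueError("PIN must be exactly 4 digits")
        self.salt = secrets.token_bytes(16)
        self.digest = self._derive(pin)
        self.failed = 0

    def verify(self, pin):
        # A 4 digit PIN has only 10,000 values, so the attempt counter (not the
        # hash) is what stops guessing: once locked, even the right PIN fails.
        if self.failed >= MAX_TRIES:
            return "reset_required"
        if self._valid(pin) and hmac.compare_digest(self._derive(pin), self.digest):
            self.failed = 0
            return "ok"
        self.failed += 1
        return "reset_required" if self.failed >= MAX_TRIES else "incorrect"

    def reset(self, new_pin, confirm_pin, security_answer_ok):
        # Reset runs in the browser or app after the security question and
        # needs the new PIN entered twice (create, then confirm).
        if not security_answer_ok:
            raise PermissionError("security question not answered correctly")
        if new_pin != confirm_pin:
            raise ValueError("PIN and confirmation do not match")
        self.set_pin(new_pin)
```
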
Managing Mobile connect accounts through self care
Enter default PIN to reset
o Reset PIN functionality will
be enabled to all users by
default.
o Enabling/disabling the rest of the self-care functionalities will be at the discretion of the SP or MNO
Authenticators
Authenticator (LoA supported): Usage description
• Header Enrichment (LoA 2): Suitable for lower levels of assurance (LoA2/single-factor authentication) and user consent is implicit or taken during the setup/registration phase. Is a key differentiator as it provides a “seamless” experience, utilising network authentication.
• USSD (LoA 2, LoA 3): Uses the Network initiated USSD messages and supports both LoA 2 and LoA 3 interactions.
• SMS + ‘Click URL’ (LoA 2): Supports LoA 2 authentication and a better user experience over SMS OTP as the interaction is non-disruptive [all within the Authentication Device]
• Smartphone Application (LoA 2, LoA 3): Securely supports single and two-factor authentication, with a rich UE. Can be used with “network binding” to enhance it with MNO value add for security and business processes.
• SIM Applet (LoA 2, LoA 3): Supports both LoA 2, LoA 3. Very secure - PIN is always stored on the SIM, and never transmitted.
Header Enrichment – Pros & Cons
Pros
• Seamless user experience for the user. User does not need to enter MSISDN
• No additional integration needed for the Service Provider
• Reuses the existing MNO core network authentication
• Establishes “1 factor” authentication: User HAS the device [which has been a-priori authenticated via the mobile network]
Cons (with partial mitigation)
• Does not work with HTTPS. Partial mitigation: a redirection via HTTP can be used for the authentication part before reverting back to HTTPS for the service session
• Not suitable for higher LoA use cases (only suitable for LoA2)
• Does not work over non-MNO network (e.g. WiFi)
USSD – Pros & Cons
Pros
• Supported on majority of handsets
• Utilises the MNO assets
• Not dependent on a data channel, works on the signalling plane
• Works in roaming conditions, across devices
• Potentially supports both LoA2 and LoA3
Cons (with partial mitigation)
• Minimal user experience. Partial mitigation: used in conjunction with smartphone authenticators for better UX on smartphones
• Limited support in 4G phones. Partial mitigation: LTE phones require fallback to CS for USSD traffic. Network Initiated USSI (USSD over IMS) within the following specifications in 3GPP Release 12: 3GPP TS 22.173 v12.8.0, 3GPP TS 24.390 v12.2.0, 3GPP TS 24.229 v12.7.0
• LoA3: recommended not to be used in roaming scenarios. Partial mitigation: trust between MNOs
• No audit logs of traffic either on network/MNO end or customer end. Partial mitigation: inbound/outbound logs can be captured on WSO2 Identity Server
• Network congestion may cause latency and unreliable delivery. Partial mitigation: this can be addressed via SMS or MO USSD fallback authenticator.
SMS Authenticators – Pros & Cons
Pros
• Reuses MNO assets – SMSC
• Simple user experience by embedding OTP in URL rather than requiring user to retype
• Works on all devices
Cons
• Poor UX requiring context switching between apps
• Not suitable for higher LoA use cases
• SMS can be intercepted by apps on the device or any malicious agents
Live Deployments & Achievements
Live Deployments - India Hub
Digital Hub deployed in India, connecting 6 Indian operators to deploy
Mobile connect identity service to their collective 990 Million
subscribers.
The Hub is a fully featured API platform and designed to enable MNOs
in India to leverage a centralized identity solution as well as to expose
multiple network assets and micro services to northbound service
providers.
This includes projects relating to smart cities and the IOT space.
Mobile Connect India Case Study – Six MNOs,
one MCX Hub
PLATFORM IN INDIA
Service
Providers
Digital Business enabler
Platform live
for 12 months
Six MNOs
integrated
in 6 months
LOA2 and 3
with three authenticators
Central
Business
Operations
Hub operated as a Platform-as-a-Service hosted in India
• Only operational MCX Hub globally
• Central very agile MCX product evolution
• Fully operational Telco API Hub
• MNO on-premise option with no re-engineering
SMS USSD HE MCX
DoB CRM LBS Wallet
Live deployments
Digital Hub In Singapore powering over
290 Million subscribers
Axiata Group
290
Live deployments
8 APIs empowering
6000 Entrepreneurs & businesses
www.ideamart.lk
Achievements
GSMA’s Project 2 Billion target for Mobile
connect : Contribution from WSO2.Telco
through enabling Indian MNOs
Achievements
Dialog Axiata PLC – Self care app
that grabbed “Best Mobile Network
Solution” at GLOMO awards 2016 –
Powered by WSO2.Telco APIs