OpenID recently announced that CIBA, which stands for ‘Client initiated Backchannel Authentication (Flow)’, has been approved by MODRNA for the Implementer’s Draft stage. Ubisecure has participated in the innovation work and specification of CIBA and is an early adopter of this approved new standard. In this blog, I’ll explain what CIBA is, how Ubisecure is involved and the benefits for our customers and partners.
What is CIBA?
OpenID defines CIBA as “OpenID Connect MODRNA Client initiated Backchannel Authentication Flow 1.0 is an authentication flow similar to OpenID Connect (OIDC). Unlike OIDC there is a direct Relying Party to OpenID Provider communication without redirects through the user’s browser. This specification allows an [sic] Relying Party that knows the user’s identifier [sic] to obtain tokens from the OpenID Provider. The user consent is given at the user’s Authentication Device mediated by the OpenID Provider.”
In plain terms, this means the user gives consent (the OAuth grant) through an out-of-band flow rather than through a browser redirect. As a result, Client initiated Backchannel Authentication improves the user experience by streamlining how the user gives consent.
CIBA operates with the concept of a Consumption Device (on which the user interacts with the Relying Party) and an Authentication Device (on which the user authenticates with the OpenID Provider and grants consent).
For example, when purchasing something from an online merchant and choosing to pay via their bank, the user does not need to be redirected to the bank website to provide authorisation. Instead, CIBA enables a backchannel authorisation, such as a push notification sent to the Authentication Device (likely the bank’s app installed on a smartphone). Once the user authenticates with the Authentication Device and authorises the request, the server responds with tokens such as an Access Token, Refresh Token or ID Token.
This avoids the traditional use of website redirects. CIBA authentication also extends to the physical world, where such consent can be obtained via a push notification sent at a store’s Point of Sale (Consumption Device), or a money transfer service terminal, or even during an identity verification process in a call centre.
This last example is particularly interesting in these times of sophisticated phishing attacks and social engineering. CIBA would enable a consumer to authenticate to a call centre identity check without the need to share any specific Personally Identifiable Information, such as date of birth or social security number, with the call centre representative (whether real or an imposter). If the call centre is fraudulent, it will not be able to obtain the consent. The flexibility of CIBA to manage consent to share critical identity information in secure and trusted communications is considerable.
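The purchase flow described above, as an added example written for this post and not Ubisecure’s product code: a constructed, in-memory OpenID Provider in CIBA poll mode, with a merchant Relying Party that starts the request over the backchannel, polls for the outcome, and only receives tokens after the user has answered on the Authentication Device. The client id, user record and binding message are assumed sample values; the grant type and error codes are the ones the CIBA specification defines.

```python
import secrets
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"   # grant_type value defined by the CIBA spec

class OpenIDProvider:
    def __init__(self, known_users):
        self.known_users = known_users   # login_hint -> user id; constructed sample data, not a real OP
        self.requests = {}               # auth_req_id -> pending request state

    def backchannel_authenticate(self, client_id, scope, login_hint, binding_message):
        # Step 1: the RP calls the backchannel authentication endpoint directly; no browser redirect.
        if login_hint not in self.known_users:
            return {"error": "unknown_user_id"}
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = {
            "client_id": client_id, "scope": scope, "user": self.known_users[login_hint],
            "binding_message": binding_message, "status": "pending", "expires_at": time.time() + 120}
        # A real OP would now push a notification carrying the binding message to the Authentication Device.
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def user_decision(self, auth_req_id, approved):
        # Step 2: the user reads the binding message on the Authentication Device and approves or denies.
        self.requests[auth_req_id]["status"] = "approved" if approved else "denied"

    def token(self, client_id, grant_type, auth_req_id):
        # Step 3: the RP polls the token endpoint with the CIBA grant until the user has answered.
        req = self.requests.get(auth_req_id)
        if grant_type != CIBA_GRANT or req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}   # wrong grant, unknown id, or another client's request
        if time.time() > req["expires_at"]:
            return {"error": "expired_token"}
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]          # single use: a replayed poll must not mint tokens again
        if req["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "expires_in": 300, "id_token": "id-token-for-" + req["user"]}

def run_purchase_flow(approved=True):
    """Merchant site (Consumption Device) asks the user's bank (OP) for consent to a payment."""
    op = OpenIDProvider(known_users={"+358401234567": "alice"})   # constructed sample user
    start = op.backchannel_authenticate("merchant-rp", "openid", "+358401234567", "Pay EUR 42.00, code 7Q3")
    early = op.token("merchant-rp", CIBA_GRANT, start["auth_req_id"])   # user has not answered yet
    op.user_decision(start["auth_req_id"], approved)                     # answered on the bank app
    final = op.token("merchant-rp", CIBA_GRANT, start["auth_req_id"])
    replay = op.token("merchant-rp", CIBA_GRANT, start["auth_req_id"])  # same auth_req_id reused
    return early, final, replay
```

The first poll returns authorization_pending, the second returns tokens (or access_denied), and the third shows that an auth_req_id cannot be redeemed twice.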
CIBA is the brainchild of the MODRNA Work Group, which had been defining a mechanism for out-of-band authentication when no user agent, such as a browser, is available, with the authentication process initiated via server-to-server communication. Ubisecure is well known in this Work Group. MODRNA, pronounced ‘modernah’, stands for Mobile Operator Discovery, Registration & Authentication. It is a joint GSMA and OpenID Foundation effort, developing a profile of OpenID Connect for use by mobile network operators (MNOs). The profile provides identity services to Service Providers and to e-services consuming those identity services and identities.
Ubisecure’s involvement with CIBA & OIDC
Ubisecure participated in the development of the specification as an Implementer – guiding the Work Group with practical information about how CIBA authentication would be used to simplify and standardise APIs. We have invested time and expertise in order to build a better and safer internet.
Ubisecure has 15+ years of experience with mobile authenticators (e.g. for Finnish Mobile-PKI, Swedish BankID and Estonian Mobile eID), as well as with smartphone-based authenticators in recent years. All of these implement very similar use cases but offer very different APIs of varying complexity for developers. OIDC CIBA standardises the mobile authenticator APIs with a modern, REST-like, developer-friendly specification that will be very familiar to developers who have worked with other OpenID Connect specifications.
CIBA integration with Ubisecure’s Identity Management software and services
Thanks to our involvement with CIBA, we were able to rapidly implement the service in our Customer IAM (CIAM) solutions, IDaaS and Identity Server. Our Authentication Adaptor includes a CIBA-based authenticator for Swedish BankID. We will continue to add CIBA-based authenticators to our product in the future, as we see many benefits in offering a product-based solution with CIBA support.
Benefits of CIBA integration for CIAM customers
Utilising the CIBA workflow integration provides a standards-based interface for integrating a wide variety of authenticators. For Financial Institutions and within banking, this is significantly better than having to use proprietary implementations with varying complexity, different capabilities and potential security risks. Viewed in the light of PSD2, Financial Institutions that utilise a CIBA-compliant integration will ease their self-certification and external certification, while supporting modern security methods and user-experience requirements.
From this perspective, Ubisecure partners and customers are also better prepared for using new modern authenticators. Partners and customers will also be better able to manage their internal service operations and security audits, resulting in increased cost-efficiency.
Implement CIBA as a CIAM customer
We recommend that mobile operators and mobile authenticator vendors implement the new CIBA specification now. It’s easier to implement than most existing offerings, so this drives down the cost. Existing Ubisecure CIAM customers can discuss the implementation with their account manager.
If you’re not already a Ubisecure partner or CIAM customer, contact us here to discuss your requirements and how we can help with Client initiated Backchannel Authentication.