OpenID recently announced that CIBA, which stands for ‘Client initiated Backchannel Authentication (Flow)’, has been approved by MODRNA for the Implementer’s Draft stage. Ubisecure has participated in the innovation work and specification of CIBA and is an early adopter of this approved new standard. In this blog, I’ll explain what CIBA is, how Ubisecure is involved and the benefits for our customers and partners.
Firstly, what is CIBA?
OpenID defines it as, “OpenID Connect MODRNA Client initiated Backchannel Authentication Flow 1.0 is an authentication flow similar to OpenID Connect. Unlike OpenID Connect there is a direct Relying Party to OpenID Provider communication without redirects through the user’s browser. This specification allows an [sic] Relying Party that knows the user’s identitfier [sic] to obtain tokens from the OpenID Provider. The user consent is given at the user’s Authentication Device mediated by the OpenID Provider.”
CIBA is the brainchild of the MODRNA Work Group, which had been defining a mechanism for out-of-band authentication when no user agent, such as a browser, is available, with the authentication process initiated via server-to-server communication. Ubisecure is well known in this Work Group. MODRNA, pronounced ‘modernah’, stands for Mobile Operator Discovery, Registration & Authentication. It is a joint GSMA and OpenID Foundation effort, developing a profile of OpenID Connect for use by mobile network operators (MNOs). The profile provides identity services to Service Providers and to e-services that consume those identity services and identities.
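The flow in the definition above, as an added example that is not Ubisecure's code or API: an in-memory Relying Party and OpenID Provider in poll mode, showing the request handle bound to the client that started it and used only once. The parameter, error and grant-type names follow the CIBA Core 1.0 specification as later published, not this post; `ToyProvider`, `user_decides`, `poll_for_tokens` and all sample values are constructed for illustration.

```python
import secrets, time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type name from CIBA Core 1.0

class ToyProvider:
    """In-memory stand-in for an OpenID Provider (hypothetical, for illustration)."""
    def __init__(self):
        self.requests = {}

    def backchannel_authenticate(self, client_id, login_hint, scope, binding_message):
        # Direct RP -> OP call: no redirect through the user's browser.
        if "openid" not in scope.split():
            return {"error": "invalid_scope"}
        auth_req_id = secrets.token_urlsafe(32)   # unguessable handle for this request
        self.requests[auth_req_id] = {"client": client_id, "user": login_hint,
            "msg": binding_message, "state": "pending", "expires": time.monotonic() + 120}
        # interval is 0 so the example runs instantly; a real OP returns seconds.
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 0}

    def user_decides(self, auth_req_id, approved):
        # Stands in for consent given on the user's authentication device.
        self.requests[auth_req_id]["state"] = "approved" if approved else "denied"

    def token(self, client_id, grant_type, auth_req_id):
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        # The handle is only honoured for the client that started the request.
        if req is None or req["client"] != client_id:
            return {"error": "invalid_grant"}
        if time.monotonic() > req["expires"]:
            return {"error": "expired_token"}
        if req["state"] == "pending":
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]            # single use once the user has decided
        if req["state"] == "denied":
            return {"error": "access_denied"}
        return {"id_token": "constructed-id-token-for-" + req["user"]}

def poll_for_tokens(op, client_id, started, max_polls=5):
    """RP side: poll the token endpoint until the user decides or polls run out."""
    resp = {"error": "authorization_pending"}
    for _ in range(max_polls):
        resp = op.token(client_id, CIBA_GRANT, started["auth_req_id"])
        if resp.get("error") != "authorization_pending":
            break
        time.sleep(started["interval"])           # respect the OP's polling interval
    return resp
```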
Ubisecure’s involvement with CIBA
Ubisecure participated in the development of the specification as an Implementor – guiding the Work Group with practical information about how CIBA would be used to simplify and standardise APIs. We have travelled to multiple face-to-face MODRNA workshops (e.g. in Amsterdam and in London), and have invested time and expertise in order to build a better and safer internet.
Ubisecure has 15+ years of experience with mobile authenticators (e.g. for Finnish Mobile-PKI, Swedish BankID and Estonian Mobile eID) as well as smartphone-based authenticators in recent years. All of these implement very similar use cases but offer very different APIs of varying complexity for developers. OpenID Connect CIBA is an attempt to standardise the mobile authenticator APIs with a modern, REST-like, developer-friendly specification that is very familiar to developers who have been working with other OpenID Connect specifications.
CIBA integration with Ubisecure’s Identity Server
Thanks to our involvement with CIBA, we were able to rapidly implement the service into the Ubisecure Identity Server as a draft specification. In fact, our Authentication Adaptor (released as part of IDS 2018.1 in October 2018) included our first CIBA-based authenticator for Swedish BankID. We will continue to add CIBA-based authenticators into our product in the future as we see many benefits from offering a product-based solution with CIBA support.
Benefits of CIBA integration for our customers
Utilising the CIBA workflow integration enables a standards-based interface for integrations to a wide variety of authenticators. For Financial Institutions, this is significantly better than having to use proprietary implementations with varying complexity, different capabilities and potential security risks. Viewed in the light of PSD2, when Financial Institutions utilise a CIBA-compliant integration they will ease their self-certification and external certification, while supporting modern security methods and user-experience requirements.
From this perspective, Ubisecure partners and customers are also better prepared for using new modern authenticators. Partners and customers will also be better able to manage their internal service operations and security audits, resulting in increased cost-efficiency.
Implement CIBA as a Ubisecure customer
We recommend that mobile operators and mobile authenticator vendors implement this new specification now. It’s easier to implement than most existing offerings, so this drives down the cost. Existing Ubisecure customers can discuss the implementation with their account manager.
If you’re not already a Ubisecure partner or customer, contact us here to discuss your requirements and how we can help.