Mobile Connect

About Mobile Connect

Mobile Connect is a digital identity service used in Germany for identifying natural persons via their mobile phones. This service is provided by GSMA and developed by the mobile operators Deutsche Telekom, Telefonica (O2) and Vodafone.

Signicat’s integration with Mobile Connect supports one-factor authentication. The end-user simply enters their mobile number as identification. It complies with eIDAS level 2, which is “Low” Level of Assurance (LoA). You should therefore only use this service in transactions that do not require a strong security level, or in combination with another factor to support two-factor authentication. Example use areas are logins for merchants’ benefit cards, streaming services, games etc.

The main aim of this service is to give the end-users an easy and efficient way of authenticating themselves when using online services. This offers users greater security and convenience than having to create and remember usernames and passwords for each website or service they use. Mobile Connect allows the end-users to log in more easily, simply by entering their mobile number.

Key features

  • Easy login with mobile phone number.
  • No user password required.
  • One-factor authentication, LoA level “Low”.
  • The authentication is connected to the mobile SIM card.
  • Mobile phone customers of Deutsche Telekom, Telefonica (O2) and Vodafone automatically get access to Mobile Connect.

Authentication

You can use Mobile Connect for authentication of your users both during the onboarding process and re-authentication. The only requirement is that the end-user has a valid mobile number with one of the mobile operators, Deutsche Telekom, Telefonica (O2) or Vodafone. During the onboarding process, the end-user must also sign a one-off consent form for using Mobile Connect.

Use case

The authentication process may look as follows from the end-user perspective. This assumes the end-user wants to log in to an online service, for example, a streaming service.

  1. The end-user opens the merchant’s streaming app or application on a mobile or desktop device.
  2. The end-user is redirected to Mobile Connect’s login box and is asked to provide their mobile phone number (MSISDN).
  3. When the end-user has entered the mobile number, they are redirected to the waiting page of the mobile network operator.
    This waiting page is displayed if the end-user has a valid mobile phone number from one of the three mobile phone operators. Here, the mobile operator informs the end-user that they should have received an SMS with a login link. The end-user can also cancel the login from this screen.
  4. The end-user receives an SMS with an authentication link.
  5. The end-user clicks the authentication link and is now logged into the service.

How to integrate with Mobile Connect

The integration is done via the same API as Signicat’s other ID methods. See Get started with authentication for more information. Through the single point of integration, you will get access to Signicat’s wide portfolio of integrated ID methods, not only Mobile Connect, but also other services like signing, identity paper verification and lookups.

Mobile Connect uses OIDC (OpenID Connect) as its authentication protocol.

The method name is mobile-connect.

Result example

The result of the request is returned in a SAML response:

subject.name                            cc795096-d995-48d7-95b6-2620100d59f6
subject.format                          urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
subject.nameQualifier                   urn:ksi:names:SAML:2.0:ac:mobileconnect
authentication.method                   urn:ksi:names:SAML:2.0:ac:mobileconnect
authentication.instant                  Mon Jun 29 10:13:02 CEST 2020
signicat.service-name                   nbidmobile
signicat.method-name                    mobile-connect
signicat.unique-id                      cc795096-d995-48d7-95b6-2620100d59f6
signicat.security-level                 3
signicat.plain-name
mobileconnect.sub                       cc795096-d995-48d7-95b6-2620100d59f6
mobileconnect-claims.at_hash            k4LsKH_QOogN5NoISvK5HQ
mobileconnect-claims.sub                cc795096-d995-48d7-95b6-2620100d59f6
mobileconnect-claims.aud                [73f708e1-e478-49d8-8363-3f773f5abc2f, 73f708e1-e478-49d8-8363-3f773f5abc2f]
mobileconnect-claims.acr                2
mobileconnect-claims.azp                73f708e1-e478-49d8-8363-3f773f5abc2f
mobileconnect-claims.auth_time          1593418380
mobileconnect-claims.amr                [null]
mobileconnect-claims.iss                https://mobileconnect-test.telekom.de/openid
mobileconnect-claims.hashed_login_hint  C1F744D2DB37494CCE8185F0101A2E5D3DBE4BD67CB71FDE2491E7FDD80525C1
mobileconnect-claims.exp                1593420382000
mobileconnect-claims.iat                1593418382000
mobileconnect-claims.nonce              c5597ec0-eb9e-4146-a73b-31fb02c1beba

mobileconnect.sub is a unique identifier that is used to identify the end-user. This is a Pseudonymous Customer Reference (PCR) used by Mobile Connect to reference a pairing between a specific end-user’s account and a specific application/web service. The name of the end-user is empty, which means it is anonymized.
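
The following is an added example, not Signicat's or Mobile Connect's own code. It sketches the checks a service could run on the attributes above before keying a session on the PCR, including the rule that a one-factor, LoA “Low” result needs a second factor for stronger transactions. It assumes the SAML response has already been signature-verified and flattened into a dict of strings by your SAML library; check_result, to_seconds, the 300-second freshness window and the 60-second skew allowance are hypothetical choices.

```python
# Constructed input: values copied from the result example on this page.
SAMPLE = {
    "authentication.method": "urn:ksi:names:SAML:2.0:ac:mobileconnect",
    "signicat.method-name": "mobile-connect",
    "signicat.unique-id": "cc795096-d995-48d7-95b6-2620100d59f6",
    "mobileconnect.sub": "cc795096-d995-48d7-95b6-2620100d59f6",
    "mobileconnect-claims.sub": "cc795096-d995-48d7-95b6-2620100d59f6",
    "mobileconnect-claims.acr": "2",
    "mobileconnect-claims.auth_time": "1593418380",
    "mobileconnect-claims.exp": "1593420382000",
}
C = "mobileconnect-claims."

def to_seconds(ts):
    # Assumption: 13-digit values (exp and iat in the sample) are milliseconds,
    # 10-digit values (auth_time) are seconds.
    n = int(ts)
    return n // 1000 if n >= 10**12 else n

def check_result(attrs, now, max_age=300, min_acr=2,
                 needs_strong=False, second_factor_ok=False):
    """Return (pcr, problems); pcr is None unless every check passed."""
    problems = []
    if attrs.get("signicat.method-name") != "mobile-connect":
        problems.append("unexpected signicat.method-name")
    if attrs.get("authentication.method") != "urn:ksi:names:SAML:2.0:ac:mobileconnect":
        problems.append("unexpected authentication.method")
    # All three subject attributes must carry the same non-empty PCR.
    subs = {attrs.get(k) for k in ("mobileconnect.sub", C + "sub", "signicat.unique-id")}
    if len(subs) != 1 or not next(iter(subs)):
        problems.append("inconsistent subject")
    if int(attrs.get(C + "acr", "0")) < min_acr:
        problems.append("acr below required minimum")
    age = now - to_seconds(attrs.get(C + "auth_time", "0"))
    if not -60 <= age <= max_age:  # 60 s clock-skew allowance (assumption)
        problems.append("authentication not fresh")
    if to_seconds(attrs.get(C + "exp", "0")) <= now:
        problems.append("claims expired")
    # Mobile Connect is one-factor, LoA "Low": demand a second factor for
    # transactions that need a strong security level.
    if needs_strong and not second_factor_ok:
        problems.append("second factor required")
    return (None if problems else attrs["mobileconnect.sub"]), problems
```

Because the PCR is a pairing between one end-user account and one application, store it as an opaque key and do not expect it to match an identifier seen by another service.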

Test information

Signicat’s test environment preprod.signicat.com is available 24×7, and may be used during your development and test phase.

To be able to test, you need a valid telephone number from one of the following mobile operators: Deutsche Telekom, Telefonica (O2) or Vodafone.

Each of the mobile operators has its own test environment. Signicat will set this up for you. Please contact Signicat to get help with setting this up.