Zenkey App
Full Title
The Zenkey App is a joint venture of the 3 dominant mobile phone service providers in the US.
Context
FIDO for 5G from Authenticate 2021-10-19 presented that among the big telco adopters of FIDO is Verizon which is using strong authentication for a number of different services.
Josna Kachroo, Sr. Manager for Device Technology at Verizon, commented in a session that password phishing continues to be a major problem. She noted that Verizon has adopted FIDO standards to enable a best in class authentication solution and one that is able to scale across many different use cases.
Bjorn Hjelm, Distinguished Member of Technical Staff at Verizon, outlined a number of use cases including the ZenKey app that is a joint development across AT&T, T-Mobile and Verizon to enable access to services. The need for strong authentication and FIDO is also important for 5G wireless. Hjelm explained that 5G enables operators to do network slicing. With network slicing, an operator can virtually reserve network resources for a specific purpose. One such specific purpose can be for first responders, where there is a need also for strong user authentication in order to grant access to the service. “We are positioning FIDO as part of the user authentication for first responders,” Hjelm said. See wiki on FirstNet.
Problems
- Each telco (MNO) provides their own app and their own client ID for the Relying Party
- ZenKey similar to the internet provider giving you an email address. It makes changing carriers more difficult.
- There is a common service point with a Zenkey logo that can be placed on the Relying Party Website.
Solutions
- ZenKey simplifies integration by following the OpenID Connect (OIDC) authentication protocol. OpenID Connect is based on the OAuth 2.0 specification. It uses JSON web tokens (JWTs) obtained using OAuth 2.0 flows. The ZenKey SDK uses OIDC to support developers, creating experiences in web and native applications
- Zenkey Developer
- Building Security & Trust in Mobile Banking addresses one of the favorite attacks against banking credentials is sim-stuffing whereby an attacker takes control of a user's mobile phone number and uses that to reset the password on their bank account. Since Zenkey uses the SIM Card Number as part of the authentication of they, the telcos imagine that they will provide the security that the RP cannot get from the phone number. However, if the sim stuffing was done at the telco then that sim card will be the one that can be used for authentication.
References
- This link from Zenkey on LinkedIn gives a good summary of the ZenKey as Identifier.