A less invasive method would be for the mobile operator and the application provider to federate their identities such that when the user activated an application on the phone, the mobile operator could authenticate the user to the application provider via a SAML assertion. This is not complicated and already supported via the existing SAML protocols. A possible flow could be...
- User goes to application provider (Instant Messaging service) web page
- Web page asks the user if they want to activate their IM account on their phone
- User selects the link to start the process
- The web page asks the user to authenticate their Instant Messaging account (if not already authenticated)
- After authentication, the web site asks the user for their mobile operator and phone number
- Once the information is received, the web site sends an SMS message with a confirmation code to the phone
- The user enters the SMS confirmation code into the web site
- The web site sends a SAML federation message to the mobile operator providing a pseudonymous identifier and phone number for the user
- The mobile operator receives the SAML message and maps the phone number to the user's account and stores the pseudonymous identifier for the IM service
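The flow above as an added example, not code from the original post: a stdlib-only Python sketch of both sides, with the confirmation code made single-use, time-limited and compared in constant time, and the federation message carrying only an opaque persistent NameID rather than the IM account name. It assumes the function names and subscriber data shown, and it omits the XML signature a real SAML message carries; the issuer check stands in for it on an assumed authenticated server-to-server channel.

```python
import hmac, secrets, time
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
CODE_TTL = 300  # seconds an SMS confirmation code stays valid (assumed value)
q = lambda tag: f"{{{NS['saml']}}}{tag}"  # Clark-notation helper for SAML elements

# Application provider (IM service) state; dict-backed for the example.
pending = {}      # phone -> (code, expiry, im_account)
federations = {}  # im_account -> pseudonymous identifier shared with the operator

def start_activation(im_account, phone, now=None):
    """Step 7: mint a random six-digit code for the SMS (delivery itself not shown)."""
    code = f"{secrets.randbelow(10**6):06d}"
    pending[phone] = (code, (now or time.time()) + CODE_TTL, im_account)
    return code

def confirm_and_federate(phone, entered, issuer, operator, now=None):
    """Steps 8-9: verify the code, then build the SAML federation message."""
    code, expiry, im_account = pending.pop(phone, (None, 0, None))  # one attempt per code
    if code is None or (now or time.time()) > expiry \
            or not hmac.compare_digest(code.encode(), str(entered).encode()):
        return None
    pseudonym = secrets.token_urlsafe(24)  # opaque per-pairing identifier, not the IM login
    federations[im_account] = pseudonym
    a = ET.Element(q("Assertion"), Version="2.0", ID="_" + secrets.token_hex(16))
    ET.SubElement(a, q("Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, q("Subject")), q("NameID"), Format=PERSISTENT,
                  NameQualifier=issuer, SPNameQualifier=operator).text = pseudonym
    attr = ET.SubElement(ET.SubElement(a, q("AttributeStatement")), q("Attribute"),
                         Name="phoneNumber")
    ET.SubElement(attr, q("AttributeValue")).text = phone
    return ET.tostring(a)  # XML-DSig signature omitted in this sketch (see lead-in)

# Mobile operator side: subscriber records keyed by phone number (constructed sample data).
subscribers = {"+15555550100": {"account": "sub-0042", "federations": {}}}

def receive_federation(xml_bytes, trusted_issuers):
    """Step 10: accept only trusted issuers, map phone -> account, store the pseudonym."""
    a = ET.fromstring(xml_bytes)
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return None
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        return None
    phone = a.findtext("saml:AttributeStatement/saml:Attribute[@Name='phoneNumber']"
                       "/saml:AttributeValue", namespaces=NS)
    sub = subscribers.get(phone)
    if sub is None:
        return None  # unknown subscriber: nothing to link
    sub["federations"][issuer] = name_id.text
    return sub["account"]
```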
This model keeps the interactions between the mobile operator's hosted services and the external application providers, rather than on the handset. It also makes it much easier for users to configure their applications because they don't have to enter their credentials into the phone itself. A win-win.
Tags: Identity, Mobile, SAML
Update: In my rush to post this entry I was remiss in pointing out that this solution was discussed over lunch at a Liberty Alliance interim TEG meeting. The other principals in the discussion were Fulup Ar Foll and Alvaro Armenteros.