|Access Token||Represents an authorisation from the user, after successful authentication, to access user information within a given time window. The Access Token is associated with permissions (known in OIDC as ‘scopes’) which control the information or services an application is permitted to access.|
|Acknowledgement||ACK, a message sent by the Server of the Service Provider indicating that all the procedures after a Mobile Connect product request have been successfully finished (i.e. all the necessary information obtained).|
|API||Stands for Application Programming Interface. A set of definitions, protocols, and tools for building application software. An API defines the correct way for a developer to write a programme that requests services/data from Mobile Connect endpoints.|
|API Endpoints||Resource Endpoints, the various URLs defined by the Mobile Network Operator which applications use to invoke API services provided by Mobile Connect products. API endpoints are provided by the API Exchange for the discovery and by the Mobile Network Operators for Mobile Connect products. The resource endpoints provide service specific attributes, i.e. information about Service Providers, Mobile Network Operator and end-users.|
|Asynchronous flow||A flow where a Service Provider's Server does not wait for a response message from the Identity Gateway to initiate another request.|
|Asymmetric signatures||Public key algorithms that use two different keys: a public key and a private key. The private key member of the pair must be kept private and secure. The public key, however, can be distributed to anyone who requests it. When one key of a key pair is used to encrypt a message, the other key from that pair is required to decrypt the message.|
|Authentication||The process or action of verifying the identity of the end-user.|
|Authentication Device||A mobile device (identified by a SIM card associated with a Mobile Connect account) used to approve/reject Mobile Connect challenges necessary to complete the procedures that require the end-user's consent. The authentication device may be the same as the Consumption Device or Consent Device.|
|Authenticator||The method by which a user authenticates themselves. An authenticator always uses a device that has an MSISDN.
More details can be found here.
|Authorisation||The process which determines user privileges or access levels related to the interaction with applications/web services of Service Providers.|
|Authorisation Device||See Authentication Device.|
|Authorisation Endpoint||An API Endpoint used by Service Providers to initiate Authentication or Authorisation requests in the Device Initiated mode.|
|Authorisation Server Initiated Endpoint||An API Endpoint used by Service Providers to initiate Authentication or Authorisation requests in the Server Initiated mode.|
|Authorization Code||The intermediate code representing a successful end-user's authentication or authorisation, which can then be exchanged for tokens (ID Token and Access Token).|
|Basic Authentication||A method of authentication using Base64-encoded credentials. This is described in RFC 2617.|
|Claim||A piece of asserted information about an end-user, such as a name, a mobile phone number, etc.|
|Consent Device||The device through which the end-user provides consent to the Mobile Connect system for sharing or validation of their personal information in order to be able to use the Mobile Connect services. There are three logical devices defined in Mobile Connect: Consumption Device, Authentication Device, and Consent Device.|
|Consumption Device||The device connected to the Internet where the end-user consumes the service from the Service Providers, e.g. a PC, a laptop, a tablet, a mobile phone, a smart TV, etc. This may also be the Authentication Device. Please see also: Consent Device.|
|Device Initiated mode||DI mode, a communication between the Service Provider's application and the Identity Gateway in which a user-agent (e.g., a web browser) initiates the Mobile Connect service requests.|
|Discovery||The process of identifying the end-user's Mobile Network Operator and retrieving the necessary details to make a request to that Mobile Network Operator.|
|Endpoint||A node or device that sends and accepts communications across the network. Because the endpoint is one end of a communication channel, it is often represented as the URL of a server or service. See API Endpoint for more about endpoints implemented in Mobile Connect.|
|E.164||E.164 is the international telephone numbering plan that ensures each device has a globally unique number. This is what allows phone calls and text messages to be correctly routed to individual phones in different countries. E.164 numbers are formatted [+] [country code] [subscriber number including area code] and can have a maximum of fifteen digits. A full|
|End-user||A person consuming Mobile Connect services. They are an end-user of the Mobile Network Operator and Service Provider.|
|Explicit Consent||An agreement given by the end-user with the collection, use, or disclosure of personal information provided to the Mobile Network Operator.|
|The FIDO Alliance||The FIDO Alliance is an industry consortium defining a protocol for interoperability for strong authentication.|
|Grant type||A method by which the Service Provider obtains an Access Token from the Identity Gateway.|
|Identity Gateway||IDGW, the connector between OIDC requests coming from Service Providers and the Mobile Network Operator platform.|
|ID Token||Contains important security information about the authentication of the particular end-user. This includes the authenticator used, Level of Assurance, etc. The ID Token in Mobile Connect always has a JSON Web Token (JWT) format.|
|JSON Web Algorithm||RFC 7518 defines cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications.|
|JSON Web Key Set||JWKS, a JSON object that represents a set of JSON Web Keys (cryptographic keys used to encrypt or decrypt JWT and Request Objects).|
|JSON Web Token||JWT, a JSON-based standard that defines a compact and self-contained way of securely transmitting information between parties as a JSON object. Within Mobile Connect, the JWT format is implemented for the ID Token, allowing client applications to receive the end-user's identity encoded in a secure format.|
|JWKS URI Endpoint||An API Endpoint used by Service Providers to obtain a key for decrypting the ID Token.|
|Level of Assurance||LoA, the degree of assurance that the end-user who presents a digital credential for asserting their identity is, in fact, that person.
Specifically, the LoA represents a degree of certainty that:
More details can be found here.
|Login hint||A parameter sent to the Identity Gateway in any Mobile Connect product request, used in both the Server Initiated and the Device Initiated Modes.
The Service Provider may use this parameter to allow the end-user to avoid re-entering their mobile phone number in subsequent authentications once they have logged in.
Login hint may contain one of the following values:
|Mobile Connect ATP||ATP stands for Account Takeover Protection. Mobile Connect ATP is a Mobile Connect product which provides a mechanism for a Trusted Service Provider to spot potentially fraudulent behaviour associated with an end-user's mobile device account. This mechanism is based on a request to the Mobile Network Operator for feedback on key parameters associated with this account. The Trusted Service Provider compares the information given by the Mobile Network Operator with the information from the user, and if the hit ratio does not reach a certain level, the transaction is considered potentially fraudulent.|
|Mobile Connect Attributes||Mobile Connect product group which allows Service Providers to retrieve specific attributes about the end-user, their device or the transaction they want to make. Mobile Connect Attribute products are aimed at verification of the end-user's identity and fraud mitigation.|
|Mobile Connect Authenticate||Mobile Connect product aimed at simple, passwordless and secure end-user authentication using a mobile device as an authentication device. The product is characterised by a default one-factor authentication which ensures a basic authentication of the end-user.|
|Mobile Connect Authenticate Plus||Mobile Connect product aimed at simple, passwordless and secure end-user authentication using a mobile device as an authentication device. The product is characterised by a default two-factor authentication which ensures a strong authentication of the end-user.|
|Mobile Connect Authentication||Mobile Connect product category which represents a simple, passwordless and secure log-in mechanism, where a device with a SIM card (i.e. mobile phone, tablet) is used as the authentication device. This product category comprises two products: Mobile Connect Authenticate and Mobile Connect Authenticate Plus offering both basic and strong authentication of the end-user.|
|Mobile Connect Authorisation||Mobile Connect product category which offers contextual authorisation of the end-user with the help of a device with a SIM card (i.e. mobile phone, tablet) used as an authorisation device.|
|Mobile Connect Authorise||Mobile Connect product which allows the end-user to authorise any request from a Service Provider's application / web service directly from their mobile phone in a simple, passwordless and secure way. The product is characterised by a default one-factor authentication which ensures a basic authentication of the end-user.|
|Mobile Connect Authorise Plus||Mobile Connect product which allows the end-user to authorise any request from a Service Provider's application / web service directly from their mobile phone in a simple, passwordless and secure way. The product is characterised by a default two-factor authentication which ensures a strong authentication of the end-user.|
|Mobile Connect Identity||Mobile Connect product category which allows a Service Provider to retrieve the end-user’s personal data after a successful consent capture.|
|Mobile Connect KYC Match||KYC stands for Know Your Customer. Mobile Connect KYC is a Mobile Connect product which provides a mechanism for a Trusted Service Provider to check the information about the end-user against that held by the Mobile Network Operator in order to assure the end-user's identity or to check that the current information is up-to-date and relevant.|
|Mobile Connect National ID||Mobile Connect product which enables the end-user to share some core information (such as name, date of birth and national identifier) in order to reveal their identity to the Service Provider.|
|Mobile Connect Phone Number||Mobile Connect product which enables the end-user to share their MSISDN with the Service Provider in order to reveal their identity.|
|Mobile Connect Sign-up||Mobile Connect product which enables the end-user to share some core information about themselves (such as name and address) with the Service Provider.|
|Mobile Country Code||MCC, a 3-digit code used in combination with the Mobile Network Code to identify a mobile network operator uniquely.|
|Mobile Network Code||MNC, a 2-digit code used in combination with the Mobile Country Code to identify a mobile network operator uniquely.|
|Mobile Network Operator||MNO, Serving Operator, Operator, a telecommunications service provider that offers services of wireless voice and data communication for its subscribed mobile users.|
|MSISDN||Stands for Mobile Station International Subscriber Directory Number. A number uniquely identifying a mobile phone number internationally. It serves for the mapping of the telephone number to the SIM card in a mobile phone. This number includes a Country Code, a National Destination Code, and a Subscriber Number, and doesn't include the '+'. A Country Code together with a National Destination Code identify the end-user's Mobile Network Operator. The end-user's MSISDN is always associated with the end-user's Mobile Connect account.|
|Multi-factor Authentication||MFA, a method of confirming an end-user's claimed identity in which an end-user is granted access only after successfully presenting 2 or more pieces of evidence to an authentication mechanism.
Evidence may be of three different types: “Something you know” (e.g. a password); “Something you have” (e.g. a bank card); “Something you are” (e.g. an iris reading, a MAC address).
The authentication mechanism where 2 pieces of evidence are required for successful authentication is also called two-factor authentication (2FA).
|Native application||An application program that has been developed for use only on a particular platform or device.|
|Notification URI||A URI used by the Identity Gateway to return responses with Access Tokens to the Service Provider's asynchronous Server Initiated requests. This endpoint is provided by the Service Provider and is registered at the Developers Portal.|
|OAuth2||An open authorisation protocol that enables applications to obtain limited access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account, and authorising applications to access the user account. OAuth provides authorisation flows for web and desktop applications, and mobile devices.|
|One-factor Authentication||1FA, a method of confirming an end-user's identity in which an end-user is granted access when a person matches one credential to verify themselves online. One of the most common examples is matching a password to a user name.|
|OpenID Connect||OIDC, a simple identity layer on top of the widely used OAuth 2.0 protocol for authorisation. This allows Service Providers (i.e. applications and web services) to authenticate their end-users based on the authentication performed by an Authorisation server, as well as to receive information about end-users.|
|PCR||Stands for Pseudonymous Customer Reference. A unique customer reference that allows a developer to match a Mobile Connect end-user with a service account. It is a unique identifier that replaces an individual's mobile phone number and may be used to distinguish one individual from another, thus protecting the privacy of an individual seeking to authenticate and access the services of a third party Service Provider.|
|PremiumInfo Endpoint||An API Endpoint used by Service Providers to make requests to obtain information about the end-user (e.g. name, e-mail, etc.) in Device Initiated Mode or Server Initiated Mode.|
|Private Key||A part of a cryptographic key pair, used to either encrypt or decrypt data, which remains confidential to its respective owner. Whatever is encrypted with a Private Key may only be decrypted by its corresponding Public Key and vice versa.|
|Prompt||A question displayed to the end-user's Authentication Device to approve or deny the transaction.|
|Provider Metadata Endpoint||An API Endpoint used by Service Providers whenever they need to know some details about a particular Identity Gateway (all endpoints, possible scopes, versions, prompts, URLs, encryption algorithms, etc.), for example, while implementing and debugging the software.|
|Public Key||A part of a cryptographic key pair, used to either encrypt or decrypt data, which is publicly accessible. Whatever is encrypted with a Public Key may only be decrypted by its corresponding Private Key and vice versa.|
|Redirect URI||URI of the application or service where the Discovery API sends responses. The redirect URI is set when you register your application on the Developer Portal.|
|Request Object||An encrypted part of the request which contains some core data about the end-user and the login session. The request object is used only in the Server Initiated mode and is characterised by a higher level of the data protection.|
|Resource Endpoint||See API Endpoint|
|Scope||The parameter which defines the Mobile Connect product and gives permission to access specific resource endpoints (or claims). For further information please refer to Scope values page.|
|Sector Identifier URI||This is a URI that points to a JSON document that lists any Redirect URLs, Notification URIs and JWKS URIs that the SP uses in Mobile Connect API calls. The URI is sent to operators when an application is registered. As part of the application onboarding process the JSON document will be validated by the operator. For more information see the Sector Identifier URI page.|
|Server Initiated Mode||SI mode, SI communication, a communication between a pair of servers in which the Service Provider's Server initiates the Mobile Connect service requests to the Identity Gateway. The end-user's agent (e.g., a web browser) is not involved in this type of communication.|
|Service Provider||SP, Developer Operator, Service Operator, the organisation, owner of an application that provides access to Mobile Connect products to end-users.|
|Something I Have||Specific item that allows the user to confirm who they are such as a bank card or passport. For Mobile Connect this is the Mobile Device/SIM registered with their Mobile Connect account.|
|Something I Know||Specific knowledge that allows the user to confirm who they are such as a password or previously registered personal details. For Mobile Connect this is normally a PIN registered with their Mobile Connect account.|
|Something I Am||Specific details that allow the user to confirm who they are such as an iris reading or fingerprint. This is not yet supported by Mobile Connect.|
|Token||A software object which represents the right to perform some operation. There are two types of tokens in Mobile Connect: ID Token and Access Token. Both of these are granted by an operator Identity Gateway.|
|Token Endpoint||An API Endpoint used by Service Providers to obtain tokens in exchange for an Authorization Code in Device Initiated Mode.|
|Trusted Service Provider||TSP, a Service Provider that is trusted by Mobile Network Operators to initiate Mobile Connect API calls or request data directly from end-users. There are two types of Trusted Service Providers.
TSP Level 2: in addition to what TSP Level 1 can do, can capture consent directly from the end-user.
|Two-factor Authentication||2FA, a method of confirming an end-user's claimed identity in which an end-user is granted access only after successfully presenting 2 pieces of evidence to an authentication mechanism.|
|Uniform Resource Identifier||URI, a set of characters that identifies a resource by its name or location.|
|Uniform Resource Locator||URL, a specific type of URI used as a reference to a web source that specifies its location on a computer network and a mechanism for retrieving it.|
|Userinfo Endpoint||An API Endpoint used by Service Providers to make requests to obtain information about the end-user (e.g. name, e-mail, etc.) in Device Initiated mode version 1.1 or Server Initiated mode.|
|User-agent||A software agent that is acting on behalf of a Mobile Connect end-user in Device Initiated mode, e.g. a web browser, a native application, etc.|