What is Mobile Connect?
Mobile Connect is a user authentication and identity service based on the OpenID Connect/OAuth2 standards. Mobile Connect is provided by individual mobile network operators and delivered through a standardised technical interface.
Mobile Connect uses two principal APIs:
- The Discovery API enables your application to recognise the mobile network being used and whether Mobile Connect is available for that network. It also provides your application with the various URLs for the Mobile Connect service corresponding with the user's network.
- The Mobile Connect API allows the user to authenticate themselves using their Mobile Connect user account.
The Mobile Connect APIs are based on industry standard RESTful API principles. Each API is provided over HTTP protocols so that you can incorporate Mobile Connect in your application regardless of the programming language or operating system you are using for development.
How does Mobile Connect work?
You need to include the Mobile Connect button in your application.
This will let end users know that by using their mobile number they will be able to identify themselves to your application, provided their operator supports Mobile Connect.
When users click on the Mobile Connect button, the Discovery Service behind the Discovery API will identify the user's mobile operator. The Discovery Service will try to do this without requiring input from the user, but this is not possible, the user will be brought to the Operator Selection User Interface (Shown in "Figure a”)
Here the user will be asked to enter their mobile phone number (MSISDN). The Discovery Service will use this to determine the user’s home operator. Once identified, the operator's Mobile Connect API details will be returned to you as part of the Discovery Service response. You will now be able to initiate the Mobile Connect authentication process.
Please refer to the Discovery API and Mobile Connect API sections for further information.
These interfaces are provided by the user's home operator, so the look and feel will vary depending on the operator's implementation. The fundamentals of identifying the user via the mobile network, however, are the same.
After Discovery is completed (Figure A), the Mobile Connect service notifies the user that an action is required on their mobile device. This is shown in the first screenshot image in Figure B. The screen will stay in this state until the action is completed on the mobile device. The central screenshot in Figure B shows an example of the authenticator prompt on the mobile device. By completing this action, the user proves to be in possession of their mobile device. In this case the authenticator used is SMS+URL*. Once the user responds to the prompt, the confirmation screen is loaded.
*Please refer to the Mobile Connect API for information about other Authenticators.
Once the user has authenticated, you will receive a Pseudonymous Customer Reference (PCR)* that is unique to the user and your application. The PCR should be associated to your local service account. Each time the user accesses your application, regardless of the nature of the device, the same PCR will be returned identifying this user.
*There are more steps in obtaining the PCR. Details are described under the Mobile Connect API section