Sim Swap Certification - 3 Legged authorization implementation #129
Replies: 4 comments
Please share your use cases and scenarios for SIM Swap. Then the community can advise further.
@psidana I guess this discussion should take place in the Identity and Consent Management group. Can we transfer it?
I don't have permission to transfer issues from one WG to another. CC @hdamker Not sure he can. @psidana But as you say, CAMARA (as per Identity & Consent WG) mandates that in cases where personal user data is processed by the API and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, and upholds the principles of transparency and user-centric data control. So SIM Swap requires 3-legged access.
This is more of a business discussion than a technical discussion, IMHO.
@jpengar yes, I can ... and done.
As per CAMARA guidelines for SIM Swap API certification, it is mandatory to implement the 3-legged authorization flow - front end or CIBA. I have the below concerns in implementing it:
In the front end flow, I have to force my clients to update their mobile app customer journey, to which they may or may not agree. They may not be interested in authenticating the end user in the MNO system.
In the CIBA flow, it will not add value, since in SIM Swap fraud an unauthorized user has already compromised the end-user’s SIM to get the OTP SMS; sending another OTP will not add any value.
If you are aligned with my understanding above, then please suggest why it is mandatory to implement it for certification.