Liaison statement
LS on the new work item on Functional requirements for the integrated authentication service of telecommunication operators

ITU-T Study Group 17 informs ISO/IEC JTC 1/SC 27/WG 2&WG 5, IETF Security OAuth
about the establishment of a new work item ITU-T X.ias (Functional requirements
for the integrated authentication service of telecommunication operators),
which was approved at the ITU-T SG17 meeting (20 February. - 1 March 2024).

The new work item would recommend an integrated authentication service provided
by telecommunication operators.

ITU-T SG17 looks forward to keeping continued collaboration and exchange with
you on the topics of authentication service and beyond.

Attachment (1):
- Scope and Summary of new work item on ITU-T X.ias, Functional requirements
for the integrated authentication service of telecommunication operators

Attachment 1

Draft Recommendation ITU-T X.ias
Functional requirements for the integrated authentication service of
telecommunication operators

Scope:
This Draft Recommendation would recommend an integrated authentication service
provided by telecommunication operators. The integrated authentication service
would utilize the published authentication standardization works to combine the
popular authentication capabilities (such as authentication factors, protocols,
etc.) so as to be secure and flexible. This recommendation would identify the
security risks on the authentication process and function required by the
enterprise customers. Then it would analyze the security and usability
requirements of an authentication service. And it would recommend functional
requirements of the integrated authentication service on framework, management,
processes, network resources, protocols and terminal characteristics,
respectively. The enterprise customers could adopt and customize the integrated
authentication service with the full consideration of security and usability.
It is important to note that the users’ identity, password, certificate and
token will be stored within and controlled by the business application, not the
integrated authentication service.

Summary:
The security of identity authentication would be the first gate to ensure
business security, and it should be one of the most basic security service. So
many other security services depend on it. Once the identity authentication
system was breached, most of security measures of a business system would
become vulnerable. At present, so many enterprises (esp. small and medium-sized
ones) have not yet been able to establish their own comprehensive identity
authentication systems with full consideration of security and protection
requirements. So that, it would be hard to resist network attack threats such
as authentication information leakage, malicious login, and password brute
force cracking, which would pose huge security risks to their businesses.
Telecommunication operators have comprehensive communication network
infrastructures and security management technology protection systems.
Currently, telecommunication operators provide users with not only large-scale
connection services, but also a large number of information services.
Furthermore, users would have convenient and unique identity labels based on
mobile phone numbers and SIM cards prvoided by telecommunication operators.
Therefore, it is necessary to establish integrated authentication service
standards for telecommunications operators to regulate the market, enhance the
quality of authentication services, and ensure the security of account systems.
This recommendation proposes an integrated authentication service framework for
telecommunications operators, outlining the security technical requirements for
the infrastructure, functions, management systems, and network architecture of
telecommunications operator integrated authentication services. This
recommendation provides standard references for the research of secure
authentication capabilities, security deployment, and security assessments for
the integrated authentication service system of telecommunications operators.