US Carriers Introduce Project Verify To Replace Individual App Passwords

Four major US carriers -- AT&T, Sprint, T-Mobile, and Verizon -- are joining forces to launch a single sign-on service for smartphones. From a report: The service, called Project Verify, authenticates app logins so that users don't need to memorize passwords for all their apps. The companies say their solution verifies users through their phone number, phone account type, SIM card details, IP address, and account tenure. Essentially, your phone serves as the verification method with details that are hard to spoof. Users have to manually grant apps permission to use Verify, and it works similarly to how you might log into some services through Gmail or Facebook instead of using a unique account password. Of course, these apps also have to choose to work with Verify, and the program hasn't listed any partners or when it intends to launch. The service can serve as your two-factor authentication method, too, instead of an emailed or texted code that can be intercepted. Users might not be totally safe if their phone is stolen. The Verify program automatically logs users in, so long as they have access to their phone's home screen and apps. More details on Krebs on Security blog.

Wrong

All those are identification, not authorization. They can replace username only. The same as biometrics. Not only they do not verify and intent, they do not allow for distinguishing if the user is real. If I get your phone, I am you...
Moronic.
You can't substitute a machine identity for the user identity. These are two complete distinct identities.

Re:Wrong

I am currently working on a rectal ID probe that would attach via bluetooth to the phone. It could be used when needed, or left in place all day. It would be difficult if not impossible to spoof, and if you lose your phone it's not a big deal. I have a patent filed on this.

Re:Wrong

[CastrTroy]

Even password systems are vulnerable to this. If I get your phone, I have access to your email. If I have access to your email, I can reset your password. Your email basically a master key to all your online accounts.

Re: Wrong

I have one email address for accounts of various kinds. I have another email address for actual correspondance.

Want to guess which email address my phoneâ(TM)s mail app is configured to use?

Re: Wrong

Iâ(TM)ve been testing my rectal probe on your mom every night.

Re: Wrong

We know it's some broken Apple email app that probably phones everything important back to the Cupertino mothership.

Re:Wrong

[jellomizer]

There isn't any way to insure that a User is really the real user. Even if it is a person to person validation, they are ways to fool the system.
You seem to be stuck in semantics. Most security problems happen when someone impersonates someone else. They know their login and password, or could guess it in a reasonable amount of time. Now with these additional form of identification such as biometrics, personal key, or unique phone id. Really turns the tide to getting people to impersonate your connection without your permission. Other then downloaded a hacked login and password database from a major site, that didn't handle security as well as they thought. Your identity needs to be directly targeted. They will need to find ways to copy your face or your fingerprints, steal your phone (and get past your phones own biometric or pw logins). The Hackers tend not to make too much money form their hacks, but being that it can be done in bulk without much risk to them, it is still easy money. If they are going to be all sneaky finding a mark trying to get their phone and their fingerprints to fake a system their better off using such time to get an honest job.

Re:Wrong

"They will need to find ways to copy your face or your fingerprints, " - Stop spreading fud
All that is needed is for this service to say "YES". If security worked, my ATM would not have been "hijacked". Yes money withdrawn from ATM from my account.

Hmm. ATM card, in my possession, PIN# only known to me.

FUD!

Re: Wrong

You're holding it wrong, and that's not my mom that's YOUR DAD!

I trust US Mobile Carriers as far as I can spit

[MisterSquid]

The moment US mobile carriers are able to positively identify individuals by their mobile devices is the moment they resell user data to advertising affiliates.

Re:I trust US Mobile Carriers as far as I can spit

The moment US mobile carriers are able to positively identify individuals by their mobile devices is the moment they resell user data to advertising affiliates.

So, how exactly did you get to that rock on another planet to hide under for the last decade? Was the air really thin? Low oxygen levels?

I mean, something had to contribute to your accelerated ignorance to assume US mobile carriers haven't been doing this for years. You can't be that stupid naturally.

Re:I trust US Mobile Carriers as far as I can spit

[q4Fry]

They're starting out by giving it to retailers. Excerpts from Krebs's article, quoting the general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T. Emphasis mine.

“We can be a primary authenticator where, just by authenticating to our app, you can then use that service,” [Johannes Jaskolski] said. “That can be on your mobile, but it could also be on another device. With subscriber consent, we can populate that information and make it much more effortless to sign up for or sign into services online. In other markets, we have found this type of approach reduced [customer] fall-out rates, so it can make third-party businesses more successful in capturing [lots of data via a mobile device].”

Jaskolski said the coalition is hoping to kick off the program next year in collaboration with some major online e-commerce platforms that have expressed interest in the initiative, although he declined to talk specifics on that front. He added that the mobile providers are currently working through exactly what those defaults might look like, but also acknowledged that some of those platforms have expressed an interest in forcing users to opt-out of sharing specific subscriber data elements.

Definitely no kickbacks from these retailers, no siree.

Re:I trust US Mobile Carriers as far as I can spit

[Dragonslicer]

It looks like it's just third-party authentication, similar to how many sites, including Slashdot, allow authentication using a Google or Facebook account. So in theory, the general idea isn't any less secure than other third-party authenticators, but it's going to depend a lot on the technical details.

Re:I trust US Mobile Carriers as far as I can spit

[surfdaddy]

Yes, especially Verizon is about the worst possible company you would ever want to trust on this.

As long as it is not mandatory...

[mi]

So long as the usage of this is not mandated by the government — neither directly nor indirectly, such as, for example: "must sign up to get unemployment benefits" — it is Ok. May be a good thing even.

Re: As long as it is not mandatory...

LOL. Where did the left touch you. Show us on the doll.

Re: As long as it is not mandatory...

[mcrbids]

If be very curious about your evidence to support the conclusion that the left is trying to filter your communication.

One Stop Shop

So, a one stop-shop for data compromise then? Awesome!

Their APPS?

You mean those surveillance programs that require nigh-on full access to everything on your phone for no reason whatsoever?

Real reason

US Carriers (and US Spy agencies): Please give us access to all of your data whenever we feel like we need it (or want it).

Re: Real reason

Ppl need to stand up and say enough is enough.

We're at the point where government feels entitled to people information and that it's a foregone conclusion that you will comply...

NSA Approved!

[Zorro]

Encryption.....sure.....go ahead!

The only reason this exists is for tracking

[kalpol]

For the same reason the ubiquitous Facebook and Google login integrations exist, the only purpose of this is to track what apps you're using and when, and do we really trust they won't also know what you're doing in them? If they have the authentication, they have everything.

Re:The only reason this exists is for tracking

No, that's not the only reason. The primary reason this exists, is so the government agencies can have easy access to your data with a single key, and bypass all that annoying encryption...

Someone Steals my phone and.....

gets access to my home screen they can open any App I have linked to this "Verify Program" without knowing the individual password for said account. This must be a new feature for criminals and governments, not a bug.

"The Verify program automatically logs users in, so long as they have access to their phone's home screen and apps."

Yeahhh....

[the_skywise]

I'm going to go ahead and... uh... disagree with you there...
I'll stick with my password manager thankyouverymuch.
I'm sure 5 years from now Amazon and Google will join forces to help me secure my house by "securely" storing my digitial keys to my house and only unlocking it with my phone making me oh-so-much more secure.

Re:Yeahhh....

[Dragonslicer]

I'm sure 5 years from now Amazon and Google will join forces to help me secure my house by "securely" storing my digitial keys to my house and only unlocking it with my phone making me oh-so-much more secure.

I think you're vastly overestimating how secure a regular door lock is.

Re:Yeahhh....

Your door at least requires a warrant though.

But if AT&T gives the CIA your key in bulk collection....

US telecoms?

US carriers are Nimitz, Dwight D. Eisenhower, Gerald R. Ford, etc.

Re:US telecoms?

[reboot246]

As crazy as it sounds, that's exactly what I thought the first time I read the headline.

Oh hell no ...

Essentially, your phone serves as the verification method with details that are hard to spoof

Oh, hell no ... because somehow there is the assumption you should be trusting the assholes at a cell carrier.

No, sorry, you don't get to be the gatekeeper for my authentication.

Sorry, they're just trying to grab more control, and there is no way that should happen.

With this, they could login to any account they want, because they pretty much have everything they need to.

And, I'm sure they'd never do anything like access your account for marketing purposes ... nosiree.

This is just a bit fat 'nope'.

Re:Oh hell no ...

[Cinnamon+Beige]

Yeah, and it also means I can't log into my phone's apps elsewhere if I want to or need to--I have an Android phone, and I can (and do) have it overlapping with a tablet and will occasionally use an emulator as well. (Nox, if you're wondering.) And I've had phones die abruptly.

So, basically, not only is it requiring you trust them with your login credentials, it's an inherently insecure and too-secure system all at once--somebody can both steal your phone to get access and you will be blocked from doing anything about it because your (physical) phone is required to log in. Usually you've got to work to screw up security this hard...

benevolence

[PopeRatzo]

Those helpful souls at AT&T, Sprint, T-Mobile, and Verizon don't want to see you bothered by those troublesome passwords any more, so now they'll take care of all that for you.

Aren't they nice?

Re: benevolence

To be fair, I know one of the biggest call issues for Netflix is login issues and in alot of cases it's not even not because of not knowing the password.. These people. Take 30 minutes or longer and need some handholding just to enter a name and password

Re:benevolence

Those helpful souls at AT&T, Sprint, T-Mobile, and Verizon don't want to see you bothered by those troublesome passwords any more, so now they'll take care of all that for you.

No kidding, when companies like that start co-operating, you know that it's an unholy alliance which won't be good for consumers.

This is the carriers wanting to control all of your passwords ... and nothing good can come of that. This will be about as secure as writing your passwords on a post-it note you've attached to your monitor.

The first subpoena which says "we need access to everything this person uses" will prove that.

Not on your fucking life.

Captcha: unwiser ... indeed

Re: benevolence

To be fair, I know one of the biggest call issues for Netflix is login issues and in alot of cases it's not even not because of not knowing the password.. These people. Take 30 minutes or longer and need some handholding just to enter a name and password

If the user is THAT stupid, how the hell did they ever sign up for Netflix service to begin with? If they can't even grasp how to operate a username and password, there's no way in hell they were able to confirm their billing zip code or CVV number. In fact, I would question if they could actually operate Netflix.

Re: benevolence

[OYAHHH]

This is 100% true, but you don't compromise everyone else due to dolts who can't type correctly or remember a password.

Re:benevolence

[BlueStrat]

Those helpful souls at AT&T, Sprint, T-Mobile, and Verizon don't want to see you bothered by those troublesome passwords any more, so now they'll take care of all that for you.

Aren't they nice?

What this is, is an attempt to assuage those in the government that are pushing for mandatory "backdoors". If they can convince a sufficient number of users to breach their own security voluntarily, they hope that will persuade the government not to enact mandatory access which would put those carriers in the middle between an authoritarian regime and an outraged populace. Of course, that this centralized authentication plan also would allow them to collect & sell even more customer data doesn't hurt, either.

It would not surprise me to see a similar push for "authentication centralization" among Google, FB, Amazon, etc etc in the near future and for similar reasons.

"Just say no."

Strat

Pretty sure this is for the government

[TheCastro1689]

All that info can be spoofed with off the shelf equipment and a few kiddie scripts. I don't see this being the most secure thing. And if the phone can be unlocked by force (fingerprints) or otherwise then all those apps are unlocked as well. No thanks.

Social Engineering

[Luthair]

Haven't we already discovered that SMS was an insecure 2FA method because carrier customer service can trivially be convinced to switch someone's phone number to an arbitrary SIM. Wouldn't this attacker then be able to use their phone with Verify.

Re:Social Engineering

I know T-Mo support gives you the option to define a PIN that you must give them whenever you call, in order to authorize them to do anything to your account. IIRC, they added it in response to things like the aforementioned SIM switching exploits.

Re:Social Engineering

Haven't we already discovered that SMS was an insecure 2FA method because carrier customer service can trivially be convinced to switch someone's phone number to an arbitrary SIM. Wouldn't this attacker then be able to use their phone with Verify.

From TFS:

"The companies say their solution verifies users through their phone number, phone account type, SIM card details, IP address, and account tenure. Essentially, your phone serves as the verification method with details that are hard to spoof."

If the security works as advertised, it sounds like this particular solution is designed to prevent the exact kind of attack you're describing. Even if someone was able to convince the carrier to switch a phone number and SIM to effectively "clone" a phone, I would hope one of the other validation methods (phone account type, SIM card details, etc.) would prevent unauthorized use.

At least we hope it works that way.

Re:Social Engineering

[Luthair]

If the security works as advertised, it sounds like this particular solution is designed to prevent the exact kind of attack you're describing. Even if someone was able to convince the carrier to switch a phone number and SIM to effectively "clone" a phone, I would hope one of the other validation methods (phone account type, SIM card details, etc.) would prevent unauthorized use.

I think you're missunderstanding - to me it sounds like they're claiming their application will verify the SIM in the phone vs the account, at which point the attacker is probably also using the cellular network for the attack so their IP address matches records too.

Steal my phone, have access to all my apps

[pgmrdlm]

Isn't that what would happen if someone steals your phone with this type of authentication? Dumb as dirt question I am sure, but still want to know the answer.

Re:Steal my phone, have access to all my apps

[CastrTroy]

If you lock your phone, then nothing would happen because they don't have access to any of the data.Even with password based systems, if they get access to your phone, and your phone is unlocked, then they can read your email. If they can read your email, they can do a password reset on all you online accounts that have that feature.

Re:Steal my phone, have access to all my apps

You do bring up a good point.

Thankfully I don't have my e-mail attached to my phone and only use it on my desktop. Yeah I'm living in 1998.

Re: Steal my phone, have access to all my apps

Yeah never tie your information down with one email account. That creates a weak link that you have no control over

Ah, no

[cascadingstylesheet]

I'll keep using my inexpensive unlocked phone, and change it, and the carrier, whenever I like. Thanks all the same.

Hahaha - They Can Kiss My Ass

I'll bet they market it with the convenience of using the various *Pay apps.

They can kiss my ass.

SIM Locked?

[Nkwe]

So when your SIM card changes do does it count as new identity and do you have to re-authorize applications to use the new identity? The summary lists "SIM card details" as a factor, but doesn't specify if the changing of a SIM invalidates exiting identity / registrations with applications. This is important because without it, you still have the issues of social engineering attacks where the attacker calls up the phone company and says "I have lost my phone, can you activate my replacement phone with this new SIM?", granting the attacker access to your email, text messages which also grants the attacker access to your second factor and password reset procedures.

Setting aside the scary privacy and tracking implications of a common ID baked into the phone, if the identity is locked to the SIM, it would help alleviate the social engineering attacks and make your phone a viable second factor for security operations.

Re: SIM Locked?

Just my though makes it harder to swap phones or services.

Re:SIM Locked?

[Cinnamon+Beige]

SIM locked would have its own problems--what do you do when a SIM card dies a horrible death? Any solution here would be open to social engineering attacks, or not work very well since I doubt most people know (or wish to need to know) how to back up their SIM cards and even if that worked, that'd still not necessarily block people from just stealing a phone. It'd also likely mean that you'd be having to buy your phones straight from the carrier or one of the carrier's resellers.

Re:SIM Locked?

[Nkwe]

I probably should not have used the term "SIM Locked" as its usual meaning is that there is a locked relationship between the SIM and the phone which requires carrier assistance to change. I was thinking about "locking" the relationship between the SIM and your federated or second factor identity. Meaning if your phone got a new SIM (or you got a new phone and SIM), that all the external applications / websites would no longer recognize the phone has an identity factor. In this case you would have to re-establish your identity with your applications (relying parties) via some external process. While this would be inconvenient, it would raise the social engineering bar from simply convincing the carrier that you were who you are trying to impersonate, to convincing the carrier *and* all of the applications. Of course social engineering is still a threat, but by "locking" the SIM to your common identity, you would not have all of your security eggs in one basket as we do now when using the phone / SMS as a single security factor.

Re:SIM Locked?

[Cinnamon+Beige]

Think through what you just said from the perspective of having to quickly move all those security eggs to a new basket because your old phone, with its SIM card, has been stolen and you are needing to get everything onto your new phone and SIM card--or at least revoke the permissions from the old set, but that usually takes moving them onto the new if you want access ever again. That should get you to what I'm trying to point out: Any solution to the general issue of being able to recover from even merely having the SIM card die is likely to have issues with being too secure--and we're talking about a single security factor that is supposed to let you straight into the accounts, so you need to be able to revoke permissions fast if it gets stolen & if it's your sole means of access you are likely to be up a certain infamous creek without a paddle.

There is such a thing as too secure. It's probably quite safe to say that a permanently and completely bricked system is very secure--and that this is about the only nice thing to be said for it.

With their current track record, NO!!!!

With the current track record that carriers have of not properly authenticating people who call in or visit cell phone shops to transfer a person's service to another SIM in order to steal 2FA i give this a big HELL NO!

Questionable motives

What a coincidence that list is so full of information I'm unwilling to give them. It's as if getting that information was their primary goal and replacing passwords was just a pretext.

https://tails.boum.org

Tails Linux OS. Fuck you, big money.

Americans should trust them!

It is a sound choice to trust American companies! Look, they are not Huawei or Kaspersky.

Please dear lord no.

The same companies that sell our data by default and give out our data to government agencies without a warrant want the ability to log in as us at any time.

Greaaaaat.

Re: Please dear lord no.

Or collect your password history to fish any of your accounts, or sell that password, or give it to the government

Yeah this is hilariously scary stuff

Just what I want

I would offer up my left nut for a suitable technology that basically provides, âoeIf I am logged into my phone, I am logged into the apps on the phoneâ.

Re: I trust US Mobile Carriers as far as I can spi

The servers will be maintained by the NSA so the cost to the carriers will be minimal.

Sounds fishy

Anytime competing companies come together, put your tinfoil hat on....cause it isn't just divine inspiration that they all want "what's best for the consumer"

drumpfenfuhrer

das drumpfenfuhrer will save you! he likes bigly and wet!

They can go fuck themselves.

They can seriously go fuck themselves. How many data breaches have they had?

Obligatory XKCD

[elrous0]

https://xkcd.com/927/

I like the idea, but...

As much as I like the idea of a single login for convenience, it also means there's a single point of failure which I absolutely do not like.

Re: I trust US Mobile Carriers as far as I can spi

Did you just say that? Carrier's bill by the byte, you don't think they know where u have been? Foolish child...

US Carriers??

[maroberts]

I was expecting a list like Nimitz, Eisenhower, Vinson, Roosevelt, Washinton, Stennis, Ford, Truman, Reagan, Bush....

Re:US Carriers??

[phantomfive]

More appropriately, Enterprise because this plan is grounded.

I was on a carrier ...

[CaptainDork]

... and we had no use for this.

The Navy band was great, though.

This is wrong

[sjgman9]

Just use 1password everywhere. I've used it since 2010 and it works beautifully on phones

Re:This is wrong

[nitehawk214]

Why not use hunter2?

Thank you for simplifying my work

So now I just have to hack one place instead of four. Thank you!!! I mean seriously... all the carriers have been hacked at one point or another, some multiple times. So now we're going to collaborate (while we argue over standards) so whomever can hack me more easily. *sigh*

serious question:

Where is "the apps guy" ???

I thought he'd be all over this one.

Re:Hurricane hitting

Yes, save the americans and forget the rest. Nothing else is happening in the world.

This is the FBI/NSA/CIA/TSA backdoor they wanted..

'Nuff said.

Will never be used by me, and forcibly removed from any device I use, if it cannot be removed, the device will be destroyed.

Hah - captcha karma does exist "protests"

Re:Hurricane hitting

[nitehawk214]

I am sure it will be handled just as well as Puerto Rico.

Oh, wait, they are Americans.

What could possibly go wrong?

I don't even want to think about it.

Law enforcment will love this ...

[fahrbot-bot]

Access to your phone grants access to all your accounts. Just great.

Re:Law enforcment will love this ...

Access to your phone grants access to all your accounts. Just great.

They don't need your phone, they can just go straight to the carriers who would now have everything required to sign you into everything, and demand that.

They could do all of this without you ever knowing it has happened.

This would literally put the entirety of your authentication into someone else's hands, and they'd roll over in a heartbeat if asked for it.

And don't forget all of the people who work for these companies could also gain access to your accounts.

The number of ways in which this represents terrible security are hard to convey .. but having a consortium of phone carriers having full control of users to arbitrary websites would be an incredibly stupid idea.

People who signed up for this would likely not be savvy enough to understand that they've now essentially given all of their passwords to a 3rd party.

This is not 2FA.

It's not even as good as a password.

No Thanks

[organgtool]

These clowns can't even figure out how to use a three-way handshake to verify Caller ID and we're supposed to trust them with authentication that supplants passwords?

All your eggs in one basket?

[p51d007]

Maybe I'm missing something, but if one gets hacked?

Can't use apps while traveling

[locketine]

I buy prepaid SIM cards when I travel as it's a lot cheaper than buying an international travel plan/allowance from an American carrier. With this system in place I wouldn't be able to access any of my apps or accounts.

I'm pretty sure the execs are rubbing their greedy hands together with sly smiles expecting us all to get even more locked into our overpriced American mobile service plans, which will become more expensive once this identification mechanism achieves general acceptance.

Re:Hurricane hitting

Puerto Rico was a hell hole before the storm and is still a hell hole after the storm. The only thing that can change that is the attitude of the people who live there. The libs love to blame all the problems on GOP presidents. Hillary lied and people died!

Re:Hurricane hitting

Classic misdirection.

Blame the child for the parents' shortcomings.

They will hold your accounts hostage

Imagine for a moment that you used this service. Now imagine decided that you cannot access your accounts unless you pay more $. If you dont pay up, you loose access to everything. This is literally getting the carriers permission to access YOUR accounts. Does that sound even remotely sane?

Re:Hurricane hitting

Puerto Rico was never a hell hole. And it's the responsibility of the US Federal Government for any repairs or maintenance.

Another bad idea

This is, if anything, an even worse idea than biometrics. Many commentators have already pointed out the obvious tracking and privacy issues but what about something more basic? This is about controlling access.

I don't mean controlling access as in making sure it is you or someone else. I mean controlling access to the web, to cloud based services, to computers in general. For now this is an "option". A few years from now, it will be highly recommended, a few years after that it will be mandatory and unless you are a customer of one of the big companies, you won't be able to use any app or access the web in any way. You will HAVE to possess a phone and a customer ID with one of them in order to do anything.