Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Carriers Introduce Project Verify To Replace Individual App Passwords (theverge.com)

Posted by msmash on from the interesting-moves dept.

Four major US carriers -- AT&T, Sprint, T-Mobile, and Verizon -- are joining forces to launch a single sign-on service for smartphones. From a report: The service, called Project Verify, authenticates app logins so that users don't need to memorize passwords for all their apps. The companies say their solution verifies users through their phone number, phone account type, SIM card details, IP address, and account tenure. Essentially, your phone serves as the verification method with details that are hard to spoof. Users have to manually grant apps permission to use Verify, and it works similarly to how you might log into some services through Gmail or Facebook instead of using a unique account password. Of course, these apps also have to choose to work with Verify, and the program hasn't listed any partners or when it intends to launch. The service can serve as your two-factor authentication method, too, instead of an emailed or texted code that can be intercepted. Users might not be totally safe if their phone is stolen. The Verify program automatically logs users in, so long as they have access to their phone's home screen and apps. More details on Krebs on Security blog.

4 of 92 comments (clear)

  1. Wrong by Anonymous Coward · · Score: 5, Insightful

    All those are identification, not authorization. They can replace username only. The same as biometrics. Not only they do not verify and intent, they do not allow for distinguishing if the user is real. If I get your phone, I am you...
    Moronic.
    You can't substitute a machine identity for the user identity. These are two complete distinct identities.

  2. The only reason this exists is for tracking by kalpol · · Score: 4, Insightful

    For the same reason the ubiquitous Facebook and Google login integrations exist, the only purpose of this is to track what apps you're using and when, and do we really trust they won't also know what you're doing in them? If they have the authentication, they have everything.

    --
    12:50 - press return.
  3. Yeahhh.... by the_skywise · · Score: 4, Insightful

    I'm going to go ahead and... uh... disagree with you there...
    I'll stick with my password manager thankyouverymuch.
    I'm sure 5 years from now Amazon and Google will join forces to help me secure my house by "securely" storing my digitial keys to my house and only unlocking it with my phone making me oh-so-much more secure.

  4. Social Engineering by Luthair · · Score: 3, Insightful

    Haven't we already discovered that SMS was an insecure 2FA method because carrier customer service can trivially be convinced to switch someone's phone number to an arbitrary SIM. Wouldn't this attacker then be able to use their phone with Verify.