US Carriers Introduce Project Verify To Replace Individual App Passwords

Four major US carriers -- AT&T, Sprint, T-Mobile, and Verizon -- are joining forces to launch a single sign-on service for smartphones. From a report: The service, called Project Verify, authenticates app logins so that users don't need to memorize passwords for all their apps. The companies say their solution verifies users through their phone number, phone account type, SIM card details, IP address, and account tenure. Essentially, your phone serves as the verification method with details that are hard to spoof. Users have to manually grant apps permission to use Verify, and it works similarly to how you might log into some services through Gmail or Facebook instead of using a unique account password. Of course, these apps also have to choose to work with Verify, and the program hasn't listed any partners or when it intends to launch. The service can serve as your two-factor authentication method, too, instead of an emailed or texted code that can be intercepted. Users might not be totally safe if their phone is stolen. The Verify program automatically logs users in, so long as they have access to their phone's home screen and apps. More details on Krebs on Security blog.

benevolence

[PopeRatzo]

Those helpful souls at AT&T, Sprint, T-Mobile, and Verizon don't want to see you bothered by those troublesome passwords any more, so now they'll take care of all that for you.

Aren't they nice?

SIM Locked?

[Nkwe]

So when your SIM card changes do does it count as new identity and do you have to re-authorize applications to use the new identity? The summary lists "SIM card details" as a factor, but doesn't specify if the changing of a SIM invalidates exiting identity / registrations with applications. This is important because without it, you still have the issues of social engineering attacks where the attacker calls up the phone company and says "I have lost my phone, can you activate my replacement phone with this new SIM?", granting the attacker access to your email, text messages which also grants the attacker access to your second factor and password reset procedures.

Setting aside the scary privacy and tracking implications of a common ID baked into the phone, if the identity is locked to the SIM, it would help alleviate the social engineering attacks and make your phone a viable second factor for security operations.