Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Carriers Introduce Project Verify To Replace Individual App Passwords (theverge.com)

Posted by msmash on from the interesting-moves dept.

Four major US carriers -- AT&T, Sprint, T-Mobile, and Verizon -- are joining forces to launch a single sign-on service for smartphones. From a report: The service, called Project Verify, authenticates app logins so that users don't need to memorize passwords for all their apps. The companies say their solution verifies users through their phone number, phone account type, SIM card details, IP address, and account tenure. Essentially, your phone serves as the verification method with details that are hard to spoof. Users have to manually grant apps permission to use Verify, and it works similarly to how you might log into some services through Gmail or Facebook instead of using a unique account password. Of course, these apps also have to choose to work with Verify, and the program hasn't listed any partners or when it intends to launch. The service can serve as your two-factor authentication method, too, instead of an emailed or texted code that can be intercepted. Users might not be totally safe if their phone is stolen. The Verify program automatically logs users in, so long as they have access to their phone's home screen and apps. More details on Krebs on Security blog.

43 of 92 comments (clear)

  1. Wrong by Anonymous Coward · · Score: 5, Insightful

    All those are identification, not authorization. They can replace username only. The same as biometrics. Not only they do not verify and intent, they do not allow for distinguishing if the user is real. If I get your phone, I am you...
    Moronic.
    You can't substitute a machine identity for the user identity. These are two complete distinct identities.

    1. Re:Wrong by CastrTroy · · Score: 1

      Even password systems are vulnerable to this. If I get your phone, I have access to your email. If I have access to your email, I can reset your password. Your email basically a master key to all your online accounts.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re: Wrong by Anonymous Coward · · Score: 1

      I have one email address for accounts of various kinds. I have another email address for actual correspondance.

      Want to guess which email address my phoneâ(TM)s mail app is configured to use?

    3. Re:Wrong by jellomizer · · Score: 1

      There isn't any way to insure that a User is really the real user. Even if it is a person to person validation, they are ways to fool the system.
      You seem to be stuck in semantics. Most security problems happen when someone impersonates someone else. They know their login and password, or could guess it in a reasonable amount of time. Now with these additional form of identification such as biometrics, personal key, or unique phone id. Really turns the tide to getting people to impersonate your connection without your permission. Other then downloaded a hacked login and password database from a major site, that didn't handle security as well as they thought. Your identity needs to be directly targeted. They will need to find ways to copy your face or your fingerprints, steal your phone (and get past your phones own biometric or pw logins). The Hackers tend not to make too much money form their hacks, but being that it can be done in bulk without much risk to them, it is still easy money. If they are going to be all sneaky finding a mark trying to get their phone and their fingerprints to fake a system their better off using such time to get an honest job.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. I trust US Mobile Carriers as far as I can spit by MisterSquid · · Score: 3, Informative

    The moment US mobile carriers are able to positively identify individuals by their mobile devices is the moment they resell user data to advertising affiliates.

    --
    blog
    1. Re:I trust US Mobile Carriers as far as I can spit by q4Fry · · Score: 1

      They're starting out by giving it to retailers. Excerpts from Krebs's article, quoting the general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T. Emphasis mine.

      “We can be a primary authenticator where, just by authenticating to our app, you can then use that service,” [Johannes Jaskolski] said. “That can be on your mobile, but it could also be on another device. With subscriber consent, we can populate that information and make it much more effortless to sign up for or sign into services online. In other markets, we have found this type of approach reduced [customer] fall-out rates, so it can make third-party businesses more successful in capturing [lots of data via a mobile device].”

      Jaskolski said the coalition is hoping to kick off the program next year in collaboration with some major online e-commerce platforms that have expressed interest in the initiative, although he declined to talk specifics on that front. He added that the mobile providers are currently working through exactly what those defaults might look like, but also acknowledged that some of those platforms have expressed an interest in forcing users to opt-out of sharing specific subscriber data elements.

      Definitely no kickbacks from these retailers, no siree.

    2. Re:I trust US Mobile Carriers as far as I can spit by Dragonslicer · · Score: 1

      It looks like it's just third-party authentication, similar to how many sites, including Slashdot, allow authentication using a Google or Facebook account. So in theory, the general idea isn't any less secure than other third-party authenticators, but it's going to depend a lot on the technical details.

    3. Re:I trust US Mobile Carriers as far as I can spit by surfdaddy · · Score: 1

      Yes, especially Verizon is about the worst possible company you would ever want to trust on this.

  3. NSA Approved! by Zorro · · Score: 1

    Encryption.....sure.....go ahead!

  4. The only reason this exists is for tracking by kalpol · · Score: 4, Insightful

    For the same reason the ubiquitous Facebook and Google login integrations exist, the only purpose of this is to track what apps you're using and when, and do we really trust they won't also know what you're doing in them? If they have the authentication, they have everything.

    --
    12:50 - press return.
  5. Yeahhh.... by the_skywise · · Score: 4, Insightful

    I'm going to go ahead and... uh... disagree with you there...
    I'll stick with my password manager thankyouverymuch.
    I'm sure 5 years from now Amazon and Google will join forces to help me secure my house by "securely" storing my digitial keys to my house and only unlocking it with my phone making me oh-so-much more secure.

    1. Re:Yeahhh.... by Dragonslicer · · Score: 1

      I'm sure 5 years from now Amazon and Google will join forces to help me secure my house by "securely" storing my digitial keys to my house and only unlocking it with my phone making me oh-so-much more secure.

      I think you're vastly overestimating how secure a regular door lock is.

  6. US telecoms? by Anonymous Coward · · Score: 1

    US carriers are Nimitz, Dwight D. Eisenhower, Gerald R. Ford, etc.

    1. Re:US telecoms? by reboot246 · · Score: 2

      As crazy as it sounds, that's exactly what I thought the first time I read the headline.

  7. Oh hell no ... by Anonymous Coward · · Score: 2, Informative

    Essentially, your phone serves as the verification method with details that are hard to spoof

    Oh, hell no ... because somehow there is the assumption you should be trusting the assholes at a cell carrier.

    No, sorry, you don't get to be the gatekeeper for my authentication.

    Sorry, they're just trying to grab more control, and there is no way that should happen.

    With this, they could login to any account they want, because they pretty much have everything they need to.

    And, I'm sure they'd never do anything like access your account for marketing purposes ... nosiree.

    This is just a bit fat 'nope'.

    1. Re:Oh hell no ... by Cinnamon+Beige · · Score: 1

      Yeah, and it also means I can't log into my phone's apps elsewhere if I want to or need to--I have an Android phone, and I can (and do) have it overlapping with a tablet and will occasionally use an emulator as well. (Nox, if you're wondering.) And I've had phones die abruptly.

      So, basically, not only is it requiring you trust them with your login credentials, it's an inherently insecure and too-secure system all at once--somebody can both steal your phone to get access and you will be blocked from doing anything about it because your (physical) phone is required to log in. Usually you've got to work to screw up security this hard...

  8. benevolence by PopeRatzo · · Score: 4, Interesting

    Those helpful souls at AT&T, Sprint, T-Mobile, and Verizon don't want to see you bothered by those troublesome passwords any more, so now they'll take care of all that for you.

    Aren't they nice?

    --
    You are welcome on my lawn.
    1. Re: benevolence by OYAHHH · · Score: 1

      This is 100% true, but you don't compromise everyone else due to dolts who can't type correctly or remember a password.

      --
      Caution: Contents under pressure
    2. Re:benevolence by BlueStrat · · Score: 1

      Those helpful souls at AT&T, Sprint, T-Mobile, and Verizon don't want to see you bothered by those troublesome passwords any more, so now they'll take care of all that for you.

      Aren't they nice?

      What this is, is an attempt to assuage those in the government that are pushing for mandatory "backdoors". If they can convince a sufficient number of users to breach their own security voluntarily, they hope that will persuade the government not to enact mandatory access which would put those carriers in the middle between an authoritarian regime and an outraged populace. Of course, that this centralized authentication plan also would allow them to collect & sell even more customer data doesn't hurt, either.

      It would not surprise me to see a similar push for "authentication centralization" among Google, FB, Amazon, etc etc in the near future and for similar reasons.

      "Just say no."

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  9. Pretty sure this is for the government by TheCastro1689 · · Score: 1

    All that info can be spoofed with off the shelf equipment and a few kiddie scripts. I don't see this being the most secure thing. And if the phone can be unlocked by force (fingerprints) or otherwise then all those apps are unlocked as well. No thanks.

  10. Social Engineering by Luthair · · Score: 3, Insightful

    Haven't we already discovered that SMS was an insecure 2FA method because carrier customer service can trivially be convinced to switch someone's phone number to an arbitrary SIM. Wouldn't this attacker then be able to use their phone with Verify.

    1. Re:Social Engineering by Luthair · · Score: 1

      If the security works as advertised, it sounds like this particular solution is designed to prevent the exact kind of attack you're describing. Even if someone was able to convince the carrier to switch a phone number and SIM to effectively "clone" a phone, I would hope one of the other validation methods (phone account type, SIM card details, etc.) would prevent unauthorized use.

      I think you're missunderstanding - to me it sounds like they're claiming their application will verify the SIM in the phone vs the account, at which point the attacker is probably also using the cellular network for the attack so their IP address matches records too.

  11. Steal my phone, have access to all my apps by pgmrdlm · · Score: 1

    Isn't that what would happen if someone steals your phone with this type of authentication? Dumb as dirt question I am sure, but still want to know the answer.

    --
    Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
    1. Re:Steal my phone, have access to all my apps by CastrTroy · · Score: 1

      If you lock your phone, then nothing would happen because they don't have access to any of the data.Even with password based systems, if they get access to your phone, and your phone is unlocked, then they can read your email. If they can read your email, they can do a password reset on all you online accounts that have that feature.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  12. Ah, no by cascadingstylesheet · · Score: 1

    I'll keep using my inexpensive unlocked phone, and change it, and the carrier, whenever I like. Thanks all the same.

  13. SIM Locked? by Nkwe · · Score: 3, Interesting

    So when your SIM card changes do does it count as new identity and do you have to re-authorize applications to use the new identity? The summary lists "SIM card details" as a factor, but doesn't specify if the changing of a SIM invalidates exiting identity / registrations with applications. This is important because without it, you still have the issues of social engineering attacks where the attacker calls up the phone company and says "I have lost my phone, can you activate my replacement phone with this new SIM?", granting the attacker access to your email, text messages which also grants the attacker access to your second factor and password reset procedures.

    Setting aside the scary privacy and tracking implications of a common ID baked into the phone, if the identity is locked to the SIM, it would help alleviate the social engineering attacks and make your phone a viable second factor for security operations.

    1. Re:SIM Locked? by Cinnamon+Beige · · Score: 1

      SIM locked would have its own problems--what do you do when a SIM card dies a horrible death? Any solution here would be open to social engineering attacks, or not work very well since I doubt most people know (or wish to need to know) how to back up their SIM cards and even if that worked, that'd still not necessarily block people from just stealing a phone. It'd also likely mean that you'd be having to buy your phones straight from the carrier or one of the carrier's resellers.

    2. Re:SIM Locked? by Nkwe · · Score: 1

      I probably should not have used the term "SIM Locked" as its usual meaning is that there is a locked relationship between the SIM and the phone which requires carrier assistance to change. I was thinking about "locking" the relationship between the SIM and your federated or second factor identity. Meaning if your phone got a new SIM (or you got a new phone and SIM), that all the external applications / websites would no longer recognize the phone has an identity factor. In this case you would have to re-establish your identity with your applications (relying parties) via some external process. While this would be inconvenient, it would raise the social engineering bar from simply convincing the carrier that you were who you are trying to impersonate, to convincing the carrier *and* all of the applications. Of course social engineering is still a threat, but by "locking" the SIM to your common identity, you would not have all of your security eggs in one basket as we do now when using the phone / SMS as a single security factor.

    3. Re:SIM Locked? by Cinnamon+Beige · · Score: 1

      Think through what you just said from the perspective of having to quickly move all those security eggs to a new basket because your old phone, with its SIM card, has been stolen and you are needing to get everything onto your new phone and SIM card--or at least revoke the permissions from the old set, but that usually takes moving them onto the new if you want access ever again. That should get you to what I'm trying to point out: Any solution to the general issue of being able to recover from even merely having the SIM card die is likely to have issues with being too secure--and we're talking about a single security factor that is supposed to let you straight into the accounts, so you need to be able to revoke permissions fast if it gets stolen & if it's your sole means of access you are likely to be up a certain infamous creek without a paddle.

      There is such a thing as too secure. It's probably quite safe to say that a permanently and completely bricked system is very secure--and that this is about the only nice thing to be said for it.

  14. Obligatory XKCD by elrous0 · · Score: 2

    https://xkcd.com/927/

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  15. US Carriers?? by maroberts · · Score: 2

    I was expecting a list like Nimitz, Eisenhower, Vinson, Roosevelt, Washinton, Stennis, Ford, Truman, Reagan, Bush....

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

    1. Re:US Carriers?? by phantomfive · · Score: 1

      More appropriately, Enterprise because this plan is grounded.

      --
      "First they came for the slanderers and i said nothing."
  16. I was on a carrier ... by CaptainDork · · Score: 2

    ... and we had no use for this.

    The Navy band was great, though.

    --
    It little behooves the best of us to comment on the rest of us.
  17. This is wrong by sjgman9 · · Score: 1

    Just use 1password everywhere. I've used it since 2010 and it works beautifully on phones

    1. Re:This is wrong by nitehawk214 · · Score: 2

      Why not use hunter2?

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
  18. This is the FBI/NSA/CIA/TSA backdoor they wanted.. by Anonymous Coward · · Score: 1

    'Nuff said.

    Will never be used by me, and forcibly removed from any device I use, if it cannot be removed, the device will be destroyed.

    Hah - captcha karma does exist "protests"

  19. Re:Hurricane hitting by nitehawk214 · · Score: 1

    I am sure it will be handled just as well as Puerto Rico.

    Oh, wait, they are Americans.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  20. Law enforcment will love this ... by fahrbot-bot · · Score: 2

    Access to your phone grants access to all your accounts. Just great.

    --
    It must have been something you assimilated. . . .
    1. Re:Law enforcment will love this ... by Anonymous Coward · · Score: 1

      Access to your phone grants access to all your accounts. Just great.

      They don't need your phone, they can just go straight to the carriers who would now have everything required to sign you into everything, and demand that.

      They could do all of this without you ever knowing it has happened.

      This would literally put the entirety of your authentication into someone else's hands, and they'd roll over in a heartbeat if asked for it.

      And don't forget all of the people who work for these companies could also gain access to your accounts.

      The number of ways in which this represents terrible security are hard to convey .. but having a consortium of phone carriers having full control of users to arbitrary websites would be an incredibly stupid idea.

      People who signed up for this would likely not be savvy enough to understand that they've now essentially given all of their passwords to a 3rd party.

  21. Re: As long as it is not mandatory... by mcrbids · · Score: 1

    If be very curious about your evidence to support the conclusion that the left is trying to filter your communication.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  22. No Thanks by organgtool · · Score: 2

    These clowns can't even figure out how to use a three-way handshake to verify Caller ID and we're supposed to trust them with authentication that supplants passwords?

  23. All your eggs in one basket? by p51d007 · · Score: 1

    Maybe I'm missing something, but if one gets hacked?

  24. Can't use apps while traveling by locketine · · Score: 1

    I buy prepaid SIM cards when I travel as it's a lot cheaper than buying an international travel plan/allowance from an American carrier. With this system in place I wouldn't be able to access any of my apps or accounts.

    I'm pretty sure the execs are rubbing their greedy hands together with sly smiles expecting us all to get even more locked into our overpriced American mobile service plans, which will become more expensive once this identification mechanism achieves general acceptance.

    --
    Think globally but act within local variable scope.