Slashdot Mirror


US Carriers Introduce Project Verify To Replace Individual App Passwords (theverge.com)

Four major US carriers -- AT&T, Sprint, T-Mobile, and Verizon -- are joining forces to launch a single sign-on service for smartphones. From a report: The service, called Project Verify, authenticates app logins so that users don't need to memorize passwords for all their apps. The companies say their solution verifies users through their phone number, phone account type, SIM card details, IP address, and account tenure. Essentially, your phone serves as the verification method with details that are hard to spoof. Users have to manually grant apps permission to use Verify, and it works similarly to how you might log into some services through Gmail or Facebook instead of using a unique account password. Of course, these apps also have to choose to work with Verify, and the program hasn't listed any partners or when it intends to launch. The service can serve as your two-factor authentication method, too, instead of an emailed or texted code that can be intercepted. Users might not be totally safe if their phone is stolen. The Verify program automatically logs users in, so long as they have access to their phone's home screen and apps. More details are on the Krebs on Security blog.

15 of 92 comments

  1. Wrong by Anonymous Coward · · Score: 5, Insightful

    All those are identification, not authorization. They can replace username only. The same as biometrics. Not only do they not verify an intent, they do not allow for distinguishing if the user is real. If I get your phone, I am you...
    Moronic.
    You can't substitute a machine identity for the user identity. These are two completely distinct identities.

  2. I trust US Mobile Carriers as far as I can spit by MisterSquid · · Score: 3, Informative

    The moment US mobile carriers are able to positively identify individuals by their mobile devices is the moment they resell user data to advertising affiliates.

    --
    blog
  3. The only reason this exists is for tracking by kalpol · · Score: 4, Insightful

    For the same reason the ubiquitous Facebook and Google login integrations exist, the only purpose of this is to track what apps you're using and when, and do we really trust they won't also know what you're doing in them? If they have the authentication, they have everything.

    --
    12:50 - press return.
  4. Yeahhh.... by the_skywise · · Score: 4, Insightful

    I'm going to go ahead and... uh... disagree with you there...
    I'll stick with my password manager thankyouverymuch.
    I'm sure 5 years from now Amazon and Google will join forces to help me secure my house by "securely" storing my digital keys to my house and only unlocking it with my phone making me oh-so-much more secure.

  5. Oh hell no ... by Anonymous Coward · · Score: 2, Informative

    Essentially, your phone serves as the verification method with details that are hard to spoof

    Oh, hell no ... because somehow there is the assumption you should be trusting the assholes at a cell carrier.

    No, sorry, you don't get to be the gatekeeper for my authentication.

    Sorry, they're just trying to grab more control, and there is no way that should happen.

    With this, they could log in to any account they want, because they pretty much have everything they need to.

    And, I'm sure they'd never do anything like access your account for marketing purposes ... nosiree.

    This is just a big fat 'nope'.

  6. benevolence by PopeRatzo · · Score: 4, Interesting

    Those helpful souls at AT&T, Sprint, T-Mobile, and Verizon don't want to see you bothered by those troublesome passwords any more, so now they'll take care of all that for you.

    Aren't they nice?

    --
    You are welcome on my lawn.
  7. Social Engineering by Luthair · · Score: 3, Insightful

    Haven't we already discovered that SMS was an insecure 2FA method because carrier customer service can trivially be convinced to switch someone's phone number to an arbitrary SIM? Wouldn't this attacker then be able to use their phone with Verify?

  8. SIM Locked? by Nkwe · · Score: 3, Interesting

    So when your SIM card changes, does it count as a new identity and do you have to re-authorize applications to use the new identity? The summary lists "SIM card details" as a factor, but doesn't specify if the changing of a SIM invalidates existing identity / registrations with applications. This is important because without it, you still have the issues of social engineering attacks where the attacker calls up the phone company and says "I have lost my phone, can you activate my replacement phone with this new SIM?", granting the attacker access to your email, text messages which also grants the attacker access to your second factor and password reset procedures.

    Setting aside the scary privacy and tracking implications of a common ID baked into the phone, if the identity is locked to the SIM, it would help alleviate the social engineering attacks and make your phone a viable second factor for security operations.

  9. Obligatory XKCD by elrous0 · · Score: 2
    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  10. US Carriers?? by maroberts · · Score: 2

    I was expecting a list like Nimitz, Eisenhower, Vinson, Roosevelt, Washington, Stennis, Ford, Truman, Reagan, Bush....

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  11. I was on a carrier ... by CaptainDork · · Score: 2

    ... and we had no use for this.

    The Navy band was great, though.

    --
    It little behooves the best of us to comment on the rest of us.
  12. Re:US telecoms? by reboot246 · · Score: 2

    As crazy as it sounds, that's exactly what I thought the first time I read the headline.

  13. Re:This is wrong by nitehawk214 · · Score: 2

    Why not use hunter2?

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  14. Law enforcement will love this ... by fahrbot-bot · · Score: 2

    Access to your phone grants access to all your accounts. Just great.

    --
    It must have been something you assimilated. . . .
  15. No Thanks by organgtool · · Score: 2

    These clowns can't even figure out how to use a three-way handshake to verify Caller ID and we're supposed to trust them with authentication that supplants passwords?