US Carriers Introduce Project Verify To Replace Individual App Passwords (theverge.com) 92
Four major US carriers -- AT&T, Sprint, T-Mobile, and Verizon -- are joining forces to launch a single sign-on service for smartphones. From a report: The service, called Project Verify, authenticates app logins so that users don't need to memorize passwords for all their apps. The companies say their solution verifies users through their phone number, phone account type, SIM card details, IP address, and account tenure. Essentially, your phone serves as the verification method with details that are hard to spoof. Users have to manually grant apps permission to use Verify, and it works similarly to how you might log into some services through Gmail or Facebook instead of using a unique account password. Of course, these apps also have to choose to work with Verify, and the program hasn't listed any partners or when it intends to launch. The service can serve as your two-factor authentication method, too, instead of an emailed or texted code that can be intercepted. Users might not be totally safe if their phone is stolen. The Verify program automatically logs users in, so long as they have access to their phone's home screen and apps. More details on Krebs on Security blog.
Wrong (Score:5, Insightful)
All those are identification, not authorization. They can replace username only. The same as biometrics. Not only they do not verify and intent, they do not allow for distinguishing if the user is real. If I get your phone, I am you...
Moronic.
You can't substitute a machine identity for the user identity. These are two complete distinct identities.
Re: (Score:2)
Even password systems are vulnerable to this. If I get your phone, I have access to your email. If I have access to your email, I can reset your password. Your email basically a master key to all your online accounts.
Re: Wrong (Score:1)
I have one email address for accounts of various kinds. I have another email address for actual correspondance.
Want to guess which email address my phoneâ(TM)s mail app is configured to use?
Re: (Score:2)
There isn't any way to insure that a User is really the real user. Even if it is a person to person validation, they are ways to fool the system.
You seem to be stuck in semantics. Most security problems happen when someone impersonates someone else. They know their login and password, or could guess it in a reasonable amount of time. Now with these additional form of identification such as biometrics, personal key, or unique phone id. Really turns the tide to getting people to impersonate your connection
Re: (Score:2)
I am sure it will be handled just as well as Puerto Rico.
Oh, wait, they are Americans.
I trust US Mobile Carriers as far as I can spit (Score:4, Informative)
The moment US mobile carriers are able to positively identify individuals by their mobile devices is the moment they resell user data to advertising affiliates.
Re: (Score:2)
They're starting out by giving it to retailers. Excerpts from Krebs's article, quoting the general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T. Emphasis mine.
“We can be a primary authenticator where, just by authenticating to our app, you can then use that service,” [Johannes Jaskolski] said. “That can be on your mobile, but it could also be on another device. With subscriber consent, we can populate that information and make it much more effortless to sign up for or sign into services online. In other markets, we have found this type of approach reduced [customer] fall-out rates, so it can make third-party businesses more successful in capturing [lots of data via a mobile device].”
Jaskolski said the coalition is hoping to kick off the program next year in collaboration with some major online e-commerce platforms that have expressed interest in the initiative, although he declined to talk specifics on that front. He added that the mobile providers are currently working through exactly what those defaults might look like, but also acknowledged that some of those platforms have expressed an interest in forcing users to opt-out of sharing specific subscriber data elements.
Definitely no kickbacks from these retailers, no siree.
Re: (Score:2)
Re: (Score:2)
Yes, especially Verizon is about the worst possible company you would ever want to trust on this.
As long as it is not mandatory... (Score:1)
So long as the usage of this is not mandated by the government — neither directly nor indirectly, such as, for example: "must sign up to get unemployment benefits" — it is Ok. May be a good thing even.
Re: As long as it is not mandatory... (Score:2)
If be very curious about your evidence to support the conclusion that the left is trying to filter your communication.
NSA Approved! (Score:2)
Encryption.....sure.....go ahead!
The only reason this exists is for tracking (Score:5, Insightful)
Yeahhh.... (Score:5, Insightful)
I'll stick with my password manager thankyouverymuch.
I'm sure 5 years from now Amazon and Google will join forces to help me secure my house by "securely" storing my digitial keys to my house and only unlocking it with my phone making me oh-so-much more secure.
Re: (Score:2)
I'm sure 5 years from now Amazon and Google will join forces to help me secure my house by "securely" storing my digitial keys to my house and only unlocking it with my phone making me oh-so-much more secure.
I think you're vastly overestimating how secure a regular door lock is.
US telecoms? (Score:1)
US carriers are Nimitz, Dwight D. Eisenhower, Gerald R. Ford, etc.
Re: (Score:3)
Oh hell no ... (Score:2, Informative)
Oh, hell no ... because somehow there is the assumption you should be trusting the assholes at a cell carrier.
No, sorry, you don't get to be the gatekeeper for my authentication.
Sorry, they're just trying to grab more control, and there is no way that should happen.
With this, they could login to any account they want, because they pretty much have everything they need to.
And, I'm sure they'd never do anything like a
Re: (Score:2)
Yeah, and it also means I can't log into my phone's apps elsewhere if I want to or need to--I have an Android phone, and I can (and do) have it overlapping with a tablet and will occasionally use an emulator as well. (Nox, if you're wondering.) And I've had phones die abruptly.
So, basically, not only is it requiring you trust them with your login credentials, it's an inherently insecure and too-secure system all at once--somebody can both steal your phone to get access and you will be blocked from doing a
benevolence (Score:5, Interesting)
Those helpful souls at AT&T, Sprint, T-Mobile, and Verizon don't want to see you bothered by those troublesome passwords any more, so now they'll take care of all that for you.
Aren't they nice?
Re: (Score:2)
This is 100% true, but you don't compromise everyone else due to dolts who can't type correctly or remember a password.
Re: (Score:2)
Those helpful souls at AT&T, Sprint, T-Mobile, and Verizon don't want to see you bothered by those troublesome passwords any more, so now they'll take care of all that for you.
Aren't they nice?
What this is, is an attempt to assuage those in the government that are pushing for mandatory "backdoors". If they can convince a sufficient number of users to breach their own security voluntarily, they hope that will persuade the government not to enact mandatory access which would put those carriers in the middle between an authoritarian regime and an outraged populace. Of course, that this centralized authentication plan also would allow them to collect & sell even more customer data doesn't hurt, e
Pretty sure this is for the government (Score:2)
All that info can be spoofed with off the shelf equipment and a few kiddie scripts. I don't see this being the most secure thing. And if the phone can be unlocked by force (fingerprints) or otherwise then all those apps are unlocked as well. No thanks.
Social Engineering (Score:4, Insightful)
Re: (Score:2)
If the security works as advertised, it sounds like this particular solution is designed to prevent the exact kind of attack you're describing. Even if someone was able to convince the carrier to switch a phone number and SIM to effectively "clone" a phone, I would hope one of the other validation methods (phone account type, SIM card details, etc.) would prevent unauthorized use.
I think you're missunderstanding - to me it sounds like they're claiming their application will verify the SIM in the phone vs the account, at which point the attacker is probably also using the cellular network for the attack so their IP address matches records too.
Steal my phone, have access to all my apps (Score:1)
Re: (Score:2)
If you lock your phone, then nothing would happen because they don't have access to any of the data.Even with password based systems, if they get access to your phone, and your phone is unlocked, then they can read your email. If they can read your email, they can do a password reset on all you online accounts that have that feature.
Ah, no (Score:2)
SIM Locked? (Score:4, Interesting)
Setting aside the scary privacy and tracking implications of a common ID baked into the phone, if the identity is locked to the SIM, it would help alleviate the social engineering attacks and make your phone a viable second factor for security operations.
Re: (Score:2)
SIM locked would have its own problems--what do you do when a SIM card dies a horrible death? Any solution here would be open to social engineering attacks, or not work very well since I doubt most people know (or wish to need to know) how to back up their SIM cards and even if that worked, that'd still not necessarily block people from just stealing a phone. It'd also likely mean that you'd be having to buy your phones straight from the carrier or one of the carrier's resellers.
Re: (Score:2)
Re: (Score:2)
Think through what you just said from the perspective of having to quickly move all those security eggs to a new basket because your old phone, with its SIM card, has been stolen and you are needing to get everything onto your new phone and SIM card--or at least revoke the permissions from the old set, but that usually takes moving them onto the new if you want access ever again. That should get you to what I'm trying to point out: Any solution to the general issue of being able to recover from even merely
Obligatory XKCD (Score:3)
https://xkcd.com/927/ [xkcd.com]
US Carriers?? (Score:2)
I was expecting a list like Nimitz, Eisenhower, Vinson, Roosevelt, Washinton, Stennis, Ford, Truman, Reagan, Bush....
Re: (Score:2)
I was on a carrier ... (Score:3)
... and we had no use for this.
The Navy band was great, though.
This is wrong (Score:2)
Just use 1password everywhere. I've used it since 2010 and it works beautifully on phones
Re: (Score:3)
Why not use hunter2?
This is the FBI/NSA/CIA/TSA backdoor they wanted.. (Score:1)
'Nuff said.
Will never be used by me, and forcibly removed from any device I use, if it cannot be removed, the device will be destroyed.
Hah - captcha karma does exist "protests"
Law enforcment will love this ... (Score:3)
Re: (Score:1)
They don't need your phone, they can just go straight to the carriers who would now have everything required to sign you into everything, and demand that.
They could do all of this without you ever knowing it has happened.
This would literally put the entirety of your authentication into someone else's hands, and they'd roll over in a heartbeat if asked for it.
And don't forget all of the people who work for these companies could also gain acc
No Thanks (Score:3)
All your eggs in one basket? (Score:1)
Can't use apps while traveling (Score:1)
I buy prepaid SIM cards when I travel as it's a lot cheaper than buying an international travel plan/allowance from an American carrier. With this system in place I wouldn't be able to access any of my apps or accounts.
I'm pretty sure the execs are rubbing their greedy hands together with sly smiles expecting us all to get even more locked into our overpriced American mobile service plans, which will become more expensive once this identification mechanism achieves general acceptance.