Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Communications Security United States

US Carriers Introduce Project Verify To Replace Individual App Passwords (theverge.com) 92

Four major US carriers -- AT&T, Sprint, T-Mobile, and Verizon -- are joining forces to launch a single sign-on service for smartphones. From a report: The service, called Project Verify, authenticates app logins so that users don't need to memorize passwords for all their apps. The companies say their solution verifies users through their phone number, phone account type, SIM card details, IP address, and account tenure. Essentially, your phone serves as the verification method with details that are hard to spoof. Users have to manually grant apps permission to use Verify, and it works similarly to how you might log into some services through Gmail or Facebook instead of using a unique account password. Of course, these apps also have to choose to work with Verify, and the program hasn't listed any partners or when it intends to launch. The service can serve as your two-factor authentication method, too, instead of an emailed or texted code that can be intercepted. Users might not be totally safe if their phone is stolen. The Verify program automatically logs users in, so long as they have access to their phone's home screen and apps. More details on Krebs on Security blog.
This discussion has been archived. No new comments can be posted.

US Carriers Introduce Project Verify To Replace Individual App Passwords

Comments Filter:
  • Wrong (Score:5, Insightful)

    by Anonymous Coward on Thursday September 13, 2018 @11:11AM (#57306694)

    All those are identification, not authorization. They can replace username only. The same as biometrics. Not only they do not verify and intent, they do not allow for distinguishing if the user is real. If I get your phone, I am you...
    Moronic.
    You can't substitute a machine identity for the user identity. These are two complete distinct identities.

    • Even password systems are vulnerable to this. If I get your phone, I have access to your email. If I have access to your email, I can reset your password. Your email basically a master key to all your online accounts.

      • by Anonymous Coward

        I have one email address for accounts of various kinds. I have another email address for actual correspondance.

        Want to guess which email address my phoneâ(TM)s mail app is configured to use?

    • There isn't any way to insure that a User is really the real user. Even if it is a person to person validation, they are ways to fool the system.
      You seem to be stuck in semantics. Most security problems happen when someone impersonates someone else. They know their login and password, or could guess it in a reasonable amount of time. Now with these additional form of identification such as biometrics, personal key, or unique phone id. Really turns the tide to getting people to impersonate your connection

  • by MisterSquid ( 231834 ) on Thursday September 13, 2018 @11:12AM (#57306712)

    The moment US mobile carriers are able to positively identify individuals by their mobile devices is the moment they resell user data to advertising affiliates.

    • by q4Fry ( 1322209 )

      They're starting out by giving it to retailers. Excerpts from Krebs's article, quoting the general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T. Emphasis mine.

      “We can be a primary authenticator where, just by authenticating to our app, you can then use that service,” [Johannes Jaskolski] said. “That can be on your mobile, but it could also be on another device. With subscriber consent, we can populate that information and make it much more effortless to sign up for or sign into services online. In other markets, we have found this type of approach reduced [customer] fall-out rates, so it can make third-party businesses more successful in capturing [lots of data via a mobile device].”

      Jaskolski said the coalition is hoping to kick off the program next year in collaboration with some major online e-commerce platforms that have expressed interest in the initiative, although he declined to talk specifics on that front. He added that the mobile providers are currently working through exactly what those defaults might look like, but also acknowledged that some of those platforms have expressed an interest in forcing users to opt-out of sharing specific subscriber data elements.

      Definitely no kickbacks from these retailers, no siree.

      • It looks like it's just third-party authentication, similar to how many sites, including Slashdot, allow authentication using a Google or Facebook account. So in theory, the general idea isn't any less secure than other third-party authenticators, but it's going to depend a lot on the technical details.
    • Yes, especially Verizon is about the worst possible company you would ever want to trust on this.

  • So long as the usage of this is not mandated by the government — neither directly nor indirectly, such as, for example: "must sign up to get unemployment benefits" — it is Ok. May be a good thing even.

  • Encryption.....sure.....go ahead!

  • by kalpol ( 714519 ) on Thursday September 13, 2018 @11:18AM (#57306798)
    For the same reason the ubiquitous Facebook and Google login integrations exist, the only purpose of this is to track what apps you're using and when, and do we really trust they won't also know what you're doing in them? If they have the authentication, they have everything.
  • Yeahhh.... (Score:5, Insightful)

    by the_skywise ( 189793 ) on Thursday September 13, 2018 @11:19AM (#57306816)
    I'm going to go ahead and... uh... disagree with you there...
    I'll stick with my password manager thankyouverymuch.
    I'm sure 5 years from now Amazon and Google will join forces to help me secure my house by "securely" storing my digitial keys to my house and only unlocking it with my phone making me oh-so-much more secure.
    • I'm sure 5 years from now Amazon and Google will join forces to help me secure my house by "securely" storing my digitial keys to my house and only unlocking it with my phone making me oh-so-much more secure.

      I think you're vastly overestimating how secure a regular door lock is.

  • by Anonymous Coward

    US carriers are Nimitz, Dwight D. Eisenhower, Gerald R. Ford, etc.

  • Oh hell no ... (Score:2, Informative)

    by Anonymous Coward

    Essentially, your phone serves as the verification method with details that are hard to spoof

    Oh, hell no ... because somehow there is the assumption you should be trusting the assholes at a cell carrier.

    No, sorry, you don't get to be the gatekeeper for my authentication.

    Sorry, they're just trying to grab more control, and there is no way that should happen.

    With this, they could login to any account they want, because they pretty much have everything they need to.

    And, I'm sure they'd never do anything like a

    • Yeah, and it also means I can't log into my phone's apps elsewhere if I want to or need to--I have an Android phone, and I can (and do) have it overlapping with a tablet and will occasionally use an emulator as well. (Nox, if you're wondering.) And I've had phones die abruptly.

      So, basically, not only is it requiring you trust them with your login credentials, it's an inherently insecure and too-secure system all at once--somebody can both steal your phone to get access and you will be blocked from doing a

  • benevolence (Score:5, Interesting)

    by PopeRatzo ( 965947 ) on Thursday September 13, 2018 @11:21AM (#57306844) Journal

    Those helpful souls at AT&T, Sprint, T-Mobile, and Verizon don't want to see you bothered by those troublesome passwords any more, so now they'll take care of all that for you.

    Aren't they nice?

    • Those helpful souls at AT&T, Sprint, T-Mobile, and Verizon don't want to see you bothered by those troublesome passwords any more, so now they'll take care of all that for you.

      Aren't they nice?

      What this is, is an attempt to assuage those in the government that are pushing for mandatory "backdoors". If they can convince a sufficient number of users to breach their own security voluntarily, they hope that will persuade the government not to enact mandatory access which would put those carriers in the middle between an authoritarian regime and an outraged populace. Of course, that this centralized authentication plan also would allow them to collect & sell even more customer data doesn't hurt, e

  • All that info can be spoofed with off the shelf equipment and a few kiddie scripts. I don't see this being the most secure thing. And if the phone can be unlocked by force (fingerprints) or otherwise then all those apps are unlocked as well. No thanks.

  • Social Engineering (Score:4, Insightful)

    by Luthair ( 847766 ) on Thursday September 13, 2018 @11:23AM (#57306878)
    Haven't we already discovered that SMS was an insecure 2FA method because carrier customer service can trivially be convinced to switch someone's phone number to an arbitrary SIM. Wouldn't this attacker then be able to use their phone with Verify.
  • Isn't that what would happen if someone steals your phone with this type of authentication? Dumb as dirt question I am sure, but still want to know the answer.
    • If you lock your phone, then nothing would happen because they don't have access to any of the data.Even with password based systems, if they get access to your phone, and your phone is unlocked, then they can read your email. If they can read your email, they can do a password reset on all you online accounts that have that feature.

  • I'll keep using my inexpensive unlocked phone, and change it, and the carrier, whenever I like. Thanks all the same.
  • SIM Locked? (Score:4, Interesting)

    by Nkwe ( 604125 ) on Thursday September 13, 2018 @11:29AM (#57306950)
    So when your SIM card changes do does it count as new identity and do you have to re-authorize applications to use the new identity? The summary lists "SIM card details" as a factor, but doesn't specify if the changing of a SIM invalidates exiting identity / registrations with applications. This is important because without it, you still have the issues of social engineering attacks where the attacker calls up the phone company and says "I have lost my phone, can you activate my replacement phone with this new SIM?", granting the attacker access to your email, text messages which also grants the attacker access to your second factor and password reset procedures.

    Setting aside the scary privacy and tracking implications of a common ID baked into the phone, if the identity is locked to the SIM, it would help alleviate the social engineering attacks and make your phone a viable second factor for security operations.
    • SIM locked would have its own problems--what do you do when a SIM card dies a horrible death? Any solution here would be open to social engineering attacks, or not work very well since I doubt most people know (or wish to need to know) how to back up their SIM cards and even if that worked, that'd still not necessarily block people from just stealing a phone. It'd also likely mean that you'd be having to buy your phones straight from the carrier or one of the carrier's resellers.

      • by Nkwe ( 604125 )
        I probably should not have used the term "SIM Locked" as its usual meaning is that there is a locked relationship between the SIM and the phone which requires carrier assistance to change. I was thinking about "locking" the relationship between the SIM and your federated or second factor identity. Meaning if your phone got a new SIM (or you got a new phone and SIM), that all the external applications / websites would no longer recognize the phone has an identity factor. In this case you would have to re-est
        • Think through what you just said from the perspective of having to quickly move all those security eggs to a new basket because your old phone, with its SIM card, has been stolen and you are needing to get everything onto your new phone and SIM card--or at least revoke the permissions from the old set, but that usually takes moving them onto the new if you want access ever again. That should get you to what I'm trying to point out: Any solution to the general issue of being able to recover from even merely

  • by elrous0 ( 869638 ) on Thursday September 13, 2018 @11:50AM (#57307178)
  • I was expecting a list like Nimitz, Eisenhower, Vinson, Roosevelt, Washinton, Stennis, Ford, Truman, Reagan, Bush....

  • by CaptainDork ( 3678879 ) on Thursday September 13, 2018 @12:16PM (#57307460)

    ... and we had no use for this.

    The Navy band was great, though.

  • Just use 1password everywhere. I've used it since 2010 and it works beautifully on phones

  • 'Nuff said.

    Will never be used by me, and forcibly removed from any device I use, if it cannot be removed, the device will be destroyed.

    Hah - captcha karma does exist "protests"

  • by fahrbot-bot ( 874524 ) on Thursday September 13, 2018 @01:43PM (#57308350)
    Access to your phone grants access to all your accounts. Just great.
    • by Anonymous Coward

      Access to your phone grants access to all your accounts. Just great.

      They don't need your phone, they can just go straight to the carriers who would now have everything required to sign you into everything, and demand that.

      They could do all of this without you ever knowing it has happened.

      This would literally put the entirety of your authentication into someone else's hands, and they'd roll over in a heartbeat if asked for it.

      And don't forget all of the people who work for these companies could also gain acc

  • by organgtool ( 966989 ) on Thursday September 13, 2018 @03:50PM (#57309352)
    These clowns can't even figure out how to use a three-way handshake to verify Caller ID and we're supposed to trust them with authentication that supplants passwords?
  • Maybe I'm missing something, but if one gets hacked?
  • I buy prepaid SIM cards when I travel as it's a lot cheaper than buying an international travel plan/allowance from an American carrier. With this system in place I wouldn't be able to access any of my apps or accounts.

    I'm pretty sure the execs are rubbing their greedy hands together with sly smiles expecting us all to get even more locked into our overpriced American mobile service plans, which will become more expensive once this identification mechanism achieves general acceptance.

Don't get suckered in by the comments -- they can be terribly misleading. Debug only code. -- Dave Storer

Working...