Major US mobile carriers want to be your password

If password-only security is reaching its end of days, what will replace it?
For years, many have assumed that some form of new authentication must be the answer without being able to agree on which.
Now an alliance of big US mobile carriers – Verizon, AT&T, Sprint, and T-Mobile – has added a new possibility to the mix under the banner of Project Verify.
Using Project Verify, users will access a supported website simply by clicking on a special icon which will verify them by communicating with a mobile app on their device.
The impressive bit is that’s it – no passwords, no usernames, no special codes – just one click on an icon. Alternatively, users will still enter passwords but use Project Verify as a second factor for two-factor authentication.
The eagle-eyed will have spotted that this sounds a bit like the push verification technology already offered by Google through its codeless Prompt system for Android and iOS.
Under that scheme, when users log in to Google they are sent a message via a mobile app asking them to confirm their action from the registered device.
Of course, unlike Prompt, Project Verify is intended for any website but it also works a bit differently below the surface.
According to early reports, the app carries out authentication by looking at the user’s IP address, physical location (from GPS and perhaps Wi-Fi data), the unique device IMEI, and of course, information from the SIM card such as the telephone number and its unique international mobile subscriber identity (IMSI) number.
This is clever because it turns the smartphone and how it is being used at that moment into a sort of hardware token that would be extremely difficult to spoof.
Project Verify’s USP is that only mobile networks can do this because only they can verify that the SIM chip inside the smartphone is the correct one.

Authentication overdose

A confusing issue with authentication is that there’s already a lot of it around, so how does Project Verify compare?
One alternative – authentication codes sent to users via SMS – is already considered obsolete because it can be defeated by SIM swap attacks. In theory, Project Verify isn’t vulnerable to SIM swaps because changing the registered SIM would immediately show up as a verification change.
A better comparison might be with the W3C’s WebAuthn, which will be integrated inside browsers using an API through which users will authenticate using a range of options, including encryption keys held in its integrated Trusted Platform Module (TPM), a biometric identifier such as a face or fingerprint, or by presenting a physical token such as a YubiKey.
This sounds more involved than Project Verify but as an open standard it might be easier to implement as a universal authentication system.
For both, it’s still early days – Project Verify is barely in the pilot phase yet while WebAuthn is still ironing out reported weaknesses in its underlying cryptographic algorithms.
A possible issue with Project Verify is that it puts authentication in the hands of individual carriers (who reportedly won’t share that with each other). Although this is not that dissimilar to how users can already log in to some sites using their Google or Facebook IDs, it raises a question of trust.
One possible weakness is the process for onboarding users, or when they change handsets or SIMs, typically done in-store or by call centres. Criminals will surely target this link in the chain, which is why Project Verify prospects will require this layer of checking to be tightened up.