Let My Phone Company Be My Online Identity – Are You Kidding?
The four largest mobile phone carriers recently announced a plan to eliminate passwords, login IDs, captchas, text-messaged codes and other secondary authentication factors. Instead, visitors to a web site would be authenticated by an encrypted string of data drawn from the visitor’s phone, carrier account, and other sources known to his phone company. Read on to understand what this “Project Verify” is all about, and what I think it means to all of us. There’s a hint in this article’s headline...
The End of Passwords - Hooray?
In theory, it sounds great. No more remembering logins, managing passwords, and dealing with the hassles of captcha or two-factor authentication. How many times do I have to prove that I'm not a robot? Why does my password have to be 10 digits long, with a combination of capital letters, numbers, and a hieroglyphic symbol?
Project Verify would be the answer to many a frustrated Internet user’s dreams. It would eliminate tedious typing of personal data on tiny virtual keyboards to create a new account on a site, with many a re-do when mistakes are made. It would make logging in to existing accounts as easy as visiting the home page of a site; your phone would handle sign-ins invisibly and instantly. And yes, provision is made for desktop PC users as well. Sounds like something we should all welcome with open arms, doesn’t it?
“If you should see someone approaching you with the obvious intention of doing you good you should run for your life,” Henry David Thoreau certainly never wrote as the Internet claims he did. But in this case, he would have been right if he did.
The Mobile Authentication Task Force, which consists of AT&T, T-Mobile, Verizon, and Sprint, put together a short animation that shows all the good things their Project Verify offers. The details get a bit geeky, but here they are:
Public-private key encryption, similar to Pretty Good Privacy, is at the heart of the scheme. You and your carrier will each have a pair of encryption keys, one public to be shared with the other and one private to be kept to yourself (or itself, in the carrier’s case). These keys are unique to each user’s account. That is, the carrier has its private key for each customer and each customer has the public key of his carrier. Both keys are needed to decrypt a message encrypted with the same keys.
Each time a customer visits a site, the carrier generates a very long string of random characters, called a “nonce” in cryptographic circles, which is unique to each customer at that point in time. The nonce’s characters are based upon many sets of user data: name, address, phone number, device ID, approximate location (Are your eyebrows rising?), and even billing status such as “current,” “past due” or “delinquent.” Some of these datasets are known and accessible only by the carrier, such as the cryptographic key to a SIM card. Given the vast amount of data that large corporations can acquire about everyone, the length of a nonce is more than enough for its intended purpose.
That purpose is to provide a subset of a nonce that is used to generate a unique encrypted key for each site a user visits, every time he visits. Each nonce-derived encrypted key is effectively a user’s password to a site, and can include much more.
The Key to Everything
The key can include all the data that a site needs to know about a user in order to provide its services to that user, from screen resolution to billing info, shipping and billing addresses, etc. It can also include optional data that a user may or may not choose to provide to a site, such as current location, favorite color, birthday, gender, income bracket, credit card number, etc., etc.
So now your carrier can send your authentication credentials and everything a site needs to know about you to the site the instant you visit the site, at your click or tap of a digital button. If you check the “remember me” box you will never have to click or tap that button at that site again; you will be logged in automatically when you open the site, and it will “know” you.
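To make the per-site, per-visit credential described above concrete, here is an added example that models it with standard-library HMAC: a carrier root secret derives one key per relying site, each visit carries a fresh nonce, the user picks which profile datasets ride along, and a site can verify only credentials minted for it. This is illustrative code written for this page, not Project Verify's protocol or any carrier's implementation; the class names, field names, the HKDF-style derivation and the sample subscriber profile are all assumptions. What it shows is the double edge of the design: site A's credential is useless at site B and cannot be replayed, yet everything hangs off the single root secret held by the carrier.

```python
"""
Model of a carrier-issued, per-site, per-visit credential.
Added example: not Project Verify's protocol or any carrier's code.
Names, derivation scheme and sample data are assumptions.
"""
import hashlib
import hmac
import json
import os

HASH = hashlib.sha256


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) on HMAC-SHA256, standard library only."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


class Carrier:
    """Holds the root secret every site key and every credential derives from."""

    def __init__(self, root_secret: bytes):
        self.root = root_secret
        self.accounts = {}  # subscriber_id -> profile dict (constructed sample data)

    def site_key(self, site_id: str) -> bytes:
        # One key per relying site, handed to that site when it enrolls (assumed).
        return hkdf(self.root, b"site-key", site_id.encode())

    def issue(self, subscriber_id: str, site_id: str, share: list, nonce: bytes) -> dict:
        """Mint the credential for one visit, carrying only the chosen profile fields."""
        profile = self.accounts[subscriber_id]
        key = self.site_key(site_id)
        # Per-site pseudonym: two sites see different identifiers for the same person.
        pseudonym = hmac.new(key, b"pseudonym|" + subscriber_id.encode(), HASH).hexdigest()[:16]
        payload = {
            "site": site_id,
            "sub": pseudonym,
            "nonce": nonce.hex(),
            "attrs": {k: profile[k] for k in share},
        }
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        tag = hmac.new(key, body.encode(), HASH).hexdigest()
        return {"body": body, "tag": tag}


class Site:
    """A relying web site: knows only its own key and remembers nonces it accepted."""

    def __init__(self, site_id: str, key: bytes):
        self.site_id = site_id
        self.key = key
        self.seen_nonces = set()

    def verify(self, cred: dict):
        """Return the accepted payload, or None for a foreign, tampered or replayed credential."""
        expected = hmac.new(self.key, cred["body"].encode(), HASH).hexdigest()
        if not hmac.compare_digest(expected, cred["tag"]):
            return None  # another site's key, or the body was altered in transit
        payload = json.loads(cred["body"])
        if payload["site"] != self.site_id or payload["nonce"] in self.seen_nonces:
            return None  # addressed to a different site, or presented twice
        self.seen_nonces.add(payload["nonce"])
        return payload


def demo() -> bool:
    """Walk one user through two sites; True if every check behaves as expected."""
    carrier = Carrier(os.urandom(32))
    carrier.accounts["sub-0001"] = {"name": "Sample User", "zip": "00000", "billing": "current"}
    shop = Site("shop.example", carrier.site_key("shop.example"))
    bank = Site("bank.example", carrier.site_key("bank.example"))
    cred = carrier.issue("sub-0001", "shop.example", ["name", "zip"], os.urandom(16))
    first = shop.verify(cred)
    return (
        first is not None
        and "billing" not in first["attrs"]   # unshared dataset stays with the carrier
        and bank.verify(cred) is None         # wrong site cannot accept it
        and shop.verify(cred) is None         # same credential cannot be replayed
    )


if __name__ == "__main__":
    print("all checks passed" if demo() else "a check failed")
```

The root secret is the part to dwell on: `Carrier.site_key` and every credential descend from it, so a compromise there lets whoever holds it mint valid logins for any subscriber at any enrolled site, which is exactly the concentration of risk the article objects to.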
This magical log-in happens only if you visit the site using a device on which your private encryption key resides. The customer’s public/private keys must first be generated using a mobile device, but they can then be shared with any of your other devices including desktop PCs, smart TVs, and other things you may authorize to log in to a site, even light fixtures. (Don’t let light fixtures log in to anything, please!)
Traditional log-in methods will be maintained so that you can log in to your bank account from a public library’s terminal if you wish, for instance. But it is anticipated that most people will prefer the easier method of Project Verify.
You will be able to edit certain parts of your profile data; not your SIM card’s crypto key, obviously, but should your shipping address or credit card number change you can change them in your profile.
You will also be able to choose which datasets can be shared with each site you visit; the more you share, the better customized to your needs and easier to use the site will become.
Refusing to use the magic key for a site at all means you will be no worse off than you are today, clicking on “each square that contains a traffic light” in order to prove you are a human being and getting it wrong.
The question posed in this article’s headline is, who is going to trust their carrier to safeguard their online identity? Who is going to put all of their personal data eggs into that leaky, broken basket? Not I, and I suspect not many of my readers.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 14 Sep 2018
Source: https://askbobrankin.com/let_my_phone_company_be_my_online_identity_are_you_kidding.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Let My Phone Company Be My Online Identity – Are You Kidding?"
Posted by:
Lady Fitzgerald
14 Sep 2018
Lessee... Data harvesting in the name of security by entities known to have been hacked at sometime or another on poorly secured devices with plans I have to pay through the nose for. What a wonderful idea, right up there with openly publishing all my personal details on every internet site. Like, what could go wrong?
Oh, wait. I don't have a smart phone. Does this mean they will give me one and pay for my data plan? Gee, what a kind offer!
Posted by:
GregK
14 Sep 2018
I am an old fart who does not get my service from one of these companies because I don't use my phone enough to warrant wasting that much money for service. And I would trust them about as much as I would trust the government saying I'm here to help you along with these companies. NO WAY!!!!
Posted by:
Chris
14 Sep 2018
About 50% of the populace will blindly dive into this. They don't read EULAs or understand the outcome of the last election. Seems the developers don't fully trust this either, since Financial Institutions will be exempt. Evidently.... they know everything is crack-able and don't want to cover H-U-G-E banking losses. Everyone is in search of the "mark of the Beast"....
Posted by:
Frank Starr
14 Sep 2018
Until Anonymous and some white hat hackers create something like an identity VPN system, with multiple identities and multiple fake data for all such sites, there's no way that I would even think of using this sort of verification.
As they always said on the X-Files: trust no one! I'd say that especially applies in this case.
Posted by:
Lajoes
14 Sep 2018
That's what Bit Coin said every time they were hacked.
That's what Experian said before and after they were hacked.
That's what x said before I was hacked....
Posted by:
Lucy
14 Sep 2018
The comments posted thus far confirm that you were correct Bob in assuming your readers would not participate, but there are so many who will blindly follow this insane, IMO, idea.
Lajoes is correct in his comments about hacking, and I cannot ever imagine handing over all our info to the phone company!
BTW, my phone company doesn't really "like" me because I have a flip phone, with no data plan, and won't accept their constant offers to "upgrade" so I expect they will really, really dislike me when I won't sign up for this!
Posted by:
Allan Brunner
14 Sep 2018
A stupid idea; about as unintelligent as the suggestion of putting your passport on to your mobile! If I want my identity stolen and life taken over, I'm quite capable of being stupid myself without any assistance from a mobile phone provider or ISP. Given the number of major hacks over the last few years, would you trust these people to keep you safe? The recent BA hack was 22 lines of code inserted into the baggage module - that is all it took!
Posted by:
Larry
14 Sep 2018
No way, Jose. I do not let any website, provider, etc. "remember" me. I have been a victim of data breaches and am very careful about my ID on line. These providers can go **** themselves. I'd never subscribe to this kind of stupidity.
Posted by:
jon
15 Sep 2018
It will be a cold day in Hell before I allow any company to provide a "secure" code to access any website.
Posted by:
R.S. Elam
15 Sep 2018
It's all nonce-sense. I'll show myself out.
Posted by:
SharonH
15 Sep 2018
This brilliant conception is going to go down the rabbit hole along with other ideas that seemed good at the time.
Posted by:
Nezzar
15 Sep 2018
This is an excellent example of executives who live in isolation from the rest of us normal folks. They haven't a clue as to "What could possibly go wrong?" while the majority of us (I hope) know exactly what could happen.
No way.
Posted by:
Richard C
15 Sep 2018
Hmmm...I wonder how well this program will work if the phone number is sourced from one of the no contract services.
Posted by:
Bev
16 Sep 2018
No "smart" phone, just a simple one to call for service if I have auto breakdown, and use a land line at home. Another "old fart" type who loves and uses computer for my own projects but see no reason to buy into the idiot fantasies of those who think all life has to be on line. At current rate of web security I may go back to mailing checks, etc. But Silicon Valley has been indoctrinating the young and intends to rule the world by making every bit of life mindless. Thanks as usual for your valuable clarifications and advice.
Posted by:
Larry S
16 Sep 2018
Looks like I'll have a huge problem! I don't have a phone. Got rid of mine when all the Telemarketers kept calling and Do Not Call never worked.
Posted by:
Charles
17 Sep 2018
My biggest question is, how long before they don't bother asking us, and just throw it into the next great "update to our site!" Since it seems not too many are keen on this, it will probably be incorporated into some FCC rulings and legislation at some point.
Posted by:
MmeMoxie
17 Sep 2018
To nicely put it ... Over my DEAD BODY!!!
I don't trust any of the cell phone companies, period. They don't care anything about me or any of us, for that matter. This is just a way to stop the Feds from making them really do something, not that the Feds really care, either!
In fact, this is just as bad as the Credit Bureau Companies. They know almost everything about you and tell anyone who inquires about your Credit Records, but they won't tell you and it doesn't matter if all of the information is a lie or not!!! The Credit Bureaus and the Cell Phone Companies are NOT under elected officials by the people.
The FCC is NOT governed by the voters who elected them. They are appointed by the President and are usually with the same party.
The Credit Bureaus are completely different, they are private businesses, who keep records of your business and it can be easily hacked, as proven last year!!! Plus, even if you know or learn that your identity is stolen ... NONE of the Credit Bureaus believe you and it costs you thousands and thousands of dollars to prove it!!! Needless to say, I really do hate the Credit Bureaus. I do NOT see any benefits from any of the 3 main Credit Bureaus.
Considering that Cricket is under the umbrella of AT&T, all of us Cricket users are "screwed", just like the rest of you who have regular Wireless service from the main companies. I may have to go back to buying minutes as needed from other companies not with the big 4, AT&T, Verizon, T-Mobile, and Sprint or even connected with them.
Posted by:
sirpaul2
21 Sep 2018
I'll consider giving the phone companies any data that their CEOs give me first.
You want my medical info? - give me yours.
Posted by:
Wolfgang
24 Sep 2018
No! This "leaky" system will NOT work for me! This is like the foxes guarding the chicken coop.