Let My Phone Company Be My Online Identity – Are You Kidding?
The four largest mobile phone carriers recently announced a plan to eliminate passwords, login IDs, captchas, text-messaged codes and other secondary authentication factors. Instead, visitors to a web site would be authenticated by an encrypted string of data drawn from the visitor’s phone, carrier account, and other sources known to his phone company. Read on to understand what this “Project Verify” is all about, and what I think it means to all of us. There’s a hint in this article’s headline...
The End of Passwords - Hooray?
In theory, it sounds great. No more remembering logins, managing passwords, and dealing with the hassles of captcha or two-factor authentication. How many times do I have to prove that I'm not a robot? Why does my password have to be 10 digits long, with a combination of capital letters, numbers, and a hieroglyphic symbol?
Project Verify would be the answer to many a frustrated Internet user’s dreams. It would eliminate tedious typing of personal data on tiny virtual keyboards to create a new account on a site, with many a re-do when mistakes are made. It would make logging in to existing accounts as easy as visiting the home page of a site; your phone would handle sign-ins invisibly and instantly. And yes, provision is made for desktop PC users as well. Sounds like something we should all welcome with open arms, doesn’t it?
“If you should see someone approaching you with the obvious intention of doing you good you should run for your life,” Henry David Thoreau certainly never wrote as the Internet claims he did. But in this case, he would have been right if he did.
The Mobile Authentication Task Force, which consists of AT&T, T-mobile, Verizon, and Sprint – put together a short animation that shows all the good things their Project Verify offers. The details get a bit geeky, but here they are:
Public-private key encryption, similar to Pretty Good Privacy, is at the heart of the scheme. You and your carrier will each have a pair of encryption keys, one public to be shared with the other and one private to be kept to yourself (or itself, in the carrier’s case). These keys are unique to each user’s account. That is, the carrier has its private key for each customer and each customer has the public key of his carrier. Both keys are needed to decrypt a message encrypted with the same keys.
Each time a customer visits a site, the carrier generates and a very long string of random characters, called a “nonce” in cryptographic circles, which is unique to each customer at that point in time. The nonce’s characters are based upon many sets of user data: name, address, phone number, device ID, approximate location (Are your eyebrows rising?), and even billing status such as “current,” “past due” or “delinquent.” Some of these datasets are known and accessible only by the carrier, such as the cryptographic key to a SIM card. Given the vast amount of data that large corporations can acquire about everyone, the length of a nonce is more than enough for its intended purpose.
That purpose is to provide a subset of a nonce that is used to generate a unique encrypted key for each site a user visits, every time he visits. Each nonce-derived encrypted key is effectively a user’s password to a site, and can include much more.
The Key to Everything
The key can include all the data that a site needs to know about a user in order to provide its services to that user, from screen resolution to billing info, shipping and billing addresses, etc. It can also include optional data that a user may or may not choose to provide to a site, such as current location, favorite color, birthday, gender, income bracket, credit card number, etc., etc.
So now your carrier can send your authentication credentials and everything a site needs to know about you to the site the instant you visit the site, at your click or tap of a digital button. If you check the “remember me” box you will never have to click or tap that button at that site again; you will be logged in automatically when you open the site, and it will “know” you.
This magical log-in happens only if you visit the site using a device on which your private encryption key resides. The customer’s public/private keys must first be generated using a mobile device, but they can then be shared with any of your other devices including desktop PCs, smart TVs, and other things you may authorize to log in to a site, even light fixtures. (Don’t let light fixtures log in to anything, please!)
Traditional log-in methods will be maintained so that you can log in to your bank account from a public library’s terminal if you wish, for instance. But it is anticipated that most people will prefer the easier method of Project Verify.
You will be able to edit certain parts of your profile data; not your SIM card’s crypto key, obviously, but should your shipping address or credit card number change you can change them in your profile.
You will also be able to choose which datasets can be shared with each site you visit; the more you share, the better customized to your needs and easier to use the site will become.
Refusing to use the magic key for a site at all means you will be no worse off than you are today, clicking on “each square that contains a traffic light” in order to prove you are a human being and getting it wrong.
The question posed in this article’s headline is, who is going to trust their carrier to safeguard their online identity? Who is going to put all of their personal data eggs into that leaky, broken basket? Not I, and I suspect not many of my readers.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 14 Sep 2018
|For Fun: Buy Bob a Snickers.|
Announcing iPhone XS and Apple Watch 4
The Top Twenty
[ALERT] SIM Swapping Scams
There's more reader feedback... See all 42 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Let My Phone Company Be My Online Identity – Are You Kidding? (Posted: 14 Sep 2018)
Copyright © 2005 - Bob Rankin - All Rights Reserved