How well can your smartphone identify you?

Tired of remembering passwords and proving your identity when on the go? Mobile carriers in the US are pitching a new solution: Let them do it for you.

All it would take is an app preloaded into your smart phone and they will take care of the rest. After all, they already know a lot about you thanks to your phone and account: they know your location, device, and payment history. And, as a mobile carrier, they have additional data such as the cryptographic signatures tied to your device’s SIM card. What could possibly go wrong?

Let’s verify your phone

Welcome to Project Verify, a product of the Mobile Authentication Task Force, a grouping of AT&T, Sprint, T-Mobile, and Verizon. The idea is to give those always online consumers a simpler way of proving their identity. Once launched, all a consumer will need is their smartphone when creating accounts online or just logging in. It could work something like those Google/Facebook/Linkedin login messages. Say goodbye to one-off passwords.

The project would work with a variety of third-party apps that previously agreed to accept the Project Verify authentication. For online retailers, the upside is that consumers will be faster and more apt to sign into a new website or account when they don’t have to do the cumbersome process of entering their private data and waiting for a confirmation email. Customers should have the ability to choose what data is shared between mobile provider, third-party apps, and websites on an individual site basis or by data category according to Johannes Jaskolski, general manager for Mobile Authentication Task Force in Krebsonsecurity.com.

Think about the trust issue

For this scheme to work, consumers are going to have to trust that their mobile provider and the apps and the websites are going to keep their data secure. And that could be a tough sell, especially when the carriers have done a dismal job of it recently. Two recent examples of this are Securus Technologies, a mobile phone location tracking company that handed over customer location data to the police or LocationSmart, a data aggregator, with a demo-page that let anyone find real-time location data on about any American with a mobile phone.

Swap your sim card, swap your identity.

It’s also not clear how Project Verify would deal with a stolen phone or is equipped to deal with SIM swapping, an increasingly popular scheme where the bad guys get control over a mobile number by pretending to be the real owner over the phone or at the retailer. Once they’ve got the number, all calls and texts go to the bad guy’s phone – including those pesky authentication messages your bank and other accounts send out.

Time will tell

There has been no mention of a European variant, but it seems unlikely that Project Verify  would meet GDPR restrictions on collecting personal data.  Project Verify is now in a private beta testing phase with an actual launch a year down the road. You can check out their website and watch a video on the project here. One would think that a authentication project would have an secure HTTPS website.

Until then, good luck remembering your passwords.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.