A media buzz is building around an initiative by the “big 4” US mobile phone carriers (AT&T, Verizon, Sprint, T-Mobile) to replace mobile app passwords with a universal authentication service that leverages mobile phone data. Dubbed “Project Verify,” it promises to provide “peace of mind” by freeing mobile users from the need to remember different app username/password combinations or even use a password manager.
Your mobile phone (or, more correctly, the SIM card in your phone) contains a lot of personal data that your carrier already manages, including the phone number, the 15-digit International Mobile Equipment Identity (IMEI) number, and various account data associated with you and the device. Project Verify will use this sensitive data to authenticate you with participating mobile apps, such as banking apps, social media apps and so on—effectively replacing the traditional username/password combination.
While this might sound like a big win for users, Project Verify scares me for three reasons:
- Assuming your phone is under your control, this system in theory should offer security on a par with what we have today with username/password authentication, and with greater ease of use for those who prefer not to manage passwords. But that’s a big assumption! Phone theft is commonplace and SIM card swapping is already on the rise. If fraudsters get control of your phone or SIM card data, they could potentially wreak havoc across multiple apps, stealing your money, your identity and who knows what else as you scramble to notify both the carrier and the app providers.
- Major US mobile phone carriers aren’t known to have strong security records. T-Mobile was breached VERY recently, and Verizon was very publicly hacked in July 2017. Now a cryptocurrency investor is suing AT&T over $24 million he lost when hackers scammed the carrier to steal his phone number. Concentrating this much data protection responsibility in carriers’ hands feels like a very bad move. Not only will they soon be passing personal data they already struggle to keep secure across the cellular networks, but they’ll also hold sensitive data about all those accounts on third-party sites and apps.
- Mobile service providers already know a lot about their customers, including where they go and how long they stay there (via location services). The four Project Verify collaborators were recently called out for sneakily selling customers’ location data to third-party brokers. Now they’re about to know a lot more. Never mind all the ways that cybercriminals may find to exploit these concentrated sources of data.
With username/password authentication, a hacker needs your credentials. With two-factor authentication, they’d need not only those credentials but also something physical or biometric, or an out-of-band code.
Project Verify reduces your entire mobile security posture to a single “factor”—the mobile device itself—thus creating a significant risk exposure and making smartphones and SIM cards an even more attractive target for hackers.
Yes, some apps will be able to combine the Project Verify authentication with an additional factor, like your credentials. Hopefully that will reduce exposure for those whose devices are stolen or whose mobile phone accounts are compromised by social engineering.
Concerned about authentication risks for your users, mobile apps or web apps? Contact Pivot Point Security to talk over your specific situation and goals.
More Project Verify Information
- The Verge on Project Verify
- Engadget’s take on the story
- A critical review of the project on ArsTechnica.com