Big 4 carriers are still testing Project Verify for mobile ID authentication

The GSMA first announced Mobile Connect, a global mobile identification and authentication program, at Mobile World Congress back in 2014. (Project Verify)

The top wireless carriers in the U.S. had hoped to launch a GSMA-backed mobile authentication service, dubbed Project Verify, by the end of 2018, as the GSMA's Mobile Connect gains traction across the world. But the carriers have had to delay the launch and are still testing its features.

The GSMA first announced Mobile Connect, a global mobile identification and authentication program, at Mobile World Congress in 2014. The program enables people to use their phone SIM cards and personal PINs for logging into the growing number of online and web-based services, rather than have to remember a username and password combination for each site.

At the time, the program had support from global telecom giants China Mobile, China Telecom, Etisalat, KDDI, Orange, Tata, Telefonica, Telenor, Telstra and VimpelCom. But notably, no U.S. operators had signed on to the idea at that time.

Part of the allure of Mobile Connect is that it introduces a set of standards for identification and authentication applications. The service is available for free to any carrier or company that wishes to use the technology. GSMA said it envisions the service will be so secure that users will be able to use Mobile Connect for digital signatures on legally binding documents.

Flash forward five years, and adoption of the service has steadily grown. The program is now deployed in just over 40 countries through more than 70 mobile operators and with 500 million users, according to Ana Tavares Lattibeaudiere, head of North America at GSMA. The program has also attracted 12 companies that are signed up as Mobile Connect vendors. They include Hewlett Packard Enterprise, Gemalto, Ubisecure, Huawei, Openwave Mobility and others.

Last September, the top four major wireless carriers—AT&T, Verizon, Sprint and T-Mobile—finally joined the fray. The carriers launched Project Verify, an authentication service, along with a call to app developers and websites to link their apps with the service.

Project Verify is the result of the Mobile Authentication Taskforce, formed by the Big 4 carriers in 2017 amid growing concerns among U.S consumers about data protection, SIM hacking and identity theft. The task force was established to develop a mobile authentication solution to help protect enterprises and consumers from identity theft, bank fraud, fraudulent purchases and data theft.

RELATED: Why the wireless industry should be worried about SIM hacking

As a smartphone application, Project Verify relies on the carriers' proprietary, network-based authentication capabilities. It's being built using the single sign-on OpenID Connect standard, which Mobile Connect also uses.

“Mobile Connect provides the building blocks of the Universal ID service solution by recommending a set of functions for the mobile operators,” Tavares Lattibeaudiere told FierceWireless in an email. “Our goal is to have a global universal ID service that meets the needs of service providers, offering a seamless experience for them and for their users—this is what will drive adoption of this critical service.”

After registering with the service, U.S. users would be able to skip the login process on other apps that make use of the Project Verify authentication system. App developers in the U.S. will need to partner with Project Verify to link their apps to the service.

The GSMA didn’t say when to expect a launch. “The GSMA and Project Verify are currently working with service providers to test and enhance the technology,” she said, adding that “Project Verify” is just the name for the service while it is in beta testing. The service will likely launch under a new brand. 

News of Project Verify received mixed reactions in the U.S., with some experts in the field questioning whether carriers are able to provide a truly reliable and secure system.

GSMA’s Mobile Connect, for its part, has mechanisms in place to ensure no data is transferred between apps that use the service.

“The Mobile Connect service supports a simple authentication service,” Tavares Lattibeaudiere said. “At the completion of the authentication process, the mobile network operator's identity gateway provides a pseudo-anonymous customer reference (PCR)—a unique reference to an individual user of Mobile Connect, which reveals no personal information about the user. This is then used as the unique identifier for that user.”

The Project Verify website states that consumers will be able to determine what data is shared, but doesn't offer much detail. Project Verify didn't immediately respond to a request for more details.

*After this story was published, a spokesperson for Project Verify sent us this clarification about interoperability between Mobile Connect and Project Verify:  “While interoperability discussions are ongoing, both Mobile Connect and Project Verify incorporate mobile network-based authentication as a core foundational feature for the separate mobile identity solutions.”