LOS ANGELES—Verizon, AT&T, T-Mobile and Sprint announced further details about their Project Verify effort to create a more effective and efficient identification and authorization system. The companies said the ultimate goal of the project would be to eliminate the need for customers to enter passwords to access information from their phones.
“Developed collaboratively by the four largest U.S. wireless carriers, the prototype reveals the taskforce’s approach to multi-factor authentication, which combines the carriers’ proprietary, network-based authentication capabilities with other methods to verify a user’s identity,” the companies wrote in a release, noting they’re working in part through the GSMA. “Once the user signs up and provides consent, the solution then generates a device-based ID that serves as the user profile at the center of the authentication process.”
Specifically, the carriers said the service would likely be delivered through an application installed on consumers’ smartphones. After registering with the service, users would be able to skip the login process on other apps that make use of the Project Verify authentication system.
The carriers said the setup is better than passwords because it uses “multiple points of unique, verifiable data to connect customers” including phone numbers, account tenure, phone account type, SIM card details and IP addresses. Further, the operators noted customers would be able to control the type of information they provide for authentication.
The carriers announced the effort on the sidelines of this year's MWC Americas show here.
Part of the goal of Project Verify is to address password hacking and identity theft, including through SIM-hacking and SIM-swapping techniques. In such attacks, a criminal fraudulently obtains a victim's phone number by having that number transferred to a SIM card in the criminal's possession.
Not surprisingly, some experts in the field questioned whether the nation's wireless network operators would be able to provide a secure and reliable system. “The carriers have a dismal track record of authenticating the user,” Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at the University of California, Berkeley, told Krebs on Security. “If the carriers were trustworthy, I think this would be unequivocally a good idea. The problem is I don’t trust the carriers.”