Author(s): Raghu Gopal
Smartphones could soon become the master key to unlocking online accounts. In a first, the four major US mobile carriers are collaborating on a system to manage customer logins on third-party websites and apps. Their goal is to get companies such as banks and online retailers supporting the new Project Verify authentication platform, and then roll out the free app to consumers.
A couple of weeks ago, the four leading US carriers, AT&T, Verizon, T-Mobile and Sprint, unveiled Project Verify at the Mobile World Congress Americas in Los Angeles. It's certainly a good opportunity to make handsets a part of multifactor authentication, given the ubiquity of smartphone usage and growing concerns about cybersecurity. Companies including Google and Facebook already use handsets for two-factor authentication, but this method can be defeated because one-time passwords sent to users through SMS can be intercepted.
To help address the drawbacks of two-factor authentication and stop unauthorised SIM swapping, the four carriers have come together to create Project Verify. Instead of sending a one-time password through a text message, the service uses an app that can securely generate authentication requests on a smartphone.
The solution is similar to other multifactor authentication systems, letting users approve or deny login requests from websites and apps and reducing the number of times users enter passwords. It validates users by taking into account their phone number, account tenure, IP address, phone account type and SIM card details. Project Verify "combines the carriers' proprietary, network-based authentication capabilities and other methods to verify a user's identity".
Companies are centralising the Project Verify process so that websites can easily integrate the security system without the need to go from carrier to carrier. Websites can implement the initiative as two-factor authentication or use it to replace the traditional password login entirely. Signing in will be simple: users click on a window in the Project Verify app, confirming they wish to log in.
The mobile carriers may face the challenge of convincing users to embrace their system, as customer satisfaction with and trust in carriers have been notoriously low. Furthermore, Project Verify makes switching carriers and smartphones significantly harder. Although there are certainly conveniences to a single sign-on solution, the risks could be huge in the event of a breach. Websites and users can add extra security to login requests by requiring a fingerprint scan on a phone or a special PIN to prevent account takeovers in the event a phone is lost or stolen.
Project Verify isn't yet available for download but will be put to the test in the first half of 2019, when it appears in app stores as the mobile carriers kick off public trials.
Multifactor authentication needs improvement, but it arguably needs to be mandated to have widespread impact. Ultimately, it will be for consumers to decide if Project Verify fulfills a need that Google and others don't already meet, so demand will heavily depend on commitment from partners in the finance and e-commerce markets.