In the near future, your smartphone may become the master key to unlocking your online accounts.
That's the idea behind a new project from the big four mobile carriers in the US, which are trying to push the whole industry to move beyond password-only logins. On Wednesday, they unveiled Project Verify, a new "multi-factor authentication" system that proposes protecting your most important online accounts with the help of your handset.
The project — which comes from AT&T, Sprint, T-Mobile, and Verizon — proposes using a mobile app on your phone as an extra step to unlocking your accounts. Not only will the password be needed to get in, but also access to the phone, which can confirm the login request through the Project Verify app.
The goal is to get major websites, like banks and e-commerce providers, on board with the platform, and then roll out the Project Verify app to consumers as a free install.
"This is technology we could've just deployed for ourselves, but we felt this was something really valuable for the consumer. And everybody has been looking for that ubiquitous authenticator," said AT&T assistant vice president Johannes Jaskolski, who is helping to lead the Project Verify effort.
Using your smartphone to protect your online account isn't new. A few top websites such as Google have been offering "two-factor authentication" for years as a way to stop hackers from infiltrating your online accounts. The system generally works by getting your smartphone to generate an additional one-time passcode that's needed upon login.
Yahoo, on the other hand, began phasing out passwords in favor of a mobile app that lets you sign into your account. When you log in, the app will generate a push notification to your phone and ask you to click yes.
Unfortunately, not every website offers these security solutions. Many continue to rely on basic password logins, which can be easy for cybercriminals to beat. Certain implementations of two-factor authentication can also be hacked. For instance, some websites like to send the one-time passcodes over SMS messages, which can actually be intercepted. This can be done through "SIM swapping scams," like when a crook uses identity theft to trick a mobile phone carrier into giving access to a victim's phone account.
To help address the drawbacks of two-factor authentication and stop unauthorized SIM swapping, the four mobile carriers came together to create Project Verify. The SMS-based one-time passcodes have been replaced with an app that can securely generate the authentication requests on board the phone.
But what sets Project Verify apart from other security solutions is how the mobile carriers are using their telecommunication infrastructure to verify that the customer — and not someone else — is indeed attempting to log in. They can do this by looking at the handset's phone number, the IP address, the SIM card, and even location details of the phone during the sign-in process. Any inconsistent activity — like a recent SIM swap — can prompt the system to flag it as malicious, and tell the website providers and carriers to consider cutting access to the account.
Right now website providers are often blind to how users are logging in, but Project Verify intends to change this, Jaskolski said in an interview.
"We can basically do that analysis and help create a risk score that they (the website provider) can use to make decisions on their side," he added. "And that brings a lot of security to the entire ecosystem."
Still, not everyone may like the idea of the mobile carriers acting as a gatekeeper to your online accounts. The carriers recently faced some controversy over exposing customer location data to third-party companies. A prison IT vendor was later found to be using that data to help police conduct warrantless searches for cell phone locations across the US.
The carriers also don't have a stellar record in stopping SIM swapping scams. Both AT&T and T-Mobile have recently faced accusations that their existing safeguards did nothing to stop hackers from stealing access to people's phone accounts. According to one entrepreneur, the fault partly lies with company employees ignoring the rules, like checking for official ID when someone requests access to an account.
How Project Verify stands up to real use will be tested in the first half of 2019 when the carriers kick off public trials for the new system. But Jaskolski said the security solution is entirely opt-in. Consumers who do opt in will also have full control over what accounts they wish to link to it and when the login requests will be sent. "We're not creating something where we're then aggregating the data from all four carriers together," Jaskolski said. "We're not sharing (the subscriber data) with each other. We're not centralizing them."
However, to encourage industry adoption, the companies are centralizing the onboarding process for Project Verify, so that website providers can easily integrate the security system without the need to go from carrier to carrier. Websites that adopt Project Verify can implement it as two-factor authentication or they can use it to replace the traditional password login entirely. Signing in will simply occur when the user clicks on a window in the Project Verify app, confirming they wish to log in.
Website providers and users can also add extra security on login requests by requiring a fingerprint scan on the phone or a special pin code. This can prevent account takeovers in the event you lose your phone, or a crook steals it and has access to the app.
The plan is to eventually introduce Project Verify as both a free app download and as pre-installed software on carrier-sold Android phones. This week, the carriers are demoing their solution at the Mobile World Congress Americas trade show with the goal of seeking feedback.