Login With Facebook, Google or… AT&T? Thanks, but No Thanks

Mike Dano
3/19/2019

The nation's four largest wireless network operators are in the final stages of testing a technology that will essentially allow them to offer a single sign-on (SSO) service like Facebook and Google do.

However, based on their privacy and security track record so far, I think it's fair to steer clear of this initiative.

But before I explain just how bad of an idea this is, let me start at the beginning. In 2017, AT&T, Verizon, Sprint and T-Mobile announced the Mobile Authentication Taskforce to "develop a mobile authentication solution for enterprises and customers." The initiative is basically a US version of the GSMA's "Mobile Connect" program for digital authentication, which is currently used by 52 operators in 29 countries. The US task force, made up of a handful of employees from each operator, said it would release the service sometime in 2018.

It's clear that the group missed that deadline, but nonetheless they're still working on it. At the recent Mobile World Congress trade show in Barcelona in February, the task force (now called "Project Verify") showed off its progress in a small display inside the GSMA's booth. Importantly, streaming music provider Slacker, banking company Fidelity and AT&T's DirecTV all supported a testing version of the Project Verify single sign-on service.

So why would anyone want to use Project Verify? The argument behind Project Verify goes like this: Are you tired of trying to remember all your logins and passwords? Fear not! You can create yet another password with Project Verify, and then use that account to sign into your other accounts. It's exactly like the "sign in with Facebook" or "sign in with Google" buttons you see on sites like Dropbox or Evernote.

But wait! There's more: Project Verify is better than the Facebook and Google SSOs because it's going to be checked against your mobile SIM card, phone number, user credentials, account tenure and phone account type (info only your wireless carrier has). Meaning, hackers won't be able to steal your Project Verify account because AT&T, Verizon, Sprint and T-Mobile will be able to check the hacker's phone and see that it's not yours. Or, if it is yours, they'll be able to tell that it's not you. Because they're going to use "advanced analytics" to make authentication "simple, silent, and strong."

Right?

Verifiable challenges
Well, Project Verify's first problem is of the chicken-and-egg variety. When the carriers do commercially launch the service (there's no word on when they'll do that) they'll have to convince the likes of Evernote and Dropbox to add the Project Verify option alongside the "sign in with Facebook" and "sign in with Google" options. If Project Verify can't generate a significant user base, there's no reason for Dropbox or Evernote to go through the hassle of adding the button for the service -- and if they don't add the button for the service, there's no reason for users to sign up for Project Verify.

Further, the carriers don't have a good track record with these kinds of initiatives -- consider their failed Softcard/Isis service for mobile payments.

But the real sticking point here is around privacy and security. You know, the issues at the very heart of Project Verify. The four big US wireless network operators simply don't have a very good story to tell here. For example, remember the bug on LocationSmart's website that could be hacked so that pretty much anyone could get your location information? Or what about that Motherboard story about how it costs $300 to buy a person's current location from a bounty hunter? And we haven't even gotten into the "very, very easy" ways that some thieves are stealing money through SIM swapping.

(I'll point out here that all three of the above examples happened in just the last few months.)

Are these the companies that you want to trust your logins to?

Some experts say no.

Project Verify is "asking us to allow the same mobile carriers responsible for enormous, and intentional, privacy failures to become the gatekeepers of identity authentication in an attempt to combat a real problem with a solution that's both concerning and conveniently beneficial to them," wrote Gennie Gebhart and Starchy Grant of the Electronic Frontier Foundation, concluding it's a "verifiably bad idea."

"I am not likely to ever take the carriers up on this offer," wrote security researcher Brian Krebs of Project Verify. "I'm not about to volunteer more information than necessary beyond the bare minimum needed to have wireless service."

Just like Facebook
The mobile network operators in the US aren't the only ones facing privacy concerns, of course. Facebook -- one of the big SSO providers -- faces much steeper privacy issues. That's not a surprise considering the company's entire business model revolves around knowing what its customers like, tracking their every movement, and then sending them the right advertisements at the right time to make them do something or buy something.

Facebook apparently is somewhat concerned about this. Facebook's Mark Zuckerberg recently disclosed the company's plans to roll up Instagram, WhatsApp and Facebook Messenger into one privacy-focused platform -- actions that appear to have forced the departure of some top executives.

And here is where I'm going to pick on AT&T specifically, because AT&T is building an advertising business that's very similar to Facebook's. Meaning, AT&T's new Xandr advertising business is designed around tracking what customers are doing and then sending them advertisements.

"AT&T has access to expansive datasets on customer behavior and preferences," boasted Xandr's Brian Lesser in comments last year. "170 million direct-to-consumer relationships across its wireless video and broadband businesses, 40 million set-top boxes, 20 million connected cars, and that's just for starters. But data needs to be activated to have value. We're building targeting and measurement capabilities that will bring greater value to consumers, advertisers and publishers."

AT&T's Xandr today remains pretty forthright about all this tracking: "Mobile, TV and broadband customer relationships create a holistic view of consumers and their various touchpoints. By continually cleansing and normalizing IDs across channels we maintain a high-quality data set. This process provides deterministic household and device mapping with the ability to add probabilistic scoring to expand reach," the company said on its website.

Meaning, AT&T's Xandr can see what people are doing on their TVs, their phones and on their Internet connection. And it wants to sell that info to advertisers.

...Again, this is a company that wants me to trust it with my logins? No thanks.

Mike Dano, Editorial Director, 5G & Mobile Strategies, Light Reading | @mikeddano

GypsumFantastic,
User Rank: Light Beer
3/22/2019 | 12:04:41 PM
trust no one
Hmmm...a cross-platform SSO being mooted on the other side of the Atlantic just as the ridiculous nanny state cross-platform age verification for accessing 'porn' websites is about to get rolled out in the UK. Which I'm sure of course is not something they will expand into accessing other types of websites...'porn' sites are being used as an excuse to test this out.

Governments would love people to have only one account sign on to access the entire internet...