Login With Facebook, Google or… AT&T? Thanks, but No Thanks

The nation's four largest wireless network operators are in the final stages of testing a technology that will essentially allow them to offer a single sign-on (SSO) service like Facebook and Google do.

However, based on their privacy and security track record so far, I think it's fair to steer clear of this initiative.

But before I explain just how bad of an idea this is, let me start at the beginning. In 2017, AT&T, Verizon, Sprint and T-Mobile announced the Mobile Authentication Taskforce to "develop a mobile authentication solution for enterprises and customers." The initiative is basically a US version of the GSMA's "Mobile Connect" program for digital authentication, which is currently used by 52 operators in 29 countries. The US task force, made up of a handful of employees from each operator, said it would release the service sometime in 2018.

It's clear that the group missed that deadline, but nonetheless they're still working on it. At the recent Mobile World Congress trade show in Barcelona in February, the task force (now called "Project Verify") showed off its progress in a small display inside the GSMA's booth. Importantly, streaming music provider Slacker, banking company Fidelity and AT&T's DirecTV all supported a testing version of the Project Verify single sign-on service.

So why would anyone want to use Project Verify? The argument behind Project Verify goes like this: Are you tired of trying to remember all your logins and passwords? Fear not! You can create yet another password with Project Verify, and then use that account to sign into your other accounts. It's exactly like the "sign in with Facebook" or "sign in with Google" buttons you see on sites like Dropbox or Evernote.

But wait! There's more: Project Verify is better than the Facebook and Google SSOs because it's going to be checked against your mobile SIM card, phone number, user credentials, account tenure and phone account type (info only your wireless carrier has). Meaning, hackers won't be able to steal your Project Verify account because AT&T, Verizon, Sprint and T-Mobile will be able to check the hacker's phone and see that it's not yours. Or, if it is yours, they'll be able to tell that it's not you. Because they're going to use "advanced analytics" to make authentication "simple, silent, and strong."


Verifiable challenges
Well, Project Verify's first problem is of the chicken-and-egg variety. When the carriers do commercially launch the service (there's no word on when they'll do that) they'll have to convince the likes of Evernote and Dropbox to add the Project Verify option alongside the "sign in with Facebook" and "sign in with Google" options. If Project Verify can't generate a significant user base, there's no reason for Dropbox or Evernote to go through the hassle of adding the button for the service -- and if they don't add the button for the service, there's no reason for users to sign up for Project Verify.

Further, the carriers don't have a good track record with these kinds of initiatives -- consider their failed Softcard/Isis service for mobile payments.

But the real sticking point here is around privacy and security. You know, the issues at the very heart of Project Verify. The four big US wireless network operators simply don't have a very good story to tell here. For example, remember the bug on LocationSmart's website that could be hacked so that pretty much anyone could get your location information? Or what about that Motherboard story about how it costs $300 to buy a person's current location from a bounty hunter? And we haven't even gotten into the "very, very easy" ways that some thieves are stealing money through SIM swapping.

(I'll point out here that all three of the above examples happened in just the last few months.)

Are these the companies that you want to trust your logins to?

Some experts say no.

Project Verify is "asking us to allow the same mobile carriers responsible for enormous, and intentional, privacy failures to become the gatekeepers of identity authentication in an attempt to combat a real problem with a solution that's both concerning and conveniently beneficial to them," wrote Gennie Gebhart and Starchy Grant of the Electronic Frontier Foundation, concluding it's a "verifiably bad idea."

"I am not likely to ever take the carriers up on this offer," wrote security researcher Brian Krebs of Project Verify. "I'm not about to volunteer more information than necessary beyond the bare minimum needed to have wireless service."

Just like Facebook
The mobile network operators in the US aren't the only ones facing privacy concerns, of course. Facebook -- one of the big SSO providers -- faces much steeper privacy issues. That's not a surprise considering the company's entire business model revolves around knowing what its customers like, tracking their every movement, and then sending them the right advertisements at the right time to make them do something or buy something.

Facebook apparently is somewhat concerned about this. Facebook's Mark Zuckerberg recently disclosed the company's plans to roll up Instagram, WhatsApp and Facebook Messenger into one privacy-focused platform -- actions that appear to have forced the departure of some top executives.

And here is where I'm going to pick on AT&T specifically, because AT&T is building an advertising business that's very similar to Facebook's. Meaning, AT&T's new Xandr advertising business is designed around tracking what customers are doing and then sending them advertisements.

"AT&T has access to expansive datasets on customer behavior and preferences," boasted Xandr's Brian Lesser in comments last year. "170 million direct-to-consumer relationships across its wireless video and broadband businesses, 40 million set-top boxes, 20 million connected cars, and that's just for starters. But data needs to be activated to have value. We're building targeting and measurement capabilities that will bring greater value to consumers, advertisers and publishers."

AT&T's Xandr today remains pretty forthright about all this tracking: "Mobile, TV and broadband customer relationships create a holistic view of consumers and their various touchpoints. By continually cleansing and normalizing IDs across channels we maintain a high-quality data set. This process provides deterministic household and device mapping with the ability to add probabilistic scoring to expand reach," the company said on its website.

Meaning, AT&T's Xandr can see what people are doing on their TVs, their phones and on their Internet connection. And it wants to sell that info to advertisers.

...Again, this is a company that wants me to trust it with my logins? No thanks.

Mike Dano, Editorial Director, 5G & Mobile Strategies, Light Reading | @mikeddano
