I don’t read it this way at all. The solution replaces multi factor authentication by using analytics of my phone and use. If I’m at home going about my day, but “I” try to log in to one of these authenticated apps/services several hundred or even thousands of miles away, the login will fail for the imposter. Yet I’ll still carry on normally - without the burden of multifactor authentication. No passwords are given to carriers here.

That certainly seems laudable. Multi-factor authentication is a desperately needed layer of security, and using things like device metrics to validate identity is huge. If that's all this is, then great! My concern is the phrase [One of the main reasons the carriers created the "Mobile Authentication Taskforce" was to help users who have to manage "dozens of difficult-to-remember passwords" for numerous apps.] There are many great multi-platform password tools available that consumers don't use without resorting to something that could be leveraged for data mining.

I don't see this as anything more than the carriers trying to insert themselves into the authentication process. But as they say... the devil is in the details, and no matter how good the platform is at protecting an individual's security, the carriers will likely have a trust issue... as in "we don't trust them".
Don’t forget, this might combat fraud within the carriers too. Reducing fraud saves the carriers money. That could be one of the motivations behind this idea.

Maybe, but in what use case scenario would this prevent carrier fraud? The only thing I can see is using the mobile account for purchases, and I haven't seen anyone do that in years.
 
Thanks Apple!

Because of your asinine privacy policy - that's now becoming an illogical ideology *and* excuse for poor product/services - iOS users lack a proper identity management platform, and are forced to expose our data to more risk, less security, and less privacy - with 2 consequences:

1. Use simple passwords and reuse the same password everywhere
2. forced to rely on Google Single-Sign-on, Amazon ID, Facebook ID, or now their mobile carriers


Same for no system-level iOS SPAM call filters:
1. live with it and suffer
2. forced to use an inferior and fragmented solution (giving others our data) from risky 3rd party apps, or carrier specific service

I agree. There seems to be a lot of FUD in these comments. This isn't using AT&T in the place of LastPass.

Many of us already use our phones as a method of multi-factor authentication. This seems to me to be the next iteration of that only easier to use and more secure for the end user.

This is exactly it. And the reason they're doing it, is because Apple refuses. And identity management on iOS is a really big sore spot.

Between Apple's baked-in password management and 2FA, and my password manager app, I really only have to remember a single password or two. On top of that, my carrier doesn't have any say in it and as others have pointed out, aren't going to be able to NSA me quite so easily. The password I have to remember is over 20 characters long and the only time I need it is on my Mac or PC; on either iOS or Android I can get in via biometrics.

With this proposed datamining system, I think it very much is:

a chance to lock a user to a carrier
a chance for carriers to block devices not sold by the carrier
a chance to prevent people from switching phones when they please
an obvious affront to net neutrality (thanks Idjit "PunchMyFace" Pai)

And what if you want to Jailbreak or Root & ROM?

All of that being said, I think you're both off base here. Either that or employees of carriers.
 
All I want from my mobile carrier right now is for them to be able to detect when caller ID has been spoofed to be the same area code and prefix as my cell number and then prevent that call from reaching my phone. That nonsense has gone on long enough.

That would be nice
 
This doesn't read we want to protect your security, as much as it reads we want to better control what you do and how you do what you do on our network security, even when you are using privacy based apps.
Not sure I fully understand all the tech involved in this, but there’s no way I’m letting the carriers have my passwords.

Also, ironic name for the taskforce - MAT, as in what we’ll feel like when the carriers and NSA walk all over our rights to privacy.
Technically speaking, your right to privacy is not absolute, especially when you enter into an agreement with the carrier.
 
Thanks Apple!

Because of your asinine privacy policy - that's now becoming an illogical ideology *and* excuse for poor product/services - iOS users lack a proper identity management platform, and are forced to expose our data to more risk, less security, and less privacy - with 2 consequences:

1. Use simple passwords and reuse the same password everywhere
2. forced to rely on Google Single-Sign-on, Amazon ID, Facebook ID, or now their mobile carriers

But #1 simply is not true anymore. Safari can and will suggest passwords to use when hitting up a new site, and store it in Keychain, synced over to other iPhones, iPads, and Macs. Safari can even remember existing passwords when you visit a site it didn't already know about it.

A small part of #1 is true, tho, in that Safari isn't going to go back through old passwords and analyze them for suitability. But if you go changing your passwords on the site, then Safari will suggest and remember a new one.

This also extends to apps now, if they use the new API (since iOS 9? iOS 10? i forget) that allows the app login details to access Keychain for its own credential cache. Apple has done a decent job at this for the base users (but I still prefer my 1Password).
 
But #1 simply is not true anymore. Safari can and will suggest passwords to use when hitting up a new site, and store it in Keychain, synced over to other iPhones, iPads, and Macs. Safari can even remember existing passwords when you visit a site it didn't already know about it.

A small part of #1 is true, tho, in that Safari isn't going to go back through old passwords and analyze them for suitability. But if you go changing your passwords on the site, then Safari will suggest and remember a new one.

This also extends to apps now, if they use the new API (since iOS 9? iOS 10? i forget) that allows the app login details to access Keychain for its own credential cache. Apple has done a decent job at this for the base users (but I still prefer my 1Password).


Keychains are *NOT* identity management systems. Nor are they single-sign-on

It's very hard for iOS users to understand how identity management is *supposed* to work - because iOS is so broken on purpose by Apple

This is not a problem (nor are constant password prompts over & over for email services, FaceTime reauthentication, etc..) on other platforms

Don't think about Apple's broken Keychain as a solution to identity management. It's not

Think about how Amazon ID/checkout, Facebook login, and Google accounts work. This has been solved *years* ago by others.
 
This sounds like something I would have written in university to hit the word count.
 
If somebody is dumb enough to sign up for this crap, I bet it plays out like this:

“I’ve never been to Arizona. Maybe I should visit Arizona.”

*goes to Arizona*

ERROR: Unauthorized access.

“And now I have lost access to all of my passwords.”

That’s essentially what you should expect from the carriers: a half-baked solution that is actually somehow less secure and more frustrating.
 
This has got to be a joke? These 4 companies do realise that they cover quite a small proportion of world mobile phone subscribers? How is such a parochial solution going to do anything useful, even if it wasn’t such a very bad idea in the first place? How about all the people that use different sims in different countries to prevent being ripped off by roaming charges? The only benefit from such a scheme is to the 4 providers who have put the idea forward.
 
For me, this could be solved with a simple setting. If a call rings through, and that phone number is not in my contacts, send it straight to voicemail without it even hitting my phone. I've been hoping for that setting for a long time.
 
All I want from my mobile carrier right now is for them to be able to detect when caller ID has been spoofed to be the same area code and prefix as my cell number and then prevent that call from reaching my phone. That nonsense has gone on long enough.
So you're okay if the caller-ID says Bank of America instead of Diamond Resorts International? Every phone call needs to be completed as if it is a call back. If the caller-ID ph. No. can't be called and the hardware ID doesn't match then the original call is dropped.
 
So you're okay if the caller-ID says Bank of America instead of Diamond Resorts International? Every phone call needs to be completed as if it is a call back. If the caller-ID ph. No. can't be called and the hardware ID doesn't match then the original call is dropped.

Huh? What does the name being displayed on the caller ID have to do with what I said? I think perhaps you misunderstood the point of my original post.

I'm sick of caller ID being able to be spoofed to other legitimate phone numbers and the carriers are seemingly unable to recognize when caller ID has been spoofed and then prevent those spoofed calls from reaching my phone. I receive at least a dozen calls per month where the caller ID shows as the same area code and prefix as my cell number but the last four digits of the phone number are unique with every call. Judging by the amount of likes my original post received, it appears that I am not the only one experiencing this issue. It's been going on for close to two years now.
 



Last September, AT&T, Verizon, Sprint, and T-Mobile announced a team-up with the mission of developing a mobile authentication solution for both businesses and consumers. One of the main reasons the carriers created the "Mobile Authentication Taskforce" was to help users who have to manage "dozens of difficult-to-remember passwords" for numerous apps.

Today at Mobile World Congress, the taskforce has revealed more details about its upcoming platform, and set a launch date for later in 2018. AT&T said the solution will create a cryptographically verified phone number and "unique profile" that's specific to the user's smartphone or tablet, strengthened by processing attributes such as a network verified mobile number, IP address, SIM card attributes, phone number tenure, phone account type, and more. The solution will only work with apps authorized by the taskforce, and at the consent of the user.


The companies' combined resources will further analyze data and activity patterns on a mobile network to predict, "with a high degree of certainty," whether the user is who they say they are. To confirm a user's identity and allow them entry into their own secure data, the solution will also use machine learning, advanced analytics, and run a risk assessment engine with AI to confirm that all of this data matches -- or doesn't match -- the main user's identity. VentureBeat reported that the Mobile Authentication Taskforce's platform is expected to be "simpler and more secure" than current heavy-duty password and data protection solutions, like two-factor authentication.

According to the GSM Association, which represents the interests of mobile operators worldwide, the solution will not only provide mobile device owners with an easier way to manage passwords, but also help to "decrease fraud and identity theft, and increase trust in online transactions." With the four largest U.S. network carriers working together, AT&T said that the taskforce will bring "significant capabilities and insights" to build a modern security and identity protection system.
Ahead of the launch, registered developers will be able to submit to the taskforce and begin ensuring that their applications will be compatible with the new mobile authentication platform. This submission process itself will be highly secure as well, using "private and permissioned blockchain technology to help ensure application integrity."

Developers and other service providers will be able to sign up to participate as an application developer when the taskforce's website launches "later this year," and in the next few weeks internal trials of the system will begin.

Article Link: AT&T, Sprint, T-Mobile, and Verizon Detail Plans for 'Next-Generation Mobile Authentication Platform'





And gee, the carriers are always so easy for the NSA and PDs to get information from it almost seems like a government idea....
 