Four major US carriers — AT&T, Sprint, T-Mobile, and Verizon — are joining forces to launch a single sign-on service for smartphones. The service, called Project Verify, authenticates app logins so that users don’t need to memorize passwords for all their apps. The companies say their solution verifies users through their phone number, phone account type, SIM card details, IP address, and account tenure. Essentially, your phone serves as the verification method with details that are hard to spoof.
Users have to manually grant apps permission to use Verify, and it works similarly to how you might log into some services through Gmail or Facebook instead of using a unique account password. Of course, these apps also have to choose to work with Verify, and the program hasn’t listed any partners or said when it intends to launch. The service can serve as your two-factor authentication method, too, instead of an emailed or texted code that can be intercepted.
Users might not be totally safe if their phone is stolen. The Verify program automatically logs users in, so long as they have access to their phone’s home screen and apps. Obviously, protecting your lock screen with a PIN or biometric data would keep attackers out of your phone, but assuming they got past that point, it’s unclear how easily they could access all your apps. Certain apps can require additional verification methods beyond the Verify app, a spokesperson says. So a banking app, for example, could also require a PIN, biometric data, or behavioral data. If someone managed to gain access to your phone’s home screen, however, and the apps you use don’t require any additional verification methods, they could likely log into all your accounts.
Single sign-on services are clearly convenient; fewer passwords is a great thing. They’re also an alternative to installing a password manager on your phone, which would still require you to remember the password to the app. Still, if someone compromises your one account (or device in this case), everything else will follow, so it could introduce some security liabilities.