Large US mobile companies to test new authentication initiative - "Project Verify"

The project has been announced by the Mobile Authentication Task Force, whose members include AT&T, Sprint, T-Mobile and Verizon. The new authentication initiative is called “Project Verify” and it is being pitched as a way to give consumers a more streamlined method of proving one’s identity when creating a new account at a given Web site. Also it aims to replace passwords and one-time codes for logging in to existing accounts at participating sites.

Project Verify could improve online authentication because the mobile companies have access to several unique signals and capabilities that can be used to validate each customer and their mobile device(s). This includes knowing the approximate real-time location of the customer; how long they have been a customer and used the device in question; and information about components inside the customer’s phone that are only accessible to the carriers themselves, such as cryptographic signatures tied to the device’s SIM card.

The Task Force currently is working on building its Project Verify app into the software that gets pre-loaded onto mobile devices sold by the four major carriers, according to security expert Brian Krebs. The basic idea is that third-party Web sites could let the app handle the process of authenticating the user’s identity, at which point the app would interactively log the user in without the need of a username and password.

Moreover, participating sites could use Project Verify to supplement or replace existing authentication processes, such as two-factor methods that currently rely on sending the user a one-time passcode via SMS/text messages, which can be intercepted by cybercriminals.