US carriers debut new passwordless login system

Microsoft, Google, and Apple are trying to kill the password, and now cellular operators are joining the bandwagon.

The four major US mobile carriers — AT&T, Sprint, T-Mobile US, and Verizon Wireless — have banded together for a new authentication system that would manage your logins without even having to enter a password.

Called ZenKey, the system works just like any other single sign-on service (SSO), including those from Google, Facebook, Twitter, and most recently Apple, in that it lets you approve login requests from other websites and apps on a device you own, thereby entirely eliminating the need for passwords.

ZenKey was originally announced last September under the moniker Project Verify.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

The passwordless mechanism leverages a combination of factors for identification, such as your phone (something you have), biometrics (something you are), and your location in place of your passwords (something you know).

Put differently, it verifies your identify through a multi-factor profile that’s tied your mobile device by taking into account the subscriber information from your cell service, including IP address, SIM card details, phone number, phone account type, and your fingerprint or face.

But this also means in order to use it, all major third-party services — banks, social media, retail, utilities, you name it — will have to support ZenKey SSO. Otherwise, this carrier-based system will be a tough sell.

Interestingly, one area where ZenKey has a leg up over its rivals is that it claims to offer users full control over the information that’s required to sign-up for each service, while giving them an opportunity to “opt out at any time to stop sharing that information.”

There’s no doubt ZenKey is trying valiantly to solve the problem of too many passwords, but the big question is whether you want your carrier managing your logins across the websites and apps you use on your phone. More importantly, adoption of this initiative will depend on how much trust consumers place with the wireless companies.

Just last year, all the four carriers were caught leaking the locations of most AT&T, Sprint, T-Mobile or Verizon phones in the US to an accuracy of within a few hundred yards. After this discovery, the companies agreed to stop selling their customers’ location information to third-party data brokers.

Another potential issue is the legitimate threat of SIM swapping attacks — a clever social engineering trick used by cybercriminals to persuade phone carriers into transferring their victims’ cell services to a SIM card under their control. If someone can get your number swapped, they could potentially access your online accounts too.

With Apple already positioning itself as a privacy-conscious alternative through “Sign in with Apple,” it will be interesting to see if “Sign in with ZenKey” can make the cut.