
AT&T and Verizon want to manage your identity across websites and apps - xref
https://arstechnica.com/information-technology/2018/09/att-and-verizon-want-to-manage-your-identity-across-websites-and-apps/
======
ryukafalz
Meanwhile, the W3C is working on an open standard for simple public key
authentication to websites:
[https://www.w3.org/TR/webauthn/](https://www.w3.org/TR/webauthn/)

I'd much rather authenticate to websites with a key stored in my phone's
secure element than I would with an auth service provided by my carrier.

~~~
compsciphd
Why can't this be done today? Back when startssl was a thing and giving out
free ssl certs, they didn't have you authenticate with a username/password,
they generated a cert that was stored in your browser and used that to
authenticate you.

~~~
ryukafalz
It can be done today, but the browser UX around X.509 client cert auth is
poor, and especially setting up your browser to use hardware tokens is more
than could be expected of a nontechnical user.

I don't know for sure why they decided to do something new rather than
improving the UX of client certs, but what they came up with for Webauthn
seems to work with pretty well.

------
bogomipz
The headline could have been rewritten as:

"Four companies that nobody trusts want to manage your identity across
websites and apps."

Seriously from the T mobile data breaches affecting millions[1], to Verizon's
injecting of X-UIDH headers[2], to AT&Ts work with the NSA[3] to the selling
of location data by all four mentioned in the article, there is absolutely
nothing trusty-worth about any of these companies. It's like cognitive
dissonance. Maybe they could include credit monitoring by the 3 completely
untrustworthy credit reporting agencies and the service would be feature
complete in its' absurdity.

[1] [https://www.usatoday.com/story/tech/2015/10/01/t-mobile-
brea...](https://www.usatoday.com/story/tech/2015/10/01/t-mobile-breach-may-
have-exposed-15-million-records/73171066/)

[2] [https://www.eff.org/deeplinks/2014/11/verizon-x-
uidh](https://www.eff.org/deeplinks/2014/11/verizon-x-uidh)

[3] [https://theintercept.com/2018/06/25/att-internet-nsa-spy-
hub...](https://theintercept.com/2018/06/25/att-internet-nsa-spy-hubs/)

~~~
unstatusthequo
I still trust T-Mobile more than the other two, despite the breach. AT&T and
Verizon are NSA toadies. Maybe I’m näive but it doesn’t seem like T-Mobile is
so much in bed with the fed. NSA surveillance is a constant breach, no?

~~~
bogomipz
I don't think that T-Mobile turns over any less data though:

[https://www.cnet.com/news/t-mobiles-transparency-report-
reve...](https://www.cnet.com/news/t-mobiles-transparency-report-
reveals-352000-customer-data-requests/)

At any rate the bar seems pretty low in that group.

------
kichik
Am I the only one who's terrified of giving control of my authentication to a
carrier? They have had so many absurd security breaches. Not to mention it's
so easy to walk into any store and get a SIM card for someone else's account
with nothing more than a phone number. They rarely check your id.

------
aklemm
Resurrect the original promise of OpenID! I want this capability, but I
definitely don't want it controlled by big companies, and poor stewards of
consumer best interests at that.

------
retox
You mean like Google do already? See also this discussion from earlier in the
week about automatically logging in to Gmail when you start chrome.
[https://news.ycombinator.com/item?id=17942252](https://news.ycombinator.com/item?id=17942252)

------
ofcrpls
For reference, this is an implementation of GSMA's Mobile Connect[1]

[1][https://www.gsma.com/identity/mobile-
connect](https://www.gsma.com/identity/mobile-connect)

------
nkkollaw
So, yet another SSO options, but implemented by companies that are infamous
for poorly-implemented software, screwing customers for a few more cents, and
security breaches?

------
compsciphd
seriously, why don't we he have a fido/u2f supporting simcard and phones that
can expose it? what are the downsides? phone being hacked?

