AT&T and Verizon want to manage your identity across websites and apps (arstechnica.com)
29 points by xref 5 months ago | 13 comments

Meanwhile, the W3C is working on an open standard for simple public key authentication to websites: https://www.w3.org/TR/webauthn/

I'd much rather authenticate to websites with a key stored in my phone's secure element than I would with an auth service provided by my carrier.

Why can't this be done today? Back when StartSSL was a thing and giving out free SSL certs, they didn't have you authenticate with a username/password, they generated a cert that was stored in your browser and used that to authenticate you.

It can be done today, but the browser UX around X.509 client cert auth is poor, and especially setting up your browser to use hardware tokens is more than could be expected of a nontechnical user.

I don't know for sure why they decided to do something new rather than improving the UX of client certs, but what they came up with for WebAuthn seems to work pretty well.

Excellent! Thanks for mentioning this.

The headline could have been rewritten as:

"Four companies that nobody trusts want to manage your identity across websites and apps."

Seriously, from the T-Mobile data breaches affecting millions[1], to Verizon's injecting of X-UIDH headers[2], to AT&T's work with the NSA[3], to the selling of location data by all four mentioned in the article, there is absolutely nothing trustworthy about any of these companies. It's like cognitive dissonance. Maybe they could include credit monitoring by the 3 completely untrustworthy credit reporting agencies and the service would be feature complete in its absurdity.

[1] https://www.usatoday.com/story/tech/2015/10/01/t-mobile-brea...

[2] https://www.eff.org/deeplinks/2014/11/verizon-x-uidh

[3] https://theintercept.com/2018/06/25/att-internet-nsa-spy-hub...

I still trust T-Mobile more than the other two, despite the breach. AT&T and Verizon are NSA toadies. Maybe I’m naïve but it doesn’t seem like T-Mobile is so much in bed with the fed. NSA surveillance is a constant breach, no?

I don't think that T-Mobile turns over any less data though:


At any rate the bar seems pretty low in that group.

Am I the only one who's terrified of giving control of my authentication to a carrier? They have had so many absurd security breaches. Not to mention it's so easy to walk into any store and get a SIM card for someone else's account with nothing more than a phone number. They rarely check your ID.

Resurrect the original promise of OpenID! I want this capability, but I definitely don't want it controlled by big companies, and poor stewards of consumer best interests at that.

You mean like Google do already? See also this discussion from earlier in the week about automatically logging in to Gmail when you start Chrome. https://news.ycombinator.com/item?id=17942252

For reference, this is an implementation of GSMA's Mobile Connect[1]


So, yet another SSO option, but implemented by companies that are infamous for poorly-implemented software, screwing customers for a few more cents, and security breaches?

Seriously, why don't we have a FIDO/U2F-supporting SIM card and phones that can expose it? What are the downsides? Phone being hacked?
