Telcos Gear Up To Fight Facebook and Google Over How You Log Into Websites (mashable.com) 50

Mashable has an interesting article that talks about the penetration of "social authentication" services: There are two ways to log in on websites: try to recall the email address and password you registered with -- or simply hit the "Facebook Login" button. The convenience of the latter underscores the popularity of social authentication options. You'll see Facebook and Google login buttons on popular sites including Netflix, Uber, Spotify, Imgur and Linkedin, just to name some. Facebook itself estimates that some 350 million people log into a new app or site with their Facebook credentials every month. Olga Kuznetsova, Engineering Manager at Facebook told us that the Facebook Login button ranks in the top three of consumer account creation and sign-in preferences worldwide. More than 85 of the top 100 apps in the U.S. market use Facebook's Login gateway as a login, she added. For years, Google and Facebook have assumed control over the social authentication space, the article adds, citing numbers from companies and analysts. But interestingly, telecom operators are prepping to fight for a slice of the space. So-called mobile identity is one of several projects being developed in the industry to reinforce the position of network operators, which have already suffered an erosion of their traditional communications businesses by the rise of large US technology groups such as Facebook and Google, analysts say. The article adds: Mobile Connect is an authentication solution that the GSMA, the global telecoms industry trade organisation, has been working on for over three years. Through Mobile Connect, GSMA is offering users a much more convenient and "more secure" sign-in option, Jaikishan Rajaraman, global head of technology at GSMA said. The authentication service only requires users to enter their phone number when signing in. There is no password box. When a customer enters her phone number, her carrier (telecom operator, in this case) vouches for her identity. 
Incredibly, over 42 operators in 22 nations are on-board with Mobile Connect, and the service is already live to over 3.1 billion people. The article adds that GSMA is in talks with governments to add Mobile Connect on their websites and apps. Interestingly, banks, which have long resisted the idea of having Google's and Facebook's authentication service, are also showing interest.
  • So, this requires that there's a single user per phone number? And if you only have a landline then this equates to a per household login? And if you use your mobile number how is your ISP going to vouch for that unless they're your mobile carrier, too?
  • Because SPAM is not doing well enough in the email space, it must be moved into SMS and RoboCalls as well!
  • or simply hit the "Facebook Login" button. The convenience of the latter underscores the popularity of social authentication options.

    Sure, the same way that putting on clothes underscores being warmer, and having sex underscores feeling good.

    I don't think "underscore" means what you apparently think it means.

  • Why are people still using Facebook?

    • The unwashed masses wish to speak with each other in a public format. 80% of the unwashed masses are already on Facebook, so it's quite difficult for other social, semi-open services to get a foothold.

    • If you want people in your life it's a good way to do it, especially if you're an extroverted nerd. Yeah, they exist (and they're among the most unfortunate folks in a modern world). There's tons of D&D, Warhammer, Overwatch and general gaming/meetup forums built around them.
    • Because it's the only way my (rather large) family communicates.

  • For mobile (Score:5, Insightful)

    by 110010001000 ( 697113 ) on Saturday April 01, 2017 @09:52AM (#54157321) Homepage Journal
    Sure, that works for mobile (I guess). Although at that point why have the user enter their phone number at all? It is already known, presumably they can map the IP (or whatever they use), to the mobile phone number automatically. We do have an Open Standard for auth, OAuth. Unfortunately it doesn't generate revenue for the various conglomerates that track your every move.
    • Re:For mobile (Score:5, Insightful)

      by dgatwood ( 11270 ) on Saturday April 01, 2017 @11:15AM (#54157599) Homepage Journal

      The only thing I want less than Facebook vouching for my identity (and thus being able to impersonate me, see everything I do, etc.) is my ISP doing so. We're already in a situation where the privacy protections that prevented ISPs from horribly abusing that power just got shot down by Congress. And many ISPs have a long history of treating privacy as an afterthought (at best).

      What we need is not federated logins. We do not need a single password on a server somewhere to be the keys to the kingdom. This is a breach of proper security design at a fairly fundamental level.

      No, what we need is a law requiring all U.S. websites to A. allow autofill, B. always provide username and password fields on the same page (none of this "ask for the username, then click, then ask for the password" crap that breaks many password autofill systems very badly) and C. provide an HTTP(S) header containing the URL to an HTTPS endpoint that returns a form with four fields: username, old password, new password, and some standard checksum scheme to ensure that the form values were not truncated in transit. The form can, at the website's option, either use JavaScript (if the auth scheme requires client-side processing) or not (99.9% of websites), but submitting it must change the password unless the original password is wrong, and must trigger a full page load of a page containing exactly the text "403 FORBIDDEN" (in plain text, and nothing else) if the password change failed. (In the case of JavaScript-driven auth, this could be as simple as changing the location to /403.txt after getting back an error.)

      As soon as all websites conform to that standard, passwords basically cease to be a problem. Your in-browser password manager (whether the one built into the browser or your choice of third-party extensions) can just have a "change all" button so that if your passwords get compromised somehow, you can change them all to random values and optionally sync them with whatever cloud password system it uses.

      And any servers that are serious should also use cookies to keep a per-device token with some sort of callback-based verification (phone, text, email) before allowing the device to join. Such tokens should be automatically refreshed if needed as part of the password change mechanism so that changing a password doesn't invalidate the current device (and ideally should not invalidate other devices on the account). Such a website should provide a way to log out other devices. That sort of thing should, of course, be entirely optional, and is orthogonal to the password management issue, though perhaps such features should be required for any website that stores bank account numbers (not CC numbers) or provides access to bank accounts, stock portfolios, or retirement plans.
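
A minimal model of the password-change contract proposed in the comment above, added here as an illustration and not part of the original comment or any real standard. The function names, the length-prefixed SHA-256 checksum, the PBKDF2 storage and the success response are assumptions; the four form fields and the exact "403 FORBIDDEN" failure text come from the comment.

```python
import hashlib, hmac, os

FAILURE_BODY = "403 FORBIDDEN"  # exact plain-text failure page from the comment

def form_checksum(username, old_password, new_password):
    # Assumed scheme: SHA-256 over length-prefixed values, so a truncated
    # field changes the digest instead of sliding into its neighbour.
    h = hashlib.sha256()
    for value in (username, old_password, new_password):
        data = value.encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def new_record(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}

_DUMMY = new_record(os.urandom(16).hex())  # checked for unknown users: same work, same answer

def handle_change(form, accounts):
    """Server side: return (status, content_type, body) for one form submission."""
    fail = (403, "text/plain", FAILURE_BODY)
    names = ("username", "old_password", "new_password", "checksum")
    if any(not isinstance(form.get(n), str) for n in names):
        return fail
    expected = form_checksum(*(form[n] for n in names[:3]))
    if not hmac.compare_digest(expected.encode(), form["checksum"].encode()):
        return fail  # values truncated or altered in transit
    record = accounts.get(form["username"], _DUMMY)
    old_ok = hmac.compare_digest(_derive(form["old_password"], record["salt"]), record["hash"])
    if record is _DUMMY or not old_ok:
        return fail  # wrong old password: nothing changes
    accounts[form["username"]] = new_record(form["new_password"])
    return (200, "text/plain", "OK")  # success body is an assumption

def rotate(accounts, username, old_password, new_password):
    """Password-manager side: submit the form, report success from the page text."""
    form = {"username": username, "old_password": old_password,
            "new_password": new_password,
            "checksum": form_checksum(username, old_password, new_password)}
    status, _ctype, body = handle_change(form, accounts)
    return body != FAILURE_BODY
```

A "change all" button would call `rotate` once per stored site and keep the old entry for any site where it returns False.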

      • Yup, henceforward, I will be using Tails a whole lot more often. Let them sift through all that silt... The EVIL TRINITY: Big gov, big biz, big media. I'm avoiding all this FUD as much as I can. ;-)
      • by Raenex ( 947668 )

        No, what we need is a law

        No. Just no.

        • by dgatwood ( 11270 )

          Good luck getting broad adoption of the needed security mechanisms in any other way. Remember, even banking websites generally do the minimum security work required by law and/or their contracts with credit card companies.

      • by epyT-R ( 613989 )

        No. We don't need a law. I want nothing to do with your version of the internet. What we have is bad enough as it is. The only thing protecting us from total information assault is pseudonymity.

        • by dgatwood ( 11270 )

          What does requiring websites to provide browsers with a mechanism for updating passwords programmatically have to do with preventing pseudonymity? The two are completely orthogonal.

    • This is so they can sell your browser history while telling you they're not selling your browser history. It also makes it legal to sell you out after the government revokes the right to sell that crap in 4-8 years.

  • At this point Google/Facebook/one or two others have at least as much power over the internet as the actual government has over the real world and aren't bound by pesky things like the constitution or diligently-enforced antitrust regulations, and as more of the real world relocates to the internet, that power will only grow. Identification, banking, censorship, surveillance, Ministry-of-Truth-ing the news, thought-policing people and businesses via their monopoly on advertising...

    Eventually "It's a privat

    • they have more power than the Government but don't tell Donald that. He won't like it.
      He thinks that 'He rules the world'. When in fact, Google and Facebook do.

  • by Anonymous Coward

    Sounds to me like identd, with all the same features and flaws.

  • Looks like they've reinvented identd, with all the same features and flaws.

  • by Anonymous Coward

    I know plenty of people who use the Facebook form of login everywhere they can.

    If these things become too common sites may find it not worthwhile to maintain their traditional login process any more, leaving those of us without Facebook out of the picture.

    That is always the way these things go: first the stupidity is optional, then it is entrenched, then it is unavoidable.

  • by Anonymous Coward

    We already have this or a similar technology in use in Finland. It requires getting a special SIM card and then you can log in to government sites by entering your phone number. Just used it today to log in to a site where I see my medical records and drug prescriptions. It's not limited to government sites, but not really mainstream yet I think, there are some accounting SaaS sites etc. that also use it.

  • Oh joy (Score:5, Insightful)

    by Impy the Impiuos Imp ( 442658 ) on Saturday April 01, 2017 @01:23PM (#54158017) Journal

    It isn't about security. It's about tying together your surfing on disparate web sites into one big automated database to sell you targeted advertising.

  • by Anonymous Coward

    Telco Support here. How may I help you?

    I cannot login.

    That's fine sire, we'll send someone over right away.

    When?

    In the next 2 to 7 days, between 8 a.m. and 5 p.m. Eastern.

    Will that be all?

    Yes. ;=(

  • And I do use Google tools to save passwords/usernames.

    I maybe shouldn't trust Google, but I know I should not trust Facebook.

  • There are two ways to log in on websites: try to recall the email address and password you registered with -- or ... (snip)

    Or pick door #3 [keepass.info].
