Security Experts:

ZenKey: How Major Mobile Carriers Are Teaming Up to Eliminate Passwords

ZenKey Links Mobile Phones Directly to Carrier APIs and Avoids Users Having to Use Passwords After Authenticating a Phone

Four major U.S. carriers are developing a new single sign-on variant they believe will do away with the need for passwords. Their solution is new mobile app called ZenKey that securely ties the user's device to the carrier, and the carrier logs on to the service. Once set up, no passwords or additional third party are are involved -- it's as simple as 'log on with Facebook' without involving Facebook.

Online business faces two competing demands: more secure authentication to fight the booming cyber fraud industry, and more friction-free authentication to attract and keep increasingly fickle customers. The difficulty is that 'enhanced security' and 'friction-free' are two mutually exclusive concepts. It is a circle that needs to be squared -- those companies that succeed will thrive; those that fail will languish.

ZenKey login via mobile deviceThe basic problem is the current password. First, it is too easily stolen, and second, the sheer quantity used in modern life (mobile phone owners use an average of 90+ passwords each) persuades users to choose simple passwords or reuse the same one across multiple accounts. The main industry solutions are to either increase security by adding additional authentication factors (multi-factor authentication -- MFA), to reduce reliance on multiple passwords through single-sign on (SSO) solutions, or both.

None of these solutions have been welcomed wholeheartedly by users. MFA increases friction and is not generally liked. SSO generally requires an additional cost and involves a third-party that must be trusted. The primary 'free' versions of SSO involve the use of Facebook or Google log-in facilities and the willingness to give more information to organizations whose business model is to collect and sell user information.

Philosophically, both solutions suffer from being bolt-on security in an age when 'built-in' is acknowledged to be the best solution. Four major carriers (AT&T, Sprint, T-Mobile and Verizon) in the U.S. believe they have the solution by building authentication into the fabric of mobile communications. 

ZenKey is just another sophisticated single sign-on solution. In this case, however, the provider is already known and trusted (else the user would choose an alternative carrier) and already holds as much user information as is required. As a carrier, this sign-on provider also has access to the deepest parts of the phone in order to secure the app.

User set-up simply involves downloading and installing the app, authenticating with the carrier, verifying basic data attributes, and creating a ZenKey PIN. Once this has been done, a secure and verified connection is established between the phone and the carrier. The carrier then becomes the sign-on provider between the user and all service providers that have signed up to the process. The user is presented with a 'sign in with ZenKey' button similar to existing 'sign in with Facebook' or 'sign in with Google' buttons.

When the user accesses one of these services, the carrier does the authentication. The user is not required to enter a password but may (depending on the service) still be asked for an additional factor.

The advantage of this approach is that it eliminates the need for passwords while increasing security -- it squares the circle. But the four carriers still have many hurdles ahead. Not the least is the chicken and egg between users and service providers. Providers won't sign up until there are consumers using ZenKey, but there won't be users until there are service providers signed up.

It would be useful if phones arrived pre-configured with ZenKey, but neither Android nor iOS -- who offer their own SSO variants, are likely to rush to do so. Although the concept seems attractive, there are many who doubt that it will succeed. Jack Mannino, CEO at application security firm nVisium sees the technical advantages that the carriers can bring to the authentication problem. "Having access to hardware, SIM cards, location information, usage patterns, and other data accessible to service providers gives mobile service providers an advantage," he told SecurityWeek; but still thinks it will be difficult for ZenKey to supplant the existing solutions.

The incumbent giants are also highlighted by Shahrokh Shahidzadeh, CEO at behavioral authentication firm Acceptto. "The first challenge is the lack of a robust ecosystem in identity space sourced from many long-existing, disjointed solutions. The second challenge is competing with other giants in this space, including Google, Facebook and even Apple," he added. He also notes that this solution provides authentication at log-in only -- not the continuous authentication that behavioral biometric authentication can provide. However, continuous authentication by the carrier that is involved in the conversation between user and service provider should not be impossible to attain.

Privacy issues are one of Mannino's primary concerns. "Many users would likely prefer separation between what their mobile service provider can see and what they do online," he said. "However, this would be increasingly hard as more of the websites and apps you use integrate with their platform." This is echoed by Joseph Carson, chief security scientist and advisory CISO at privileged access management (PAM) firm Thycotic.

"ZenKey is an interesting project," he told SecurityWeek. "However, it lacks transparency on how it actually works and appears to have increased overhead as it requires verification from your wireless provider to authenticate, leaving many questions around privacy. Somewhere a key is being exchanged in the background which still usually needs to be managed. Realistically, it appears to be reducing the need for a user to type a password but not entirely eliminate them."

ZenKey is a new approach to solving a major problem that already has many existing and different solutions. It is late to the market (it's still in beta) and has many difficulties ahead. Nevertheless, the final arbiters will be the users. If the existing problems can be solved, and the criticisms answered, ZenKey could easily prove popular among users.

Related: The More Authentication Methods, the Merrier 

Related: Major U.S. Mobile Carriers Vulnerable to SIM Swapping Attacks 

Related: Japan's Largest Mobile Provider to Ditch Passwords 

Related: Apple Unveils Privacy-Focused Authentication System 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.