This is still the header! Main site

Logging Into Things

(... in which we're returning to the practice of plentiful but not overly high quality posts.)

There is that alternate universe where everyone knows what public key cryptography is. Where you can identify yourself without remembering 23 different passwords that you need to type into various custom text boxes on websites. Where phone numbers aren't a reasonable way of identifying people.

a phone, a sim card, and a cloud in the background with google logos
(please don't insist on finding deep meaning in this image.)

Then, there is our current world, where... well, if you want to prove you're a unique user, you're using one of 3-4 big authentication providers... or you go back to the telcos, and have them demonstrate that you have a phone number. It... kind of makes sense, from a spam filtering perspective, but it's still not too great.

Wouldn't it be cool if we had Actual Infrastructure that handed out physical devices to people, which they could then use to identify themselves?

... actually, could it turn out that we do have such infrastructure already?

SIM cards exist.

If there is a sort of opposite to a cypherpunk utopia with holding your own keys, it's probably looking a lot like telcos. There is an impressive cultural difference between them and freedom-minded internet people: in telco-land, things are directed by central authorities, the fancy application logic is in the network itself (vs. the smart endpoint model of the internet), and of course, you're going to be charged for this by the minute. However, despite them resisting the idea of becoming dumb pipes, this eventually happened, so we're now in the world of...

... using either Google or Facebook as authentication providers.

Who then require you to have a phone number.

But then there is something else here. If you think back of the concept of having a physical device, carefully handed out to everyone, to prove their identity in a cryptographic way...

... this is actually what SIM cards are.

Of course, in a true telco fashion, we can't actually use them for crypto; we have to go through the circuitous route of phone numbers & text messages. I do find it remarkably ironic though, that...

... phones do VoIP?

(disclaimer: don't take me up too much on the technical details)

Once upon a time, mobile phones did voice as an Actual Thing. If you wanted to call someone, you'd get a digital channel, end to end, allocated by the network, which you could push bits through at a given bitrate. You add an audio codec and you gloss over some details; you get a voice call!

Eventually, people wanted mobile internet. The kind where you aren't charged by the minute. So... with 3G, we had circuit switched voice calls still (with pre-allocated pipes), plus packet networking. Very different. See, that's why we, the telco, charge you by the minute for voice calls!

By the time we got to 4G / LTE though, things have changed. The amount of data traffic exceeded voice by a lot & got up to pretty good quality / latency levels too; why even add dedicated infrastructure for voice calls? Especially if... we can switch back to 3G whenever someone calls you. (... this was seriously happening at some point.) Or... since 3G networks are being phased out already too... here is the idea: just do voice calls over the LTE packet network!

(Like everyone else started doing on the internet somewhat earlier.)

This is VoLTE, a.k.a. Voice over LTE. It sounds like Advanced Telco Magic (of which there is still a decent amount; it's not like we can reuse open standards in a simple way that doesn't give us opportunity to add our own patents). On the other hand: what's underneath is really just SIP calls, behind a VPN.

(Mostly. Yet again glossing over some details.)

Given how all this works, the existence of "wifi calling" is not even that surprising. The basic scheme is the same: you have a packet network connection already, through which you run a VPN (IPSec actually) connection. The trick is that you use the SIM card as the root of the crypto that lets you log into the VPN! From that on, the network already knows who you are; the rest is just plain VoIP calls.

The point is... we do have a neat, distributed authentication mechanism that almost everyone has an instance of, distributed between multiple companies, which can (could!) be used to log into things & sign stuff. It's doable.

Why are we then still relying on things like... credit card numbers?