The password-less future of AT&T, Verizon, and T-Mobile is gone


Originally announced as “Project Verify” in 2018, ZenKey was intended to be a single sign-on system, similar to the Google or Apple sign-in buttons you see on various websites. The idea was that each carrier would offer an app that could verify your identity and then act as a pass when you signed up to a supported website or made something like a bank transfer. In theory, it could be more secure as it used data from your SIM card and location to make sure it was really you trying to log in.

It doesn’t seem like ZenKey got very far though, and now it’s mostly gone. LightReading reports that the website for it is down, AT&T stopped offering it last year, and the “ZenKey powered by Verizon” app is no longer available in app stores (at least in the US). T-Mobile’s website seems to contain almost no references to the system as far as Google can find, although there is one article from mid-2020 on the company site that mentions it.

For those familiar with the history of multi-carrier joint ventures, this outcome is not necessarily a surprise. LightReading said as much when the service was announced in 2019, under the headline “Meet ZenKey: Telco’s Doomed Single Sign-On Service.” The Verge’s Dieter Bohn called ZenKey “the right idea from the wrong companies” when writing about the Cross-Carrier Messaging Initiative’s attempt to replace SMS with the then-nascent RCS. He based his opinion on past products, such as SoftCard, which competed with Google Wallet and Apple Pay. (It succeeded about as well as CCMI, that is, not at all – though it probably didn’t help that it was called “ISIS” when it launched in 2013, a name that was about to mean something really bad for a lot of people.)

Ultimately, the usefulness of a service like ZenKey depends on how much third-party support it gets – even if the app is great, most people won’t bother if they can only use it to log into three or four sites. And why would developers add ZenKey to their sites when there are other options from Google, Apple, Amazon, and Meta, all of which have their own single sign-on solutions tied to accounts people already use? Those would probably also have much better brand recognition when a user lands on a login page.

For example, here are all the sites and apps that ZenKey said were working in July 2022, according to a Wayback Machine archive of the now-defunct website:

[Screenshot of the archived ZenKey page. Caption: Realistically, how many of these services would one person have signed up for? Image: ZenKey via the Wayback Machine]

A press release from the end of 2020 mentions that other companies like Proctorio and DocuSign had “plans to test or go live” with support for the service, but it doesn’t seem to have quite worked out.

Even if the mobile carriers were (predictably) unable to get rid of passwords, I hope they will eventually become a thing of the past. But to get rid of them, a much larger group will have to exert much greater pressure; perhaps passkeys, a FIDO-powered passwordless authentication system pushed by Apple, Google, Microsoft and the like, will eventually become the thing. But unless they’re widely adopted (which isn’t entirely certain), we’ll probably be stuck with the patchwork of successful single sign-on options, password managers, and scattered sticky notes that we know we shouldn’t use, but do anyway.