Request for FIDO2 Standard Support

Dear Verizon Security Team and Mobile Application Development Team,

I am writing to request that Verizon adopt the FIDO2 standard for secure authentication.

While Verizon provides its own proprietary authentication within the mobile app, the app itself still requires prior authentication. The mobile app requires PSTN-based TOTP authentication.

Industry Standards Highlight PSTN Risks

• ISO-27001 Annex A.9.4.2 requires organizations to implement appropriate security controls for user identification and authentication. PSTN-based methods fail to meet these expectations.
• NIST Special Publication 800-63B (Section 5.1.3.3) explicitly restricts PSTN for out-of-band authentication, citing vulnerabilities including SIM swapping.

FIDO2 as the Secure Authentication Standard

The FIDO2 standard offers a recognized, secure solution that eliminates these limitations, and:

• Enables passwordless, phishing-resistant authentication.
• Eliminates the need to transmit passwords or rely on proprietary app-based, email-based, or PSTN-based methods.
• Is natively supported by major operating systems and platforms.

Recommendations for Verizon

• Adopt the FIDO2 standard to enable strong, passwordless authentication within the Verizon mobile app.
• Should OTPs still be used, allow TOTP/HOTP from independent authenticator apps, e.g., 1-Password, Google Authenticator, Microsoft Authenticator, etc.
• Eliminate reliance on insecure PSTN-based authentication methods.

Supporting Evidence: Rise of SIM Swapping Attacks Alone

The following timeline highlights FBI statistics, PSAs, and other high-profile SIM swapping incidents, demonstrating the increasing importance of secure authentication methods:

• February 8, 2022: FBI Alert Number I-020822-PSA
  • https://www.ic3.gov/PSA/2022/PSA220208
  • January 2018 - December 2020: 320 complaints, adjusted losses ~$12M.
  • 2021: 1611 complaints, adjusted losses >$68M.
• FBI Internet Crime Report 2022
  • https://www.ic3.gov/AnnualReport/Reports/2022_IC3Report.pdf
  • "SIM swap" added as a distinct class of crime.
  • 2026 complaints, adjusted losses >$72M.
• November 16, 2023: FBI Cybersecurity Advisory
  • https://www.ic3.gov/CSA/2023/231116.pdf
  • Page 4: "In most instances, ... threat actors conduct SIM swapping attacks."
• FBI Internet Crime Report 2023
  • https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf
  • 1075 complaints, adjusted losses >$48M.
• January 9, 2024: Official @SECGov Twitter Account Compromised by SIM Swapping
  • https://www.sec.gov/secgov-x-account
• FBI PSA April 11, 2024
  • https://www.ic3.gov/PSA/2024/PSA240411

Why This Matters

By adopting FIDO2, Verizon will:

• Provide phishing-resistant, passwordless authentication that protects customer accounts.
• Align with industry-leading security standards (NIST, ISO).
• Deliver robust and reliable authentication across all platforms, improving customer confidence and security.

Verizon has the opportunity to lead the way in secure authentication and provide customers with the modern, reliable protection they deserve.

Thank you for considering this improvement, and I look forward to your update.