09 May 2013

How To Switch From AT&T to T-Mobile

Just recently I made the switch from AT&T wireless to T-Mobile using my own iPhone 4s. Beyond some administrativa, all I had to do was purchase a T-Mobile SIM card and I was ready to go.

Somewhere back around 1999 or 2000, I switched to Voicestream Wireless (switching away from Airtouch Wireless). Sometime after that, T-Mobile acquired Voicestream and I stuck with this service until 2008 when I switched to AT&T so that I could get an iPhone. I always had great customer service from T-Mobile and I had excellent roaming in Europe where I traveled often at the time. Now that T-Mobile is supporting the iPhone I have decided to switch back. Given that T-Mobile recently announced its lack of requirement for a contract and better rates than AT&T, this only made it easier to drop AT&T.

I did experience some headache with the whole iPhone unlocking requirement, but it only cost me about two hours of time. Given that my iPhone from AT&T was a GSM phone, there was no requirement for me to purchase a new phone. I could have purchased a new iPhone 5 but based on some friends telling me that the battery life on it is pretty miserable, and the fact that there is not a compelling reason to upgrade, I decided that I don't really need it. (In fact, I have been toying with the idea of switching from an iPhone to an old school cell phone. The cost savings to be had by doing this is amazing. But, in the end, I opted to stay with my iPhone 4s.) Once the iPhone starts providing an embedded NFC chip, I might consider upgrading.

Here are the necessary steps to switch from AT&T to T-Mobile:

  1. Unlock your phone - You must submit a request to AT&T to unlock your phone. This can take a few days so make sure to allow for ample time. This is where I had trouble but because I was outside of any contract with AT&T and I was in good standing, the operator I dealt with was able to unlock my iPhone 4s instantly while I was on the phone with him.
  2. Unlock your account - Remove any password from your AT&T account so T-Mobile can take it over.
  3. Transfer your phone number - If you plan to keep your phone number, then just transfer it to T-Mobile.
  4. Purchase a T-Mobile SIM card - If you are utilizing the BYOD plan (Bring Your Own Device), then you need to purchase a SIM card from T-Mobile. The cost is only US$10 so no big deal.
  5. Sync your iPhone - Before making the SIM card change, make sure to sync your iPhone with iTunes so that everything is backed up.
  6. Swap the AT&T SIM card for the T-Mobile SIM card - Pop out the SIM card slot and swap the SIM cards.
  7. Re-sync your iPhone - After inserting the T-Mobile SIM card, a message popped up on the iPhone stating that the card was not activated. After re-syncing the iPhone via iTunes, this went away and I immediately received a welcome SMS message from T-Mobile.
  8. Set up your voicemail - The last thing to do is set up your voicemail and you should be good to go.
  9. Request to have visual voicemail enabled - For whatever reason, visual voicemail must be manually enabled by T-Mobile and you need to call in to request that this take place.

Now I'm on the T-Mobile network and I have no contract whatsoever. Furthermore, the plan I signed up for is only US$50/month with unlimited talk and text + 500mb of data. I can upgrade to unlimited data at any time for an additional US$20/month which I will probably do (and it provides tethering capability). I'm just curious to know if I will actually exceed 500mb of usage/month before I make that change.

I'm hopeful that this information will help others understand the steps to making this switch.

07 May 2013

On Eliminating Passwords

It seems to me that authentication in general needs to change. The requirement to remember a password for every online service you use has proven to be a daunting task not only for users but also for businesses that must store the credentials to authenticate those users. Considering the dramatic increase in data security breaches in recent years, it's no wonder that the competition amongst password management software continues to increase.

Personally, I use a password manager that supports all the devices I use (MacOS X, iOS and Android) and has the ability to sync across them. Not only does a password manager store your username/password pairs in a secure file, but it also has the ability to generate passwords with a high entropy to guard against a brute force attack. But even this is a game of chase. Just like in the world of anti-virus software, it's kind of a reactionary game. That is, only as new viruses are discovered can the signatures of those viruses be added to the anti-virus software. The same applies to passwords -- as the ability to crack stronger passwords only becomes easier, the requirements for passwords become more strict. At some point the whole idea of passwords will become a counterintuitive exercise. Many services also require the use of security questions for password recovery but this is also a losing game given that most of the security questions offered are largely the same across many unrelated services. It makes me wonder if eventually the use of a text based password is simply an invitation for a security breach (e.g., 'Oh this person is using a text-based password only, no problem we'll just crack it').
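
To put numbers on the "game of chase" described above, here is an added example (not part of the original post) that generates a random password, computes its entropy, and shows how the minimum safe length grows as an attacker's guessing speed increases. The guess rates and the 100-year target are constructed assumptions for illustration, not measurements.

```python
import math
import secrets
import string

# 94 printable symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed attacker speeds (guesses per second), assumed for illustration.
ASSUMED_RATES = [1e6, 1e9, 1e12]


def generate_password(length, alphabet=ALPHABET):
    """Draw each character independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate (the average hit takes half this)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def min_length(alphabet_size, guesses_per_second, target_years):
    """Shortest random password whose full search lasts at least target_years."""
    needed_bits = math.log2(guesses_per_second * SECONDS_PER_YEAR * target_years)
    return math.ceil(needed_bits / math.log2(alphabet_size))


def chase_table(alphabet_size=len(ALPHABET), target_years=100):
    """Minimum length per assumed attacker speed: the requirement keeps rising."""
    return [(rate, min_length(alphabet_size, rate, target_years))
            for rate in ASSUMED_RATES]


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    for rate, length in chase_table():
        print(f"{rate:.0e} guesses/s -> at least {length} random characters")
```

This only models passwords drawn uniformly at random, which is what a password manager's generator produces; human-chosen passwords carry far less entropy than their length suggests.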

Beyond the cracking of passwords, consider how much companies spend to support usernames and passwords. Just the other day I was locked out of a system and had to actually call the help desk for assistance because there was no online password recovery offered. Now think about the fact that the help desk I contacted supports many thousands of users all over the world. In fact, my need for support with a password is such a common request that there is a category in the phone tree dedicated to password support. I hazard a guess that the investment to provide this support alone is probably fairly high.

To protect against simple password cracking we've seen the rise of multi-factor authentication (MFA) whereby a password plus some other out-of-band methods are used for authentication such as a text sent to your mobile device, a phone call to your phone number of choice, etc. Financial institutions typically provide this capability and even Amazon provides an MFA feature to secure an AWS environment. Many companies provide employees with a small two-factor authentication device -- I'm sure you've seen a SecurID token from RSA, a similar device from Symantec or smart cards from various companies, but even these have been breached and/or have been proven to be flawed. Furthermore, these solutions are aimed at the SMB and enterprise markets for distribution to employees, not at the general consumer market. And beyond that, I've even been locked out of a SecurID token before which required a phone call to a help desk!

Earlier this year, a new group named Fast IDentity Online Alliance (FIDO) launched to bring forth a new type of multi-factor authentication and new usage models. From the FIDO website's description of What Makes FIDO Different?:

"The range of technologies supported by the FIDO protocol will include biometrics such as fingerprint scanners, voice and facial recognition, as well as existing authentication solutions such as Trusted Platform Modules (TPM), Near Field Communication (NFC), One Time Passwords (OTP) and many others."

To learn more about FIDO, check out the How FIDO Works page describing the protocol. Here's an image about it:

[Image: How FIDO Works]



The short story is that a three-way binding occurs between the user, the device and the vendor's back-end system, and all three need to be present to use the system. What is intriguing to me is that this protocol is aimed at end users/consumers -- people like you and me.

The first company to be considered FIDO certified is Nok Nok Labs in Palo Alto, CA. This company provides a commercial solution to implement the FIDO protocol and is currently testing it at about 15 companies. What's really needed is adoption of such a solution by popular online services, and Nok Nok Labs is already testing its solution with PayPal.

Not only would it be more comforting to know that my payments and my funds are secured by more than a username/password pair, but it would also be more convenient not to have to remember a password for every website I use. But until something like the FIDO protocol becomes ubiquitous, we must continue to live with what we've got today.