When connecting to the Internet via Dial-Up, why did ISPs require a username/password to authenticate the session?

Question

It's been many years now, but when I used to connect to the Internet via Dial-Up back in the day I noticed at the time that as well as entering the phone number for my Dial-Up provider, a username/password were also required. Why did Dial-Up providers use this method of authentication - could the identity of the connecting party not simply be identified by their phone number?

A login also allowed a parent to more easily control a child's access to the internet. — Tim Locke, Apr 10 '20 at 18:27
If there was no password, how would the ISP keep people who hadn't paid for internet from using the network? Most people had a phone line and anyone could buy a computer and a modem. — Tim Locke, Apr 10 '20 at 18:28
Was this perhaps a US thing? I don't remember having to do it when I first encountered the internet which would have been via Demon in the UK in the early 1990s. — Alan B, Apr 10 '20 at 18:55
@AlanB It wasn't only a US thing. I had dial-up in the UK in the mid 90s, and we definitely needed a username and password. Worked flawlessly in Windows, of course, but finding the right incantation to get it just so on Linux was a chore. — Dranon, Apr 10 '20 at 21:25
Note that it is not only for dial-up but username/password is still used today for DSL and fiber internet - only most people never bother to know what their username or password is and both username and password is often set up by the installer/cable guy — slebetman, Apr 11 '20 at 04:04
I remember, at the sunset of the dialup technology we (in Bulgaria) actually did have dialup without authentication. The Internet fee went to the phone bill. — fraxinus, Apr 11 '20 at 11:53
My assumption was that as @fraxinus mentioned, charges for the service were simply added onto the bill of the originating phone number - and that was how ISPs were paid for the service. Was this in fact not the case - was a monthly fee or similar charged? — elliott94, Apr 11 '20 at 17:56
@elliott94 originally ISPs charged for dial up accounts and then gave you a local number to call to keep the call costs low. Only relatively late in the day for dial up did the model change to be supported by the call revenue itself only in some markets. — Flexo, Apr 11 '20 at 18:01
In our case the ISPs registered as a phone companies and lived only on "termination fees" (it was shortly after the billing for local calls changed from connection-based to duration-based). — fraxinus, Apr 11 '20 at 18:36
They still do. One reason is non-repudiabilty. They need some proof that it was you to be able to charge you without you being able mot repudiate by saying it wasn't you, — user207421, Apr 11 '20 at 23:01
In Argentina, in the late 90s and early 00s, there were several free dial up providers, and they all required a password. — Martin Argerami, Apr 12 '20 at 06:07
Thank you for the info - so in that case, did payment work in a similar way to today in that a monthly fee was paid to the ISP? What kind of fees were charged in those days? — elliott94, Apr 12 '20 at 18:16
@elliott94 This (the prices and billing schemes of the dial-up Internet) is a new question — fraxinus, Apr 12 '20 at 21:22
@elliott94 here it was both: you could use some default login/pwd (e.g. abc/abc) and you'd connected via your ISP and be billed with the regular land line. Or you could use a prepaid card which'd include unique login/pwd for you to use. — Dan M., Apr 13 '20 at 11:02
@slebetman not in my experience. When I had a CableCo ISP, the company knew that a specific wire went to my address (which just so happened to be my CableCo billing address. Now I use ATT Fiber with a vendor-supplied router; the installer most certainly updated their system with my router's MAC address. — RonJohn, Mar 01 '23 at 14:22
@RonJohn I've never seen a router that didn't require Username/Password setup for access to the ISP. For example this is my router setting connected to a fiber network: https://static.rcgroups.net/forums/attachments/2/6/7/7/4/4/a17029599-138-Screenshot%20from%202023-03-02%2007-24-24.png . There are modes such as static IP setup or DHCP that doesn't use username/password but a lot of ISPs still use PPPoE or L2TP to manage subscriber accounts. My internet package also include public (paid) wifi access at malls, train stations etc. so the username/password is also used for that. — slebetman, Mar 01 '23 at 23:31
@slebetman you need to move into the First World, where broadband ISPs know what's connected to their network... :D — RonJohn, Mar 02 '23 at 01:24
@RonJohn It's off topic but I'd rather develop my own country than be a foreigner in my own home/house/apartment. In any case. I never said all ISPs do this. I just said a lot of ISPs configure their systems this way but most people don't realise it. I'd even wager that this is the majority of ISPs globally but I don't have statistics either way. Only that all ISPs around here do it this way. The upside is when you move house you can still use your old account with your old router - you only need to pay for connecting the fiber if it's not yet connected. — slebetman, Mar 02 '23 at 01:53
@slebetman as shockingly as it seems, Cox and ATT must be more competent than the average ISP. For example, I moved a few years ago: called up Cox and told them I was moving on a specific day; on that day, I disconnected my cable modem from my old home, plugged it in at my new home, and viola, I had service. I'm certain that it would be just the same with ATT. — RonJohn, Mar 02 '23 at 16:41

score 59 · Accepted Answer · answered Apr 10 '20 at 18:29

59

No, the identity of the customer couldn't be confirmed by the phone number alone, for a number of reasons:

Customers expected to be able to call in from different locations, using different stationary phone lines and therefore different phone numbers each time.
Caller ID wasn't that widespread in the 1990s, and wasn't available for all phone companies in all countries.
Caller ID could be faked.

answered Apr 10 '20 at 18:29

sfrey

606
6
2

10

Besides that, a landline connection can easily be hijacked with very easy methods. Especially in an apartment building. – UncleBod Apr 10 '20 at 23:03
12

Adding to your point #2: Some phone companies charged money to receive caller ID. In contrast, username/password authentication costs nothing to the ISP. – DrSheldon Apr 11 '20 at 02:44
1

@DrSheldon - some companies still do charge for Caller ID: Bell Canada, for example. – scruss Apr 11 '20 at 14:06
8

And Caller ID can still be faked (aka "spoofed") today, quite simply, easily and legally. There are literally companies out there offering this as a service. Just google them. Anyone off the street, including you and me, can use that. – Vilx- Apr 11 '20 at 20:45
2

@Vilx- Indeed, it was one of the methods commonly used in the News International phone hacking scandal, which worked exactly because some voicemail services didn't ask for a password/PIN by default! – JBentley Apr 12 '20 at 11:36
I would add: sometimes you want to dial in from somewhere other than your home. Some ISPs (uunet, psinet, concentric, adpnet) had POPs that spanned most of the USA. FWIW there's a hard-to-fake variant of caller ID called ANI, but that only applies to toll-free numbers. – fadden Apr 12 '20 at 15:26
@DrSheldon I imagine a dial-up ISP could negotiate quite good pricing for that – user253751 Apr 12 '20 at 23:30

score 21 · Answer 2 · answered Apr 10 '20 at 23:53

21

In addition to sfrey's answer, using caller ID would prevent multiple accounts logging in from the same phone number, as in a family situation or a small office.

But the real reason is probably due to technical ease. Most ISPs offering dial-up service were essentially leasing UNIX accounts and disk space (or accounts on similar multi-user systems). The username/password requirement was dictated by those systems' existing authentication mechanisms.

answered Apr 10 '20 at 23:53

Jim Nelson

3,783
1
18
34

5

The RADIUS protocol was developed in 1991, and standardized in 1997 (https://en.wikipedia.org/wiki/RADIUS). ISPs didn't purchase dozens of modems to connect them to some self-built authentication server; they bought access concentrators like this which, of course, supported radius. – Guntram Blohm Apr 11 '20 at 06:34
8

1997 was quite late in the home internet era. I walked into a local store in late 1994, and came out clutching a username, password, IP address, and list of local dialup numbers. I don't think I was on the bleeding edge of anything. – – dave Apr 11 '20 at 13:26
@another-dave - Why an IP address - what would this have been used for when connecting via dial-up? – elliott94 Apr 12 '20 at 18:11
1

@elliott94 Presumably, that was another-dave's allocated IP address, which it seems reasonable for an ISP's new customer to want to know. I guess it may have been necessary to have to hand if using a device which didn't support negotiating that with the far end, requiring manual configuration. – Carcer Apr 12 '20 at 18:24
4

Yup. It was my IP address, to be configured into my computer. DHCP wasn't a thing they needed (this was a two-men-and-a-dog ISP, before they got bought out by a regional company). Static address at no extra charge. – dave Apr 12 '20 at 19:37
As someone who traveled with some frequency and had multiple phone lines in the house, it was my expectation that billing for dialup was tied to concurrent sessions and not the physical address of my house or a specific phone line. – le3th4x0rbot Apr 13 '20 at 10:52
@elliott94 At the time, running out of ipv4 addresses would have seemed an almost comical notion. – le3th4x0rbot Apr 13 '20 at 10:54
3

@another-dave, I paid a visit to resolve a technical problem with the two-men-and-a-dog ISP serving a small company where I once worked. They had a two-room, generic rented office. When I asked to see the modems, they showed me the coat closet, which contained a couple of rack-mounted PCs, and on the floor beside the rack, a tangled heap of desktop modems, wall-wart power supplies, outlet strips, and cords. Modems showed visible signs of chronic over-heating (discoloration and warping of the plastic cases.) Cancelled our contract, and found a bigger ISP that same week. – Solomon Slow Apr 13 '20 at 11:16
2

Oh, I had the reverse experience. The service was great when I had the small ISP - I could always talk to someone possessed of clue. Alas, the small ISP grew to the point at which a regional ISP offered the founder an offer he could not refuse (and which made him rich, which he deserved), and I had to deal with the help desk thereafter. Actually, at the weekend I found online memorabilia of the company before it was sold, and it seems they'd quickly expanded to hiring many more people and perhaps more dogs (for all I know) – dave Apr 13 '20 at 17:53

score 14 · Answer 3 · answered Apr 12 '20 at 03:01

Both of the existing answers here get at the issues involved (accounts are expected to be able to roam, multiple account holders may call from the same phone number, etc.) but there was another issue at play that complicated the whole situation: Very often, the service you were connecting to didn't know your phone number — nor did they care.

A brief digression to more recent developments

When ISDN came along, and then DSL after it, you'll notice that authentication largely disappeared from the equation — at least, for a while. Eventually some providers added it back in. (I remember there being a Windows system tray app from Verizon that you had to authenticate with, after connecting to their DSL service.)

But for users with original ISDN-level service, typically it was sold by the company that physically provisioned the line (or a company partnered with them), and billed as a hardware/service package bundled with the line it was delivered over. And in those situations, one of the attractive features was that there was indeed no authentication necessary — your modem just auto-dialed the number your provider supplied, and you were online. It worked much the same way that cable modems, today, typically don't require sign-in — the modem's physical connection to the broadband drop is more than adequate to identify you as the recipient of the service, especially since most providers authenticate the hardware itself.

Prior to that, controlled chaos

But like I said, that was one of the big changes that telco-managed dialup brought. Until that point, dialup service was nearly always provided by a company with no relationship whatsoever to the one that you bought your telephone service from, which is what led to all of the things Jim and sfrey pointed out. For a company with no ties to your telco, making your access to their service dependent on the number you called from just wouldn't have made any sense. Not only is caller ID easy to spoof and unreliable, but your dialup provider wouldn't have wanted to deal with the hassle of updating your account if, say, you moved and changed your phone number. You could still use the exact same service you had before, assuming they provided a toll-free dialup in your new location.

ISPs didn't always authenticate dialup users, by the way. There were situations where they didn't bother — not because they used your phone number or any other means to identify you, but simply because they didn't need to know who you were.

Take AOL, for instance

When an AOL user dialed one of their local access numbers and connected to the service, for example, the dialup connections were typically handled by a service officially named "AOLNet", but which we referred to as "BigDial" (its original codename, when it was under development). BigDial was built and managed by ANS, a backbone network provider that eventually became an AOL subsidiary, but still an independent company which operated the service under contract to AOL.

When a call came in on one of AOL's access numbers, aside from some minor negotiation with the software itself BigDial didn't do any authentication. Not only was it unnecessary given that the software itself identified the call as an AOL connection, but there was no way for ANS to authenticate AOL users if they'd wanted to. As the network service provider, they had no access to AOL's subscription database. So, any incoming calls from AOL's software simply had their data routed to the central AOL systems in Reston, and everything from authentication onward was handled there.

AOL is only one example

The AOL situation sounds like a special case. And in the sense of it being a software-managed connection rather than a general system-wide internet connectivity service, it was. But a lot of what we think of as more traditional "dialup internet" service was provided the same way: physical connectivity provided by one company, service provided by a completely different one. Authentication was often deferred until the last link in that chain, performed by a company that had no real interest in what phone number you happened to be calling from, and plenty of incentives not to care.

How I know

For two years from 1997-1998, I was a member of the 9-person BigDial Development team at ANS.

I remember there being a Windows system tray app from Verizon that you had to authenticate with, after connecting to their DSL service. I remember that too. It was one of the stupidest things - even when the authentication was moved to the modem (or modem/router), it made no sense whatsoever as the DSL line by definition could only connect to one end customer. (Of course, there were also the times that Verizon would patch the DSL into the wrong line, but as long as it was at the correct customer premises, I'd deal with it.) — manassehkatz-Moving 2 Codidact, Apr 13 '20 at 01:56