Mobile Carrier Authentication

Zero Trust is increasingly being adopted as the best strategy to maintain application security and prevent data breaches. To help achieve progress on Zero Trust, there is now a new, easy way to implement continuous user verification by connecting directly to the authentication systems used by mobile operators – without the overhead of processing or storing user data.

Before we show you how it works and how to integrate it, let's start with the fundamental challenge.

Zero Trust and Authentication

The Zero Trust model of identity verification essentially means never trusting that a returning user is whom they claim to be, regardless of their location or previous successful attempts. Zero Trust is a strategic approach to access management that is vital for keeping out bad actors.

As the world moves to the cloud, with an increasingly distributed network of employees, partners, and clients, tighter auth journeys become even more important.

But with greater security comes greater friction – users have to invent intricate passwords, remember security questions, and interrupt their workflows with authenticator app codes, SMS PINs, and other multi-factor authentication (MFA) methods.

The Trade-off Between Security and UX

We know that knowledge factors like passwords are less than ideal. Compromised passwords are behind the majority of data breaches and attacks, and Forrester Research estimates that in the enterprise environment, each employee password reset costs $70 in help desk support. That's without taking into account the overall frustrating user experience.

Biometrics, on the other hand, is unrealistic as Zero Trust requirements for the average user. You also don't need to request such personal information for all types of access.

Possession factors provide a solid middle ground, and proof of possession of a mobile device is more universal. Plus, mobile phone numbers aren't overly personal.

However, possession checks which use codes – even authenticator apps – are vulnerable to man-in-the-middle (MITM) and SIM swap attacks, as well as creating UX problems – from SMS codes that never arrive to the pressure of typing numbers from an authenticator app against a countdown.

A simpler and safer form of checking possession factor while maintaining Zero Trust is already in users' hands – it's the mobile phone and the SIM card inside it.

How to Verify Users by Connecting Directly to Mobile Networks

The SIM card within the phone is already authenticated with the Mobile Network Operator (MNO). It is SIM authentication that allows mobile customers to make and receive phone calls and connect to data. Now you can use this same powerful authentication method for your own website or mobile app, using tru.ID.

tru.ID partners directly with global carriers to offer three kinds of APIs that integrate with the network's authentication infrastructure, using the data connection and without collecting any personally identifiable information (PII). The tru.ID API verifies whether the SIM card associated with the phone number has recently changed, providing silent, continuous verification.

Zero Friction, Zero Trust, Zero-Knowledge

SIM-based authentication is invisible to the user – the check of the SIM happens in the background once the user inputs their mobile number. If your site or app already has the mobile phone number stored, even better - there's no user action required at all. This improved UX creates seamless account experiences without compromising security.

No personally identifiable user data or application information is exchanged during the MNO number and SIM lookup – the check is over a data connection and validates official carrier information.

How to Get Started

For continuous Zero Trust authorization in the background using the SIM, SIMCheck is recommended, having the additional benefit of being a quick, easy, and server-side integration. Should the lookup return recent changes to the SIM, you may choose to implement additional step-up verification.

How is all this achieved programmatically? With one API call. When something happens on the client side which requires a step up or security check, the client informs the server, which makes this API call to check if the SIM has changed for the user's phone number:

curl --location --request POST '' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <Token>' \
--data-raw '{"phone_number": "<PhoneNumber>"}'

The SIMCheck API response will look something like this, where the `no_sim_change` property is the key to tell us whether the SIM card has changed recently:

{ "check_id": "<CHECK_ID>", "status": "COMPLETED", "no_sim_change": true, "charge_amount": 1.00000, "charge_currency": "API", "created_at": "2021-07-13T23:44:19+0000", "snapshot_balance": 10.000

After this, the server informs the client whether the transaction or request can proceed. If it fails, your site or app can either deny access, or require an additional, non-telephonic form of authentication.

Want to try it for yourself? You can start testing for free and make your first API call within minutes – just sign up with tru.ID or check the documentation. tru.ID is keen to hear from the community to discuss case studies.

To learn more about how SIM-based authentication works, you can read about authenticating users with SubscriberCheck here.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.