Passwordless verification API turns every mobile phone into a security token for zero trust access

What’s small, tamper-proof, cryptographically secure, and already in use by 6.37 billion people?

The SIM card. We carry this compact secure technology everywhere without thinking about it as such, taking for granted the way it connects us to the mobile network to make phone calls, send SMS, browse, buy and send / receive payments.

But behind the apparent ease of letting customers onto the GSM network lies a formidable security architecture that authenticates, encrypts, connects and invoices. You never have to log in to the network yourself to use the phone – that happens in the background through the SIM card.

Additionally, mobile subscriber identity is one of the most widely used forms of digital identity. The combination of mobile phone number and SIM card provides strong credentials for pairing the device, so much so that some governments are adopting it as a form of digital identification.

Now companies can adopt it too. This latest MFA innovation – SIM-based authentication – is now available as an API for mobile web or app-based authentication of customers and employees.

The security dilemma

User authentication, in its most basic form, usually consists of a username and password, with all the associated issues. To reinforce this vulnerable approach, multi-factor authentication (MFA) methods are added to provide greater security. But they add more friction and are often just as vulnerable.
The choice of technology for Identity and Access Management (IAM) involves an ongoing assessment of tradeoffs between security, deployability, usability, and cost.

But, if SIM-based authentication provides strong identity verification that works like magic, why aren’t more businesses using it? Simply put, it wasn’t possible – until now.

Louder than SMS

SIM authentication should not be confused with one-time access codes sent by SMS. Although SMS OTP has become the de facto standard for two-factor authentication, especially in consumer applications, SMS 2FA is flawed.

First, it just proves that the user has access to a phone number, potentially through social engineering, and not possession of a physical security token / device. As a result, SMS OTP can be used for account takeover fraud. Second, it creates an interrupted user experience which can lead to delays and frustration.

SIM-based authentication is impervious to man-in-the-middle attacks as it cannot be intercepted and provides an invisible and transparent user experience.

Simpler than hardware

On the other side of the MFA spectrum is the dedicated hardware token – expensive equipment typically delivered to a few high-risk people in an organization or to VIP clients.

The token solution doesn’t scale for cost and support reasons, and users don’t like it.

In contrast, SIM-based authentication turns every existing mobile phone into a hardware security token – a token that users already have on them – with a seamless experience that thrills.

Trust BYOD with Passwordless SIM Authentication

SIM-based authentication is finally available as an API (and soon to be an authenticator app), which easily integrates with existing IAM platforms through OIDC.

With tru.ID passwordless verification, businesses can turn every mobile phone into a hardware security token for IAM, reducing additional hardware costs and finally bringing confidence to Bring-Your-Own-Device (BYOD) environments.

How it works: login without password

A great use case for the tru.ID APIs is to build a password-less solution for remote login, using a companion app to access an enterprise system. Here is an example of a workflow:

SIM based authentication

Preface: The end user either has an enterprise app on their phone or uses the tru.ID authenticator app. Both include tru.ID SDKs to enable SIM based authentication.

1. User attempts to log into a corporate system (email, data dashboard, etc.). This can be on desktop or mobile.
2. The system identifies the user trying to log in and sends a push notification.
3. The mobile device and corporate app receive the push notification and the user is prompted to confirm or reject the connection attempt.
4. When the user approves, a request is made to the tru.ID API through a backend to create a verification URL for that user’s registered phone number.
5. The company app will then ask to verify the URL over the mobile data connection using a tru.ID SDK. This is the step where the mobile network operator and tru.ID verify that the phone number of the current device matches the phone number that the user has registered on the login system. Note that no PII is exchanged. This is purely a URL-based search.
6. After the request is completed, the system will be informed by tru.ID whether the request for URL verification and phone number match was successful. This is done via a webhook.
7. If the phone number verification was successful, the user is logged in.

Although there are a number of steps in this approach, it is important to note that the user has only one action: to confirm or reject the connection.
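The backend side of steps 4 to 7, as an added illustration that is not tru.ID's code or API: the login system binds the verification to the pending login and its registered number, then accepts a webhook result only if it is authentic, unexpired, unused and reports a match. The HMAC-signed webhook, its JSON shape and the check identifier are assumptions standing in for the real contract.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Assumption: the webhook is authenticated with an HMAC over its body. The secret,
# payload shape and check identifier are constructed for this example.
WEBHOOK_SECRET = b"constructed-shared-secret"
CHECK_TTL = 120  # seconds a verification URL stays acceptable


@dataclass
class PendingLogin:
    user: str
    registered_phone: str  # number on file for this user; never sent in the webhook
    created: float
    check_id: str = ""  # set once the user approves the push (step 4)


pushed: dict[str, PendingLogin] = {}
pending_by_check: dict[str, PendingLogin] = {}


def start_login(user: str, registered_phone: str, now: float) -> str:
    """Steps 1-2: identify the user and send the push; returns the push id."""
    push_id = secrets.token_urlsafe(16)
    pushed[push_id] = PendingLogin(user, registered_phone, now)
    return push_id


def approve_push(push_id: str) -> str:
    """Steps 3-4: the user approved, so create a verification bound to the registered
    number. The returned check id stands in for the id of the verification URL."""
    login = pushed.pop(push_id)
    login.check_id = secrets.token_urlsafe(16)
    pending_by_check[login.check_id] = login
    return login.check_id


def sign_webhook(body: bytes) -> str:
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


def handle_webhook(body: bytes, signature: str, now: float) -> tuple[bool, str]:
    """Steps 6-7: log in only for an authentic, unexpired, single-use, matching result."""
    if not hmac.compare_digest(sign_webhook(body), signature):
        return False, "bad signature"
    event = json.loads(body)
    login = pending_by_check.pop(str(event.get("check_id")), None)  # single use
    if login is None:
        return False, "unknown or already used check"
    if now - login.created > CHECK_TTL:
        return False, "check expired"
    if not event.get("match"):
        return False, "phone number mismatch"
    return True, login.user
```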

To start

tru.ID covers more than 2 billion mobile subscriber identities in 20 markets, in partnership with Vodafone, Telefonica, KPN, Orange Mobile, among others.

tru.ID can’t wait to hear from the community – just visit the website for a demo, or start testing for free and make your first API call within minutes.

About Geraldine Higgins
