Passwordless verification API transforms every mobile phone into a security token for zero trust access

What is small, tamper-proof, cryptographically secure, and already used by 6.37 billion people?

The SIM card. We carry this compact piece of secure tech everywhere without thinking of it as such, taking for granted how it connects us to the mobile network to make phone calls, send text messages, browse, buy and send/receive payments.

SIM-based authentication

But behind the apparent effortlessness of enabling customers to use the GSM network lies a formidable security architecture that authenticates, encrypts, connects, and bills. You don’t have to log into the network to use the phone – it happens in the background via the SIM.

Moreover, the mobile subscriber identity is one of the most widely used forms of digital identity. The pairing of the mobile number and SIM card provides strong authentication credentials for device binding, so much so that some governments are adopting it as a form of digital ID.

Now businesses can adopt it too. This latest innovation in MFA – SIM-based authentication – is now available as an API for either mobile web, or app-based authentication of customers and employees.

The security dilemma

User authentication, at its most basic, typically consists of a username and password – with all the associated problems. To strengthen this vulnerable approach, multi-factor authentication (MFA) methods are added to provide greater security. But they add more friction and are often equally vulnerable.

The choice of technology for identity and access management (IAM) involves a continuous assessment of the trade-offs between security, deployability, usability, and cost.

But, if SIM-based authentication provides strong identity verification that works like magic, why aren’t more businesses using it? Put simply, it wasn’t possible – until now.

Stronger than SMS

SIM authentication must not be confused with one-time passcodes sent over SMS. Although SMS OTP became the de facto standard for two-factor authentication, particularly in consumer apps, SMS 2FA is flawed.

Firstly, it merely proves the user has access to a phone number, potentially through social engineering, not possession of a physical security token / device. As a result, SMS OTP can be used in account takeover fraud. Secondly, it creates an interrupted user experience that can cause delays and frustration.

SIM-based authentication is impervious to man-in-the-middle attacks as it cannot be intercepted, and provides an invisible, seamless user experience.

Simpler than hardware

On the other side of the MFA spectrum is the dedicated hardware token – a costly piece of equipment usually issued to a few high risk individuals in an organisation, or VIP customers.

The token solution doesn’t scale for cost and support reasons, and users don’t love it.

In contrast, SIM-based authentication turns every existing mobile phone into a hardware security token – one that users already have on them – with a seamless experience that delights.

Trust in BYOD with passwordless SIM authentication

SIM-based authentication has finally become available in the form of APIs (and soon an authenticator app), which integrate easily into existing IAM platforms via OIDC.

With tru.ID passwordless verification, businesses can transform every mobile phone into a hardware security token for IAM, saving costs on extra hardware, and finally bringing trust to Bring-Your-Own-Device (BYOD) environments.

How it works: passwordless login

A great use case for tru.ID APIs is to build a passwordless solution for remote login, using a companion app to access an enterprise system. Here’s an example workflow:

Preface: The end user has a company app on their phone, or is using the tru.ID authentication app. Both include the tru.ID SDKs to enable SIM-based authentication.

1. The user attempts to log in to a company system (email, data dashboard, etc.). This can be on desktop or mobile.
2. The system identifies the user attempting to log in and sends a Push Notification.
3. The mobile device and the company app receive the Push Notification and the user is prompted to Confirm or Reject the login attempt.
4. When the user approves, a request is made to the tru.ID API via a backend to create a Check URL for that user’s registered phone number.
5. The company app will then request that Check URL over the mobile data connection using a tru.ID SDK. This is the stage when the mobile network operator and tru.ID verify that the phone number for the current device matches the phone number the user has registered on the login system. Note that no PII is exchanged. This is purely a URL-based lookup.
6. Once the request has completed, the system will be informed by tru.ID whether the Check URL request and phone number match was successful. This is achieved via a webhook.
7. If the phone number verification was successful, the user is logged in.

Although there are a number of steps in this approach, it’s important to note that the user only has one action: to Confirm or Reject the login.
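
The backend side of this workflow, as an added example (not tru.ID's code or API, and not part of the original article): a minimal state machine that ties each check to the login attempt that created it, so a webhook result is accepted once, only for a check the backend itself issued, and only before the attempt expires. The function names, the `provider.example` URL, the TTL and the phone number are assumptions constructed for illustration; step 5 happens on the device and is not modelled.

```python
import secrets
import time

ATTEMPT_TTL = 120  # seconds a login attempt stays valid (assumed value)
REGISTERED = {"alice": "+447700900001"}  # constructed directory: user -> number on file
attempts = {}  # attempt_id -> {"user", "state", "expires"}
by_check = {}  # check_id -> attempt_id, for checks this backend created


def _clock(now):
    return time.time() if now is None else now


def start_login(user, now=None):
    """Steps 1-2: record the attempt; the push notification is sent here."""
    attempt_id = secrets.token_urlsafe(16)
    attempts[attempt_id] = {"user": user, "state": "PUSH_SENT",
                            "expires": _clock(now) + ATTEMPT_TTL}
    return attempt_id


def create_check(phone_number):
    """Stand-in for the provider call in step 4 (hypothetical, not tru.ID's API)."""
    check_id = secrets.token_urlsafe(8)
    return check_id, f"https://provider.example/checks/{check_id}/redirect"


def user_responded(attempt_id, approved, now=None):
    """Steps 3-4: on Confirm, create a check for the number on file, never one sent by the app."""
    a = attempts.get(attempt_id)
    if a is None or a["state"] != "PUSH_SENT" or _clock(now) > a["expires"]:
        return None
    if not approved:
        a["state"] = "REJECTED"
        return None
    check_id, check_url = create_check(REGISTERED[a["user"]])
    a["state"] = "CHECK_PENDING"
    by_check[check_id] = attempt_id
    return check_id, check_url


def webhook(check_id, match, now=None):
    """Steps 6-7: accept one result per check; unknown or replayed ids are ignored."""
    attempt_id = by_check.pop(check_id, None)
    a = attempts.get(attempt_id)
    if a is None or a["state"] != "CHECK_PENDING" or _clock(now) > a["expires"]:
        return "ignored"
    a["state"] = "LOGGED_IN" if match else "DENIED"
    return a["state"]
```
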

Get started

tru.ID covers over 2 billion mobile subscriber identities in 20 markets, in partnership with Vodafone, Telefonica, KPN, Orange Mobile, amongst others.

tru.ID is keen to hear from the community – just visit the website for a demo, or start testing for free and make your first API call within minutes.
