Mobile operator authentication

Zero Trust is increasingly adopted as the best strategy to maintain application security and prevent data breaches. To help move forward on Zero Trust, there is now a new, easy way to implement continuous user verification by hooking directly into the authentication systems that mobile operators already run, without the overhead of processing or storing customer data.

Before we show you how it works and how to integrate it, let’s start with the fundamental challenge.

Zero trust and authentication

The Zero Trust identity verification model essentially means never assuming that a returning user is who they say they are, regardless of their location or previous successful logins. Zero Trust is a strategic approach to access management that is vital to keeping bad actors out.

As the world moves to the cloud, with an increasingly distributed network of employees, partners and customers, tighter authentication paths become even more important.

But with greater security comes greater friction – users have to invent complex passwords, memorize security questions, and interrupt their workflows with authenticator app codes, SMS PINs, and other multi-factor authentication (MFA) methods.

The trade-off between security and UX

We know that knowledge factors like passwords are far from ideal. Compromised passwords are the root cause of the majority of data breaches and attacks, and Forrester Research estimates that in the enterprise environment each employee password reset costs around $70 in technical support. That is before counting the frustrating user experience overall.

Biometrics, on the other hand, are unrealistic as a Zero Trust requirement for the average user, and there is no need to collect such sensitive personal information for every type of access.

Possession factors are a strong middle ground, and proof of mobile device ownership is close to universal. In addition, a mobile phone number is far less sensitive than biometric data.

However, possession controls that rely on codes have weaknesses of their own: SMS codes are exposed to SIM swap attacks, and any code the user types, including one from an authenticator app, can be phished and relayed by a man-in-the-middle (MITM). They also create UX problems: SMS codes that never arrive, and the pressure of copying digits from an authenticator app against a countdown.

A simpler and safer possession factor that still satisfies Zero Trust is already in users' hands: the mobile phone and the SIM card inside it.

How to verify users by connecting directly to mobile networks

The SIM card in the phone is already authenticated with the mobile network operator (MNO). It is SIM authentication that allows mobile subscribers to make and receive calls and to connect to data. You can now use this same authentication for your own website or mobile app, using tru.ID.

tru.ID partners directly with global operators to provide three types of API that integrate with the network's authentication infrastructure, working over the data connection and without collecting any Personally Identifiable Information (PII) beyond the phone number being checked. The SIMCheck API reports whether the SIM card associated with a phone number has changed recently, providing silent and continuous verification.

Zero friction, zero trust, zero knowledge

SIM-based authentication is invisible to the user: the SIM card verification takes place in the background once the user has entered their mobile phone number. If your site or app already holds the mobile phone number, that is even better: no user action is required at all. This creates a seamless account experience without compromising security.

No personally identifiable user data or app information is exchanged during the MNO number and SIM lookup: the verification runs over the data connection and validates the carrier's own records.

How to start

For continuous Zero Trust authorization in the background using the SIM card, SIMCheck is recommended; it is quick to adopt and integrates entirely server-side. If the lookup reports a recent SIM change, you can decide to require additional verification.

How is all this done programmatically? With an API call. When something happens on the client side that requires escalation or a security check, the client notifies the server, and the server makes this API call to check whether the SIM associated with the user's phone number has changed:

curl --location --request POST 'https://eu.api.tru.id/sim_check/v0.1/checks' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <Token>' \
  --data-raw '{"phone_number": "<PhoneNumber>"}'

The response from the SIMCheck API will look like this, where the `no_sim_change` property is the key to tell us if the SIM card has changed recently:


{
    "check_id": "<CHECK_ID>",
    "status": "COMPLETED",
    "no_sim_change": true,
    "charge_amount": 1.00000,
    "charge_currency": "API",
    "created_at": "2021-07-13T23:44:19+0000",
    "snapshot_balance": 10.000
}

The server then tells the client whether the transaction or request may proceed. If the check reports a SIM change, your site or app can either deny access or require an additional, non-telephone form of authentication. Treat a SIM change as a risk signal rather than proof of compromise: legitimate users replace SIMs too, so step-up is usually the better default, with outright denial reserved for high-risk actions.
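The server-side flow just described, as an added example rather than tru.ID's own SDK or sample code: it builds the exact request shown above, parses the response, and maps it to an allow / step-up / deny decision. The endpoint, headers and response fields are taken from the article; the E.164 pre-check, the fail-closed handling of any non-COMPLETED status, the `high_risk` policy switch and the sample responses are assumptions of this example, and the sample responses are constructed, not captured from the API.

```python
"""Server-side SIMCheck call and step-up decision.

Added example for this article, not tru.ID's own code. Endpoint, headers and
response fields are those shown in the article; the decision policy, the
E.164 pre-check and the sample responses below are this example's assumptions.
"""
import json
import re
import urllib.request

# Endpoint and request shape exactly as in the curl command in the article.
SIM_CHECK_URL = "https://eu.api.tru.id/sim_check/v0.1/checks"

# Assumption: numbers are sent in E.164 form ("+" then up to 15 digits).
# Rejecting anything else locally avoids spending a (billed) check on input
# that cannot match a subscriber.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def sim_check_request(token: str, phone_number: str) -> urllib.request.Request:
    """Build the POST from the article. `token` is the OAuth2 bearer token
    obtained from tru.ID beforehand (how to obtain it is out of scope here)."""
    if not E164.match(phone_number):
        raise ValueError(f"not an E.164 number: {phone_number!r}")
    body = json.dumps({"phone_number": phone_number}).encode("utf-8")
    return urllib.request.Request(
        SIM_CHECK_URL,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",
        },
    )


def run_sim_check(token: str, phone_number: str, opener=urllib.request.urlopen) -> dict:
    """Perform the call and return the parsed JSON body. `opener` is injectable
    so the function can be exercised with a fake transport and no network."""
    with opener(sim_check_request(token, phone_number), timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def decide(check: dict, high_risk: bool = False) -> str:
    """Map a SIMCheck response to 'allow', 'step_up' or 'deny'.

    - A check that is not COMPLETED proves nothing, so fail closed.
    - `no_sim_change` is compared with `is True`: a missing field or the
      string "true" must never be read as a clean result.
    - A recent SIM change is a risk signal, not proof of compromise: by
      default ask for a non-telephone factor; for high-risk actions deny.
    """
    if check.get("status") != "COMPLETED":
        return "deny"
    if check.get("no_sim_change") is True:
        return "allow"
    return "deny" if high_risk else "step_up"


# Constructed sample responses, shaped like the one shown in the article.
RESPONSE_CLEAN = {
    "check_id": "example-check-id", "status": "COMPLETED", "no_sim_change": True,
    "charge_amount": 1.0, "charge_currency": "API",
    "created_at": "2021-07-13T23:44:19+0000", "snapshot_balance": 10.0,
}
RESPONSE_SWAPPED = dict(RESPONSE_CLEAN, no_sim_change=False)
# "PENDING" is a made-up status value here; anything other than COMPLETED is
# handled identically by decide().
RESPONSE_PENDING = dict(RESPONSE_CLEAN, status="PENDING", no_sim_change=None)


if __name__ == "__main__":
    # Offline demonstration over the constructed responses.
    for name, resp in [("clean", RESPONSE_CLEAN), ("swapped", RESPONSE_SWAPPED),
                       ("pending", RESPONSE_PENDING)]:
        print(f"{name:8s} -> {decide(resp)} (high-risk: {decide(resp, high_risk=True)})")
```

In production the client never sees the raw SIMCheck response; it only receives the server's decision, which keeps the bearer token and the operator lookup entirely server-side as the article recommends.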

Want to try it out for yourself? You can start testing for free and make your first API call in minutes: just sign up with tru.ID or check the Documentation. tru.ID would also like to hear from the community to discuss case studies.

To learn more about how SIM-based authentication works, you can read about User Authentication with SubscriberCheck here.
