It’s time to replace username and password with mobile number and SIM – here's why

August 31, 2021
Thomas Hull
Content Specialist

Photo by Caroline on Unsplash

Try out tru.ID

Make your first phone check in 1 minute. No app required to test. Get started for free.
Sign up

Follow us on

Github iconTwitter iconLinkedIn icon

If your identity management is still based around usernames and passwords, you’re doing attackers’ jobs for them.

How do you keep track of your users? If ‘username and password’ seems like the obvious answer, unfortunately, there are some risks you may not have considered – for both your customers and your business. 

Even if you encourage two-factor or multi-factor authentication (2FA or MFA), the username itself is a critical vulnerability. Fortunately, there are alternatives, from stronger step-up security to completely passwordless verification. 

We’ve already outlined the problem with password-based security. Now we’ll explain what makes usernames an easy target for attackers, and the secure alternative that’s easier to implement than you think… 

Usernames remove anonymity

By now, we all know we’re supposed to use a different password for each account and make them difficult to guess. But the same is rarely said for usernames. The trouble is that usernames are also useful to attackers, helping them to build a profile and compromise victims across different platforms, especially if the same username is reused. 

Because usernames are meant to be the public part of an online identity, people don’t consider making them secure in the same way – in fact, it seems more convenient to do just the opposite, using simple details the user can remember and that will identify them to their contacts across platforms. 

As a result, people are casually including their real name, date of birth, and other personal information in their usernames without a thought. Attackers are able to take advantage of this, using such personal details to build a profile in targeted account takeover attacks such as SIM swap fraud and other criminal activity. 

Repeat usernames are a link to other accounts

Even when they’re not revealing personal information, the fact that usernames are public and knowledge-based – meaning they can be entered by anyone, anywhere – is a vulnerability.

For example, let’s say John Doe has an account on a cryptocurrency service. He keeps it separate from his real identity, using the username Fluffy100 and a strong password, a combination he’s used across a few different accounts. 

Attackers trying to breach random crypto accounts don’t know who Fluffy100 is, and aren’t able to guess the password – but they do have access to leaked databases full of credentials all over the dark web. They search the database for Fluffy100, find the strong password associated with a breach from a less secure site last year, and they’re in.

Even with a low success rate, attackers are still able to profit considerably from this connection of information, and publicly visible usernames allow them to connect the dots.  

In an era where we all have hundreds, if not thousands, of online accounts, this is a very real problem – you can check if your own credentials have been compromised at HaveIBeenPwned?.

Get this article in your inbox - get The Dot.

The Dot is our regular email about digital identity and news we're certain you'll find interesting.

Who is the user behind the name? 

As well as threats to your real users, reliance on usernames is a problem from a business perspective. To keep out spambots and fraudsters, and for reliable analytics, you need to know that each user is a unique individual. But allowing them to make up a username doesn’t guarantee that. 

The security risk for real users is an advantage for malicious actors: JohnDoe1985 could be using their real details and exposing personal information… but it could also be a bot-generated username, tied to a bot-generated email address. Nowhere in this process is the user linked to a singular, unique identity which can’t be easily faked. 

A stronger, more secure alternative

Luckily, there’s an answer, and it’s simpler than you might think: authenticate users with their mobile phone number and SIM card. This solution provides both anonymity for users and confidence in their identity for your platform.

A phone number is a unique identifier, but doesn’t require the user to set a password, which can be compromised and linked to other accounts. Once you’ve verified a phone number, it can be linked to your own profile identifiers as appropriate for your service, and never shared with any other users. 

There are still risks with a phone number alone: virtual numbers can be generated online, meaning a phone number doesn’t guarantee a unique device. Additionally, SIM swap fraudsters can hijack a legitimate user’s phone.

That’s why tru.ID checks the phone number against the SIM card in the device to solve this issue. For SIM swap fraud to work, the criminal must possess a newly-issued SIM card with the victim’s mobile number mapped to it. 

Each SIM card also has a unique identity number (called the International Mobile Subscriber Identity, or IMSI) – so a new SIM card issued to a criminal will have a different IMSI to the user’s original. With SIM-based authentication, you can now spot this difference and stop SIM swap fraudsters from gaining further access.

SIM-based authentication ensures that the user possesses a unique physical device, but feels like magic. It provides stronger security, but with no need to memorise yet another username and password.

How to get started

tru.ID products easily integrate into any client-server application architecture using restful APIs and iOS, Android, React Native and Mobile Web SDKs. 

Developers can find all they need to get started in our documentation, including integration guides for all our products. Simply sign up to start integration, and test for free, today – or contact Sales to find out how tru.ID can help your business.