November 16, 2021

A new, improved, solution for device binding: SIM card authentication

Paul McGuire
Co-founder, CEO at tru.ID

A new service from tru.ID now makes it easy for any bank or business to implement strong user authentication for device binding, using the cryptographic security of the SIM card and a simple and secure API.


This service makes it possible to quickly and securely check the SIM card in the user’s phone, check the mobile number associated with that SIM card, and then confirm with the bank that the mobile number of the SIM card matches the RMN (Registered Mobile Number) that was previously registered for that user’s account.


This new approach to device binding improves on existing solutions in several ways:

  • SIM authentication is highly secure
  • SIM authentication is very easy for the user
  • SIM authentication does not rely on SMS.

We’ll explain the RBI’s guidance on why device binding is necessary, what it is, and why these improvements are so important.


RBI guidelines – what is device binding?

When the Reserve Bank of India (RBI) published ‘Master Direction on Digital Payment Security Controls’ in February 2021, regulated businesses in FinTech, banking, payments and crypto had to take note. The guidance mandates that when authorising and processing payment transactions, apps must use at least one additional authentication method to validate the user’s action, and the MFA method must be ‘generally dynamic or non-replicable’, such as ‘device binding and SIM’. These important guidelines are designed to prevent fraud, including social engineering and other attack methods.


Specifically, it is necessary to be certain of the mobile device being used, then to associate that device with the correct user and with their bank account. Of particular note is that the guidelines recommend investigating and implementing stronger alternatives to SMS OTP (one-time passwords), which have been shown to be vulnerable to account fraud.


Digital identity and mobile payments: why device binding is important

To avoid fraud, it is important that only the registered account owner can spend money from a specific bank account. When a transaction happens in a physical bank, it is possible to use identity documents to verify that user’s identity. But when the transaction happens online, that is no longer possible, so a different verification process is required to reliably associate the online payment transaction with the user and their bank account.


Mobile numbers are unique, making them ideal for use as digital user identity. However, the challenge is how to verify that mobile phone number in a way that is secure – cannot be compromised by fraudsters – and also easy for the user.

PIN codes sent by SMS can cause problems

Historically, PIN codes sent by SMS (also known as OTPs, or one-time passwords) have been used as a way to try and verify a mobile number. But this approach has now been recognised as insecure, because SMS PIN codes are vulnerable to several different types of fraud attack:

  • MITM (‘man-in-the-middle’) attacks: Carried out through phishing/smishing or social engineering, these attacks let criminals steal PIN codes and commit fraud.
  • SIM swap fraud: Bad actors can fraudulently obtain a different SIM card with the same mobile number, intercept the SMS PIN code, and steal a user’s money.


In addition, PIN codes delivered by SMS can cause challenges for users and consequently for customer support teams:

  • SMS delivery problems: Often SMS messages don’t arrive, or arrive late, causing users to request a resend. This can then create more confusion, with messages arriving out of sequence.
  • User difficulties: Having to retrieve and retype PIN codes can lead to errors, and being asked to send an SMS from the handset is confusing for many users.


For these reasons, many regulators, including the RBI, now recommend investigating and implementing alternatives to SMS OTP.


SIM-based authentication is a new and improved solution

SIM-based authentication leverages the existing cryptographic security of the SIM card to authenticate the mobile number of the transacting device and link that to the user’s bank account. This approach does not use SMS PIN codes and so is not vulnerable to man-in-the-middle attacks, social engineering or SIM swap fraud. It also provides a far simpler user experience.

The authentication uses a secure, encrypted connection from the mobile device to the mobile network operator, who verifies the associated mobile number. Once verified, the mobile phone number can be compared with the RMN previously registered against that user’s bank account. If there is a match, the transaction can proceed.

The whole process is transparent to the user but highly secure, requiring no user input (other than typing their mobile number), which allows no room for malicious actors.
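The bank-side decision step described above, as an added illustration that is not tru.ID's code: it takes a constructed SIM-check result (the mobile number the operator verified, plus a timestamp) and shows the checks a practitioner would put around the RMN comparison: normalising both numbers to E.164, rejecting stale results, and comparing in constant time. The names SimCheckResult, normalise_msisdn and MAX_CHECK_AGE, and the two-minute freshness window, are hypothetical.

```python
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy, not a tru.ID setting: results older than this are rejected.
MAX_CHECK_AGE = timedelta(minutes=2)

def normalise_msisdn(number: str, default_cc: str = "91") -> str:
    """Canonicalise to E.164 so the operator-verified number and the RMN on file
    compare in one format. Assumes '+'/'00' international prefix or a national
    number with optional trunk '0'; default country code is India (+91)."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    return "+" + default_cc + digits.lstrip("0")

@dataclass(frozen=True)
class SimCheckResult:
    """Constructed stand-in for what a network-side SIM check reports."""
    msisdn: str           # mobile number the operator verified for the SIM
    verified: bool        # operator confirmed the SIM/number pairing
    checked_at: datetime  # completion time of the check (UTC)

def device_binding_ok(result: SimCheckResult, rmn: str, now: datetime,
                      max_age: timedelta = MAX_CHECK_AGE) -> bool:
    """Bank-side decision: proceed only if the operator verified the SIM, the
    result is fresh, and the verified number equals the registered number."""
    if not result.verified:
        return False
    if result.checked_at > now or now - result.checked_at > max_age:
        return False  # stale or future-dated result: require a fresh check
    return hmac.compare_digest(normalise_msisdn(result.msisdn).encode(),
                               normalise_msisdn(rmn).encode())

def sample_decisions() -> dict:
    """Decisions over constructed inputs; the RMN on file is +91 98765 43210."""
    now = datetime(2021, 11, 16, 12, 0, tzinfo=timezone.utc)
    rmn = "+91 98765 43210"
    fresh, stale = now - timedelta(seconds=30), now - timedelta(minutes=10)
    def ok(num, verified, at):
        return device_binding_ok(SimCheckResult(num, verified, at), rmn, now)
    return {"match": ok("+919876543210", True, fresh),
            "national_format": ok("09876543210", True, fresh),
            "wrong_number": ok("+919876543211", True, fresh),
            "not_verified": ok("+919876543210", False, fresh),
            "stale": ok("+919876543210", True, stale)}
```

Only the "match" and "national_format" cases allow the transaction to proceed; a wrong number, an unverified SIM, or a stale result all fail closed.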


tru.ID: based on strong SIM security

Inside the SIM card is the same cryptographically secure, tamper-resistant authentication technology that is inside every bank card. When deployed in a mobile phone, it has a unique identifier – the International Mobile Subscriber Identity, or IMSI. The pairing of an IMSI with a mobile phone number is a unique combination which, together with the SIM card’s strong cryptographic security, ensures an active binding of the transacting mobile device with the user and their bank account.


This SIM-based approach to device binding leverages the advanced security technology built into every SIM card, and avoids the pitfalls of alternative approaches:

  • Tamper-resistant: Cryptographic keys are stored in solid-state storage within the SIM card. The card has a tamper-proof housing.
  • Effectively unclonable: Modern SIM cards incorporate advanced cryptographic algorithms which restrict access to the stored secret and prevent cloning of the card.
  • Hardware-based: Rooted in SIM security, tru.ID verification is impervious to attacks against the physical mobile handset, OS, and apps – there’s no risk of compromise via rooting, hacking, or malware.
  • No PIN codes: With no passcodes which can be intercepted, man-in-the-middle attacks are impossible.


How to get started

tru.ID can support all types of mobile apps, with a rich set of tutorials available for Android, iOS, React Native, and many other implementations. Our online platform is developer-first, with a sandbox for easy testing.


Book your free 30-minute demo today to see it in action and discuss how tru.ID can make device binding simple.