Email + password offers flawed security
The email address has no linkage to the mobile phone; it is simply an identifier. There is no way to validate physical possession of a mobile device, so user authentication is typically performed using a knowledge factor – the password. However, passwords are widely acknowledged as a flawed security solution. Consequently, an SMS OTP (One Time Password) is often added as a second (possession) factor. But that is just a sticking plaster on top, creating further UX friction and introducing additional fraud risks.
If not email, then what?
Taken altogether, email + password is the wrong paradigm for user identity on mobile, especially now that better alternatives exist. Email became the default approach to online identity when the world was still desktop-based. Now that we live in a mobile-first world, it makes more sense to leverage the capabilities of the mobile phone to bring identity into the modern era. This is easy to implement, but it has to be done the right way to avoid some big potential pitfalls.
Mobile number alone can cause problems
Most phone-based authentication methods today simply use the mobile number alone, and rely on a PIN code that is sent via SMS or a voice call to that number. Companies assume this is a possession-factor authentication method, but the problem is that it doesn't reliably prove possession. There are some fundamental flaws, and bad actors are taking advantage of them.
SIM swap: Bad actors are increasingly committing SIM swap fraud by persuading the mobile operator to issue them with a replacement SIM card that takes over the same mobile number. They are then able to receive all voice calls and SMS messages (including PIN codes) sent to that number, and then use those codes to take over that user’s accounts.
Mobile phone number recycling: A further drawback is that, because there is only a finite pool of mobile phone numbers available, they routinely get recycled by the mobile operators. If the mobile number alone is used as the identity key, and your previous number is later recycled to someone else, there’s a real chance they could gain access to your WhatsApp account, messages and contacts, as well as other private accounts that rely solely on the mobile number.
Mobile number linked to a SIM card – a secure and frictionless solution
The key to authenticating a mobile user quickly, securely and reliably is to use their mobile number, but perform the verification using the SIM card in the mobile phone. A mobile number check that is linked to a physical SIM card is the strongest and lowest-friction solution for user identity on a mobile device, addressing all the issues raised above.
Unrivalled security: A SIM card comes with impregnable cryptography and is the same piece of highly secure, scalable and proven microcomputer technology that you can see in every credit card. Mobile phone numbers are also uniquely tied to an individual SIM card. At any one time, this pairing of mobile number + SIM card is entirely unique, cannot be duplicated and is cryptographically secure. There is nothing a phone user can do to tamper with that unique pairing.
Prevents SIM swap: Verifying with mobile number + SIM card works against SIM swap fraud by ensuring that the number hasn’t been reassigned by a bad actor.
Avoids fake accounts: Verifying the mobile number + SIM card before an account is opened makes it much harder for bad actors to generate multiple accounts for fraudulent purposes: there is a real cost and process overhead involved in obtaining a new SIM card, unlike purely digital identities (such as email addresses) which can be created by bots.
Seamless UX: For a user, the approach is extremely simple – just type your number and it will be verified instantly, in real time, with no further action required – no SMS to wait for, no PIN code to retype.
tru.ID: mobile authentication, reimagined
tru.ID can help you to implement this 21st century approach to user identity. Our range of API-based authentication products enables you to quickly and securely verify the number of an active mobile device. This provides an enhanced, frictionless user experience, reducing fraud and helping you to increase mobile revenues.