The pros and cons of current hardware MFA
Hardware MFA may be highly secure, but it fails on the other criteria:
- At $50-$100 each, costs escalate, so only ‘high-risk’ individuals are issued tokens.
- These small devices are easily lost or stolen and expensive to replace, and a lost token risks ending up in the wrong hands.
- Remembering to carry the device at all times, plus typing time-sensitive passcodes, creates effort for users.
- Providing access for remote workers and contractors, increasingly necessary in hybrid workplaces, is challenging.
Thankfully, there’s an innovative MFA alternative – using the SIM card in employees’ mobile phones to get strong, hardware-grade security without any extra hardware.
A new user-friendly hardware solution: SIM-based MFA
In an IAM context, the SIM card acts as a secure possession factor, but with a unique advantage. Every employee already has one at all times: it’s in their mobile phone, and they’re very motivated to keep it safe.
SIM authentication is how mobile networks verify their 5 billion customers every time they make calls or use data, and how they charge them correctly. No extra credentials are needed to ‘log in’ to a mobile network – authentication happens automatically in the background between the SIM card and the operator. SIM authentication is seamless to the user.
Now, with tru.ID, network authentication is being made available to businesses, offering compelling benefits for IAM:
- Easy to deploy: Already present in every employee’s pocket, SIM authentication allows rapid onboarding of new employees and continuous authentication of all the workforce.
- Easy to use: A simple, familiar experience that doesn’t require extra user input.
- Easy to manage: tru.ID SIM authentication supports OIDC and can be easily added as an authentication method on OIDC-compatible IAM platforms.
- Cost-effective: There is no upfront investment required for specialist devices. Pricing is typically per authentication or per user per month.
Proven cryptographic security
Inside the SIM card is the same cryptographically secure, tamper-resistant authorisation technology that is inside every bank card. When deployed in a mobile phone, it has a unique identifier – the International Mobile Subscriber Identity, or IMSI. The SIM also stores a secret key (‘Ki’, a 128-bit value) and an authentication algorithm which, together with the IMSI, provide cryptographically secure authentication.
SIM authentication uses a secure, encrypted connection from the mobile device to the mobile network operator, who verifies that the SIM’s response matches its own records for that subscriber. Because no code or password is ever requested from the user, there is nothing in the process for malicious actors to intercept. tru.ID can also check that the SIM card has not been associated with a new account recently, protecting against SIM swap fraud.
- Tamper-resistant: Cryptographic keys are stored in solid-state storage within the SIM card, and the card has a tamper-proof housing.
- Effectively unclonable: Modern SIM cards incorporate advanced cryptographic algorithms which restrict access to the stored secret and prevent cloning of the card.
- Hardware-based: Rooted in SIM security, tru.ID verification is impervious to attacks against the physical mobile handset, OS, and apps – there’s no risk of compromise via rooting, hacking, or malware.
- No PIN codes: With no passcodes which can be intercepted, man-in-the-middle attacks are impossible.
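The mechanism described above, as an added Python example that is not tru.ID’s code or any operator’s real implementation: the operator issues a random challenge, the SIM answers it with a value derived from Ki (which never crosses the network), the operator checks the match in constant time, rejects replays of an already-answered challenge, and flags a SIM that was bound to the account very recently. HMAC-SHA256 stands in for the network’s real authentication algorithm, and the IMSI, Ki and timestamps are constructed test values.

```python
import hmac, hashlib, secrets
from datetime import datetime, timedelta, timezone

# Constructed sample subscriber: the SIM and the operator's subscriber database
# both hold Ki, and Ki never crosses the network. HMAC-SHA256 stands in for the
# operator's real challenge-response algorithm (e.g. MILENAGE) so this runs anywhere.
IMSI = "001010123456789"
KI = bytes.fromhex("0123456789abcdef0123456789abcdef")  # 128-bit Ki, constructed

def sim_response(ki: bytes, rand: bytes) -> bytes:
    # SIM side: answer the operator's challenge using the secret Ki
    return hmac.new(ki, rand, hashlib.sha256).digest()[:8]

class Operator:
    # subscribers maps IMSI -> (Ki, datetime this IMSI was last bound to a new SIM/account)
    def __init__(self, subscribers: dict):
        self.subscribers = subscribers
        self.pending = {}  # IMSI -> outstanding RAND; each challenge is answered once

    def challenge(self, imsi: str) -> bytes:
        rand = secrets.token_bytes(16)  # fresh random challenge, so a replay fails
        self.pending[imsi] = rand
        return rand

    def verify(self, imsi: str, response: bytes, now: datetime,
               swap_window: timedelta = timedelta(days=7)) -> str:
        sub = self.subscribers.get(imsi)
        rand = self.pending.pop(imsi, None)
        if sub is None or rand is None:
            return "rejected: unknown IMSI or no outstanding challenge"
        ki, sim_bound_at = sub
        if not hmac.compare_digest(sim_response(ki, rand), response):
            return "rejected: response does not match"  # constant-time comparison
        if now - sim_bound_at < swap_window:  # recent-SIM-change check from the text
            return "authenticated, but SIM changed recently: require step-up"
        return "authenticated"

def demo() -> list:
    # One genuine login, one replay, one attempt without Ki, one recent SIM change
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    op = Operator({IMSI: (KI, now - timedelta(days=60))})
    rand = op.challenge(IMSI)
    results = [op.verify(IMSI, sim_response(KI, rand), now),
               op.verify(IMSI, sim_response(KI, rand), now)]  # same RAND used twice
    rand = op.challenge(IMSI)
    results.append(op.verify(IMSI, sim_response(bytes(16), rand), now))  # wrong Ki
    swapped = Operator({IMSI: (KI, now - timedelta(days=1))})
    results.append(swapped.verify(IMSI, sim_response(KI, swapped.challenge(IMSI)), now))
    return results
```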
How to get started
To get started with implementation, tru.ID provides a packaged solution via API or embedded in an authentication app. The app-based solution can also be enhanced with biometric MFA. SIM-based authentication can be integrated into IAM through either OIDC or a REST API, and it also works with eSIMs.
tru.ID can support all types of mobile apps, with a rich set of tutorials available for Android, iOS, React Native, and many other implementations. Our online platform is developer-first, with a sandbox for easy testing.
Book your free 30-minute demo now to see it in action.