December 6, 2021

New hardware-grade MFA secures all employees using the mobile phone

Paul McGuire
Co-founder, CEO at tru.ID

Global enterprise security budgets are over $100B per year, yet the number of breaches continues climbing. With hybrid working here to stay, workers need to access systems and data from anywhere. But compromised credentials are responsible for the majority of breaches – at an average breach cost of $4.37 million.

For the future of work, how do you prevent data breaches? The obvious answer is strong authentication; ideally passwordless, Zero Trust multi-factor authentication (MFA), and ideally for all your employees. 

Hardware is a robust solution, but it’s not realistic to deploy to every employee. Many IAM leaders compromise by sticking to more cost-effective legacy methods, even though authenticator apps and codes sent via email or SMS are vulnerable to phishing and man-in-the-middle (MITM) attacks.

Now there’s an alternative that provides hardware-grade security for the whole organisation – without the need for additional hardware. SIM authentication from tru.ID is the newest innovation in MFA, and it uses the strongest piece of hardware employees already own: their mobile phone. Here’s how... 

Tighter security vs ease of use

MFA is usually added as a countermeasure to password-based access. 

Of the stronger passwordless MFA methods, FIDO tokens come as keys, dongles, and handheld readers that generate time-limited passcodes. Users generally dislike the cumbersome experience, but must comply with it. IAM teams don’t have it easy either – they must absorb the costs and complexity of supporting a rather fiddly security choice.

As a result, hardware tokens tend to be issued only to individuals identified as high-risk, leaving most of the workforce vulnerable.

In search of a universal security solution

Any security solution to be deployed universally must meet a tough set of requirements:

  • Easy to deploy
  • Easy to use
  • Easy to manage
  • Cost-effective
  • Highly secure

The pros and cons of current hardware MFA

Hardware MFA may be highly secure, but it fails on the other criteria:

  • At $50-$100 each, costs escalate, so only ‘high-risk’ individuals are issued tokens.
  • These small devices are easily lost or stolen, and expensive to replace. They also risk ending up in the wrong hands.
  • Remembering to carry the device at all times, plus typing time-sensitive passcodes, creates effort for users.
  • Providing access for remote workers and contractors, increasingly necessary in hybrid workplaces, is challenging.

Thankfully, there’s an innovative MFA alternative – using the SIM card in employees’ mobile phones to get strong, hardware-grade security without any extra hardware.

A new user-friendly hardware solution: SIM-based MFA

In an IAM context, the SIM card acts as a secure possession factor, but with a unique advantage. Every employee already has one at all times: it’s in their mobile phone, and they’re very motivated to keep it safe.

SIM authentication is how networks verify their 5 billion customers every time they make calls or use data, and how they charge them correctly. No extra credentials are needed to ‘log in’ to a mobile network – authentication happens automatically in the background between the SIM card and the operator. SIM authentication is seamless to the user.

Now, with tru.ID, network authentication is being made available to businesses, offering compelling benefits for IAM:

  • Easy to deploy: Already present in every employee’s pocket, SIM authentication allows rapid onboarding of new employees and continuous authentication of all the workforce.
  • Easy to use: A simple, familiar experience that doesn’t require extra user input.
  • Easy to manage: tru.ID SIM authentication supports OIDC and can be easily added as an authentication method on OIDC-compatible IAM platforms.
  • Cost-effective: There is no upfront investment required for specialist devices. Pricing is typically per authentication or per user per month.

Proven cryptographic security

Inside the SIM card is the same cryptographically secure, tamper-resistant authorisation technology that is inside every bank card. When deployed in a mobile phone, it has a unique identifier, the International Mobile Subscriber Identity (IMSI). The SIM also stores a secret key (‘Ki’, a 128-bit value) and an algorithm which, together with the IMSI, provides cryptographically secure authentication.

SIM authentication uses a secure, encrypted connection from the mobile device to the mobile network operator, which verifies the match. Requiring no code or password from the user means there’s no way for malicious actors to intercept the process. tru.ID can also check that the SIM card has not been associated with a new account recently, protecting against SIM swap fraud.

  • Tamper-resistant: Cryptographic keys are stored in a solid-state storage within the SIM card. The card has a tamper-proof housing.
  • Effectively unclonable: Modern SIM cards incorporate advanced cryptographic algorithms which restrict access to the stored secret and prevent cloning of the card.
  • Hardware-based: Rooted in SIM security, tru.ID verification is impervious to attacks against the physical mobile handset, OS, and apps – there’s no risk of compromise via rooting, hacking, or malware.
  • No PIN codes: With no passcodes which can be intercepted, man-in-the-middle attacks are impossible.
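To make the mechanism in this section concrete, here is an added Python illustration (not tru.ID’s or any operator’s code) of a SIM-style challenge-response: the operator issues a random challenge, the card answers with a keyed function of a Ki that never leaves it, and the operator verifies the answer before applying a recency check of the kind described above for SIM swaps. HMAC-SHA256 stands in for the real SIM algorithm, the 7-day window is an assumed policy, and the IMSIs, keys and dates are constructed.

```python
import hmac
import hashlib
import secrets
from datetime import date, timedelta
# Illustration only (not tru.ID's or any operator's code). HMAC-SHA256 stands in
# for the SIM's real keyed algorithm; IMSIs, keys and dates below are constructed.
SIM_SWAP_WINDOW = timedelta(days=7)  # assumed threshold for "recently re-assigned"

class Sim:
    """Holds the IMSI and the 128-bit Ki; Ki never leaves the card."""
    def __init__(self, imsi: str, ki: bytes):
        assert len(ki) == 16, "Ki is a 128-bit value"
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> bytes:
        # Answer the operator's random challenge with a keyed digest of it.
        return hmac.new(self._ki, rand, hashlib.sha256).digest()

class Operator:
    """Operator side: IMSI -> (Ki, date the SIM was assigned to the account)."""
    def __init__(self, subscribers: dict):
        self._subs = subscribers

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh RAND for every authentication

    def verify(self, imsi: str, rand: bytes, res: bytes, today: date) -> str:
        entry = self._subs.get(imsi)
        if entry is None:
            return "unknown_imsi"
        ki, assigned_on = entry
        expected = hmac.new(ki, rand, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, res):
            return "auth_failed"
        # SIM-swap check: a SIM tied to the account only days ago is treated as risky.
        if today - assigned_on < SIM_SWAP_WINDOW:
            return "recent_sim_change"
        return "ok"

def authenticate(sim: Sim, op: Operator, today: date) -> str:
    """One silent round trip: nothing is shown to, or typed by, the user."""
    rand = op.challenge()
    return op.verify(sim.imsi, rand, sim.respond(rand), today)

KI_A, KI_B = bytes(range(16)), bytes(range(16, 32))
OPERATOR = Operator({
    "001010123456789": (KI_A, date(2021, 1, 15)),  # long-standing SIM
    "001010987654321": (KI_B, date(2021, 12, 3)),  # SIM assigned three days earlier
})
```

Because the user never sees or types a code, there is nothing for a phishing page to relay; the recency check is what turns a bare possession factor into a SIM-swap defence.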

How to get started

To learn more or to get started with implementation, tru.ID can provide a packaged solution via API, or embedded into an authentication app. The app-based solution can also be enhanced by biometric MFA. SIM-based authentication can be integrated into IAM via either OIDC or a REST API. It also works with eSIMs.

tru.ID can support all types of mobile apps, with a rich set of tutorials available for Android, iOS, React Native, and many other implementations. Our online platform is developer-first, with a sandbox for easy testing.  

Book your free 30-minute demo now to see it in action.