How to Implement Zero Trust User Verification Using the Mobile Number

August 3, 2021
Paul McGuire
Co-founder, CEO at tru.ID



Zero Trust is increasingly being adopted as the best strategy for access management and fraud prevention. To help achieve progress on Zero Trust, there is now a new, easy way to implement continuous user verification by tapping into the authentication systems used by mobile operators.

Before we show you how it works and how to integrate it, let's start with the fundamental security challenge.


Zero Trust and Authentication

The Zero Trust model of identity verification essentially means never trusting that a returning user is who they claim to be, regardless of their location or previous successful attempts. Zero Trust is a strategic approach to access management that is vital for keeping out bad actors.

As the world moves to the cloud, with an increasingly distributed network of employees, partners, and clients, tighter auth journeys become even more important.

But with greater security comes greater friction – users have to invent intricate passwords, remember security questions, and interrupt their workflows with authenticator app codes, SMS PINs, and other multi-factor authentication (MFA) methods.



The Trade-off Between Security and UX

We know that knowledge factors like passwords are less than ideal. Compromised passwords are behind the majority of data breaches and attacks, and Forrester Research estimates that in the enterprise environment, each employee password reset costs $70 in help desk support. That's without taking into account the overall frustrating user experience.

Biometrics, on the other hand, are unrealistic as a Zero Trust requirement for the average user. Nor do you need to request such personal information for every type of transaction or task.


Possession factors provide a solid middle ground, and proof of possession of a mobile device is more universal. Plus, mobile phone numbers aren't overly personal.


However, possession checks which use codes – even authenticator apps – are vulnerable to man-in-the-middle (MITM) and SIM swap attacks, as well as creating UX problems – from SMS codes that never arrive to the pressure of typing numbers from an authenticator app against a countdown.

A simpler and safer way of checking a possession factor while maintaining Zero Trust is already in users' hands – the mobile phone and the SIM card inside it.


How to Verify Users by Checking Directly with Mobile Networks

The SIM card within the phone is already authenticated with the Mobile Network Operator (MNO). It is SIM authentication that allows mobile customers to make and receive phone calls and connect to data. Now you can use this same powerful authentication method for your own website or mobile app, using tru.ID.

tru.ID partners directly with global carriers to offer three kinds of APIs that integrate with the network's authentication infrastructure, using the data connection and without collecting any personally identifiable information (PII). It's a URL-based lookup of the number, the SIM identity and that the two match.


Zero Friction, Zero Trust, Zero-Knowledge

Network-level, SIM-based authentication is invisible to the user – the check of the SIM happens in the background once the user inputs their mobile number. If your site or app already has the mobile phone number stored, even better - there's no user action required at all. This improved UX creates seamless account experiences without compromising security.

No personally identifiable user data or application information is exchanged during the MNO number and SIM lookup – the check is over a data connection and simply validates carrier information.
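The flow described above, reduced to a runnable simulation. This is an added illustration, not tru.ID's code or API: the check URL, the SIM identities and the carrier's SIM-to-number table are all constructed stand-ins. What it shows is the security logic a server relies on: the check is bound to the number the user claimed, it only counts if the URL was opened over the mobile data session, it expires, and it can be consumed once, so a replayed or forwarded URL does not pass.

```python
import secrets
import time

# Constructed stand-in for what the carrier knows and never hands out:
# which phone number each SIM identity is provisioned for. Fake values.
CARRIER_SIM_TO_NUMBER = {"sim-A": "+447700900001", "sim-B": "+447700900002"}


class SimCheckService:
    """Server side of the flow: issue a one-time check URL for a claimed
    number, record which SIM the carrier saw open it, report match or not."""

    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self.checks = {}  # check_id -> state

    def create_check(self, claimed_number):
        # Unguessable id; the URL itself carries no number or SIM data.
        check_id = secrets.token_urlsafe(16)
        self.checks[check_id] = {"number": claimed_number, "created": time.time(),
                                 "sim_seen": None, "consumed": False}
        return f"https://check.example/c/{check_id}"  # hypothetical URL

    def carrier_redirect(self, check_url, sim_identity):
        """The device opens check_url over mobile data. The carrier (simulated
        by the caller passing sim_identity) identifies the SIM on that data
        session. Rejects unknown, expired or already-used checks."""
        state = self.checks.get(check_url.rsplit("/", 1)[1])
        if state is None or state["consumed"]:
            return False
        if time.time() - state["created"] > self.ttl:
            return False
        state["sim_seen"] = sim_identity
        return True

    def result(self, check_url):
        """Single-use result query: only a boolean leaves this function."""
        state = self.checks.get(check_url.rsplit("/", 1)[1])
        if state is None or state["consumed"]:
            return {"match": False, "reason": "unknown or already used"}
        state["consumed"] = True
        if state["sim_seen"] is None:
            return {"match": False, "reason": "url not opened over mobile data"}
        # In the real system the carrier performs this lookup; the simulation
        # does it locally against the fake table above.
        matched = CARRIER_SIM_TO_NUMBER.get(state["sim_seen"]) == state["number"]
        return {"match": matched, "reason": "ok" if matched else "sim does not match number"}
```

A Wi-Fi-only device never triggers carrier_redirect, so the check fails closed rather than falling back to a weaker factor.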


How to Get Started

Want to try it for yourself? Make your first API call within minutes – just sign up with tru.ID or check the documentation. tru.ID is keen to hear from the community to discuss case studies.

To learn more about how SIM-based authentication works, you can read about authenticating users with SubscriberCheck here.

This feature originally appeared in The Hacker News.