Zero Trust is increasingly being adopted as the best strategy for access management and fraud prevention. To help achieve progress on Zero Trust, there is now a new, easy way to implement continuous user verification by tapping into the authentication systems used by mobile operators.
Before we show you how it works and how to integrate it, let's start with the fundamental security challenge.
The Zero Trust model of identity verification essentially means never trusting that a returning user is who they claim to be, regardless of their location or previous successful attempts. Zero Trust is a strategic approach to access management that is vital for keeping out bad actors.
As the world moves to the cloud, with an increasingly distributed network of employees, partners, and clients, tighter auth journeys become even more important.
But with greater security comes greater friction – users have to invent intricate passwords, remember security questions, and interrupt their workflows with authenticator app codes, SMS PINs, and other multi-factor authentication (MFA) methods.
We know that knowledge factors like passwords are less than ideal. Compromised passwords are behind the majority of data breaches and attacks, and Forrester Research estimates that in the enterprise environment, each employee password reset costs $70 in help desk support. That's without taking into account the overall frustrating user experience.
Biometrics, on the other hand, are unrealistic as a Zero Trust requirement for the average user. Nor is it appropriate to request such personal information for every type of transaction or task.
Possession factors provide a solid middle ground, and proof of possession of a mobile device is more universal. Plus, mobile phone numbers aren't overly personal.
However, possession checks that use codes – even authenticator apps – are vulnerable to man-in-the-middle (MITM) and SIM swap attacks, as well as creating UX problems – from SMS codes that never arrive to the pressure of typing numbers from an authenticator app against a countdown.
A simpler and safer way of checking a possession factor while maintaining Zero Trust is already in users' hands – the mobile phone and the SIM card inside it.
The SIM card within the phone is already authenticated with the Mobile Network Operator (MNO). It is SIM authentication that allows mobile customers to make and receive phone calls and connect to data. Now you can use this same powerful authentication method for your own website or mobile app, using tru.ID.
tru.ID partners directly with global carriers to offer three kinds of APIs that integrate with the network's authentication infrastructure, using the data connection and without collecting any personally identifiable information (PII). It is a URL-based lookup that confirms the phone number, the SIM identity, and that the two match.
Network-level, SIM-based authentication is invisible to the user – the check of the SIM happens in the background once the user enters their mobile number. If your site or app already has the mobile phone number stored, even better – there's no user action required at all. This improved UX creates seamless account experiences without compromising security.
No personally identifiable user data or application information is exchanged during the MNO number and SIM lookup – the check is over a data connection and simply validates carrier information.
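The flow described above, reduced to a runnable simulation so the security properties are visible: the server issues a single-use, short-lived check URL bound to the claimed number; the device fetches it over the mobile data connection; the operator attributes that request to the SIM behind the data session and reports whether it matches. This is an added example, not tru.ID's code or API. The `SimulatedOperator` and `SubscriberCheckService` classes, the `check.example` URL, the 60-second lifetime and the session tokens and phone numbers are all constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CHECK_TTL_SECONDS = 60  # assumed lifetime of a check URL

@dataclass
class Check:
    phone_number: str               # the number the user claims to control
    check_id: str
    check_url: str
    created_at: float
    status: str = "pending"         # pending -> completed | expired
    match: Optional[bool] = None

class SimulatedOperator:
    """Stand-in for the MNO: maps each cellular data session to the SIM's MSISDN."""
    def __init__(self, sessions: Dict[str, str]) -> None:
        self.sessions = sessions
    def msisdn_for_session(self, token: Optional[str]) -> Optional[str]:
        return self.sessions.get(token) if token else None  # Wi-Fi/VPN: no SIM behind it

class SubscriberCheckService:
    """Server side: issues single-use check URLs and records the operator's verdict."""
    def __init__(self, operator: SimulatedOperator) -> None:
        self.operator, self.checks = operator, {}
    def create_check(self, phone_number: str, now: float = None) -> Check:
        check_id = secrets.token_urlsafe(16)  # unguessable identifier bound to this number
        check = Check(phone_number, check_id, f"https://check.example/{check_id}",
                      time.time() if now is None else now)
        self.checks[check_id] = check
        return check
    def open_check_url(self, check_id: str, token: Optional[str], now: float = None) -> bool:
        """Device fetches check_url over mobile data; returns whether the check was consumed."""
        check = self.checks.get(check_id)
        now = time.time() if now is None else now
        if check is None or check.status != "pending":
            return False                      # unknown or already used: replay rejected
        if now - check.created_at > CHECK_TTL_SECONDS:
            check.status = "expired"
            return False
        # Only a request carried by the operator's session can be attributed to a SIM
        check.match = self.operator.msisdn_for_session(token) == check.phone_number
        check.status = "completed"
        return True
    def result(self, check_id: str) -> Optional[bool]:
        check = self.checks[check_id]
        return check.match if check.status == "completed" else None
```

A request over Wi-Fi, from a different SIM, after expiry, or a second time against the same URL all fail to produce a match, which is what makes the check resistant to relayed codes and SIM swaps in a way an SMS PIN is not.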
To learn more about how SIM-based authentication works, you can read about authenticating users with SubscriberCheck here.