What is a mobile possession factor – and how can it replace passwords to stop phishing?

December 22, 2022
Paul McGuire
Co-founder, CEO at tru.ID


When 50% of cybersecurity breaches come from stolen credentials, something is broken. The solution is to remove shared credentials from the equation entirely – using a mobile digital identity based on possession instead.

We all use email, and we all use passwords – which means we are all vulnerable to phishing attacks.

The frequency and success rates of phishing attacks are skyrocketing as criminals become more effective, and opportunities for attack greatly multiplied during the pandemic. Global losses from cybercrime are now around $1 trillion – staggering amounts of money that could be better spent elsewhere.

So far, the answer has been patching extra layers of security on top of emails and password logins – CAPTCHA forms, SMS codes, confirmation emails.

These standard multi-factor authentication (MFA) approaches are sticking plasters that don’t address the core problem. They still fall back to shareable credentials such as passwords and OTP codes, and remain vulnerable to phishing because they rely on knowledge only.

As long as credentials can be shared, they can be intercepted and misused. Stolen credentials are still the most common attack vector leading to data breaches.

What is needed is a shift from knowledge-based credentials to possession-based security – which doesn’t rely on information that can be duplicated, like passwords or codes. This can sit on top of other strong security such as biometrics.

Now, for the first time, the possession factor security built into mobile networks is being made available by API – minimising the possibility for phishing and protecting your users from attack.


Why is phishing a still-growing problem?

Phishing and other types of social engineering rely on human behaviour to breach an organisation’s weaknesses. They make use of the convenient, knowledge-based email & password method most of us use to access services online, by tricking us into sharing those credentials. And it works: 83% of organisations surveyed said they experienced a successful email-based phishing attack in 2021.

Criminals use these methods because they are low-risk, scalable, and fully remote. And now, they’re getting more successful. Criminals are sharing information to become better than ever at convincingly tricking people, as well as scaling up their operations – tools available on the dark web can help attackers automate cyberattacks, and run a criminal operation as a full-scale business.

The costs (and wider damages) from successful attacks are growing larger and far more serious. The Covid-19 pandemic has helped phishing grow massively thanks to the sharp increase in remote working, as well as an increasing use of SMS-based messaging, as nations used the channel to deliver information about health and vaccination.

Phishing scams have increased by 59%, according to INTERPOL Secretary General Jürgen Stock, who commented “Cyber-criminals are developing and boosting their attacks at an alarming pace.”


2FA codes are part of the problem

Passwords are a knowledge factor that involves a shareable credential, and so can be easily phished. This is why most services require a further step, or second-factor authentication (2FA).

Unfortunately, most 2FA methods also involve a shareable credential which can itself be phished – typically a one-time password (OTP) or PIN code, sent via SMS or email.

Even worse, criminals are specifically targeting these methods: researchers recently found that over 1,200 phishing kits designed to steal 2FA codes are out in operation. And while purpose-built hardware for MFA exists, it’s prohibitively expensive and not owned by the average person.

The answer, therefore, cannot lie in adding more layers of friction that kill the user experience without truly keeping out attackers.

Seamless, stronger security can only work with a possession factor that is widely available, easy to use, easy to integrate, and cost-effective. Now, for the first time, this is possible – using the SIM cards that already exist in over 5 billion mobile phones worldwide.

The new phishing-resistant possession factor

tru.ID’s next-gen SIM authentication is the new solution that the security world has been waiting for. SIM cards are the same highly secure, proven microchip technology that is built into every credit card. There is a SIM card in every mobile phone – everyone already has this powerful hardware in their pocket.

Using the cryptographic security of the SIM card can deliver strong, multi-channel authentication that is easy to use and simple to deploy. Now, at last, there is an easy, cost-effective way to stop relying on shareable credentials and make possession-factor verification available to all.

How does SIM-based auth work better?

When we use our mobile phones (to browse the internet, make a video call, or use data on an app) we don’t need to type our email and a password to log in – the mobile network operator performs a cryptographic check of the SIM card, silently in the background, to prove it is valid. From that point forward, all communication between the device and the network is fully encrypted.

This strong, cryptographic security is built into the SIM card in every mobile phone, and it happens silently in the background every time we use our mobile device. But until recently, it wasn’t possible for businesses to program the authentication infrastructure of a mobile network into an app as easily as any other code.

Now, for the first time, this authentication capability is available as a possession factor API. Simply add the tru.ID SDK into your existing mobile app to instantly make possession-factor security available to all your users.

Secure app registration, login, step-up checks and more…

In the past, when a new user registered for your app, you had very little data you could trust. Now, with SIM-based authentication, you can use the mobile number together with a secure SIM card possession check as a strong, trusted credential.

The same can be applied to step-up checks – when a customer is about to perform a higher-risk action (for example making a payment or accessing sensitive data). You can now use a SIM check to ensure the user still has the valid SIM card in their possession before allowing the transaction to go ahead. Unlike other MFA, it happens silently, with no need for additional data entry by the customer, and can even detect potential SIM swap fraud.
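As an added illustration (not code from tru.ID or its SDK) of the step-up policy described above, the server-side decision below consults only a possession-check result: whether the SIM seen on the network matches the account's number, how old the check is, and whether the operator reports a recent SIM change. The result structure, the number, the timestamps and the policy windows are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical shape of a possession-check result; not the tru.ID API response format.
@dataclass
class SimCheckResult:
    phone_number: str                 # number the server asked the network to verify
    match: bool                       # SIM answering on the network matches that number
    checked_at: datetime              # when the network performed the check
    sim_changed_at: Optional[datetime]  # last SIM change reported by the operator, if any

HIGH_RISK_ACTIONS = {"make_payment", "view_sensitive_data", "change_contact_details"}
MAX_CHECK_AGE = timedelta(minutes=5)   # assumed: a check result is only usable briefly
SIM_SWAP_WINDOW = timedelta(days=7)    # assumed: SIM changed this recently looks like a swap

# Constructed sample values for the example.
NOW = datetime(2022, 12, 22, 12, 0, tzinfo=timezone.utc)
ACCOUNT_NUMBER = "+447700900123"

def step_up_decision(action: str, expected_number: str,
                     result: Optional[SimCheckResult], now: datetime) -> str:
    """Return 'allow', 'deny' or 'review' for a step-up check.

    No OTP or code is ever sent to or typed by the user, so a phishing page
    has nothing to capture; the only evidence is possession of the SIM."""
    if action not in HIGH_RISK_ACTIONS:
        return "allow"   # low-risk actions do not trigger a step-up at all
    if result is None or result.phone_number != expected_number:
        return "deny"    # no check, or a check for some other number, never counts
    if now - result.checked_at > MAX_CHECK_AGE:
        return "deny"    # stale result: require a fresh check rather than reuse
    if not result.match:
        return "deny"    # SIM on the network is not the one bound to this account
    if result.sim_changed_at and result.checked_at - result.sim_changed_at < SIM_SWAP_WINDOW:
        return "review"  # recent SIM change: possible SIM swap, hold for manual review
    return "allow"

def example_result(match: bool, changed_days_ago: Optional[int] = None,
                   age_minutes: int = 0, number: str = ACCOUNT_NUMBER) -> SimCheckResult:
    """Build a constructed check result relative to NOW."""
    checked = NOW - timedelta(minutes=age_minutes)
    changed = NOW - timedelta(days=changed_days_ago) if changed_days_ago is not None else None
    return SimCheckResult(number, match, checked, changed)

if __name__ == "__main__":
    for label, res in [("fresh match", example_result(True)),
                       ("swapped 2 days ago", example_result(True, changed_days_ago=2)),
                       ("stale", example_result(True, age_minutes=30))]:
        print(label, "->", step_up_decision("make_payment", ACCOUNT_NUMBER, res, NOW))
```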

Ready to learn more?

To find out how to implement next-gen authentication and deliver high security, low friction authentication experiences to your users, simply book your free 30-minute demo or visit the tru.ID website.

For developers, the tru.ID API documentation is all online: sign up and start testing for free at https://tru.id/signup.

About tru.ID

tru.ID helps businesses to reduce the threat of cybercrime with a range of mobile identity and authentication solutions for customers and employees.


tru.ID offers passwordless authentication solutions that leverage the cryptographic security of the SIM card already present in every phone. This revolutionary approach delivers hardware-grade security at scale – via API, without the need for separate hardware.

tru.ID is already live in 20 markets covering over 2bn mobile accounts.

How to get started

tru.ID can support all types of mobile apps, with a rich set of tutorials available for Android, iOS, React Native, and many other implementations. Our online platform is developer-first, with a sandbox for easy testing.