Repeat usernames are a link to other accounts
Even when they’re not revealing personal information, the fact that usernames are public and knowledge-based – meaning they can be entered by anyone, anywhere – is a vulnerability.
For example, let’s say John Doe has a cryptocurrency account. He keeps it separate from his real identity, using the username Dorsie100 and a strong password, a combination he’s used across a few different accounts.
Attackers trying to breach random crypto accounts don’t know who Dorsie100 is, and aren’t able to guess the password. But they do have access to leaked databases full of credentials all over the dark web. They search the database for Dorsie100, find the strong password associated with a breach from a less secure site last year, and they’re in.
Even with a low success rate, attackers can use publicly visible usernames to connect the dots and profit from this connection of information.
In an era where we all have hundreds, if not thousands, of online accounts, this is a very real problem. You can check whether your credentials have appeared in a known breach at HaveIBeenPwned.
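As an added illustration of the kind of check described above (this is example code written for this page, not tru.ID's or HaveIBeenPwned's own code), the block below implements the k-anonymity lookup that the Pwned Passwords service uses: the client SHA-1 hashes the password, sends only the first five hex characters of the hash, and matches the returned `SUFFIX:COUNT` lines locally, so the full hash never leaves the device. The range response is a constructed sample embedded in the code so it runs offline; a `live_range_lookup` helper using the real endpoint URL is included for reference but is not exercised.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed sample of a Pwned Passwords range response for the SHA-1 prefix
# "5BAA6" (the prefix of SHA-1("password")). Real responses contain hundreds
# of lines; these counts are made up for the example.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "3F11A9E16BD5A3F9C6D7C9D5B2E3B1C0A9F:12\r\n"
    ),
}


def constructed_range_lookup(prefix: str) -> str:
    """Offline stand-in for the range endpoint: returns the sample body or ''."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_range_lookup(prefix: str) -> str:
    """Fetch a real range from the Pwned Passwords API (not used in the test)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus (0 if absent).

    Only the 5-character hash prefix is sent to the lookup; the suffix match
    happens locally, which is what keeps the check privacy-preserving.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)


def is_password_compromised(password: str, range_lookup: Callable[[str], str]) -> bool:
    """Policy helper: any non-zero count means the password should be rejected."""
    return pwned_count(password, range_lookup) > 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 2024"):
        n = pwned_count(candidate, constructed_range_lookup)
        print(f"{candidate!r}: seen {n} times in sample corpus")
```

The same `pwned_count` function works unchanged with `live_range_lookup` in place of the constructed one; keeping the lookup injectable is what makes the matching logic testable without network access.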
Who is the user behind the name?
As well as creating potential threats for real people, reliance on usernames is a business problem. For reliable analytics, and to keep out spambots and fraudsters, you need to know that each person is a unique individual. But allowing them to choose a username doesn’t guarantee that.
The security risk for real users is an advantage for malicious actors. JohnDoe1985 could be someone using their real details and exposing personal information… but it could also be a bot-generated username, tied to a bot-generated email address.
Nowhere in this process is the user linked to a singular, unique identity that can’t be easily faked.
A stronger, more secure alternative for password recovery and MFA
The simple alternative is to authenticate people using their mobile phone number and SIM card, a solution that provides them with anonymity and you with confidence in their identity.
A phone number is a unique identifier that doesn’t require the user to set a password, which can be compromised and linked to other accounts. There are still risks with a phone number alone: virtual numbers can be generated online, so a phone number doesn’t guarantee a unique device. And SIM swap fraudsters can also hijack a legitimate customer's phone.
For SIM swap fraud to work, the criminal must possess a newly issued SIM card with the victim’s mobile number mapped to it.
But each SIM card also has a unique identity number (called the International Mobile Subscriber Identity, or IMSI) – so a SIM card reissued to a criminal will have a different IMSI than the original.
tru.ID's technology checks the phone number against the SIM card in the device to solve this issue. SIM-based authentication can resolve the issue of mobile digital identity with no need to memorise yet another username and password – and it flags recent SIM changes.
Before sending an SMS or email in a password recovery flow, you can now confirm the user’s SIM card hasn’t recently been swapped – and implement stronger security measures if it has. (See how it works for a password recovery flow in a website application in our dedicated tutorial.)
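The decision described above, as an added example that is not part of the original post and not tru.ID's SDK: a password recovery flow compares the IMSI currently behind the user's phone number with the IMSI enrolled when the account was set up, and checks how recently the SIM last changed, before deciding whether an SMS code is safe to send. The `SimRecord` lookup result, the `AccountRecord`, the seven-day window and the three outcomes are all assumptions made for the example; the data is constructed inline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# How recently a SIM change is treated as suspicious. Assumed value for the
# example; a real deployment would tune this to its own fraud data.
RECENT_SWAP_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class AccountRecord:
    """What the service stored at enrolment: the number and the SIM behind it."""
    phone_number: str
    enrolled_imsi: str


@dataclass(frozen=True)
class SimRecord:
    """Hypothetical result of a SIM-check lookup for a phone number right now."""
    phone_number: str
    current_imsi: str
    last_sim_change: datetime


def recovery_decision(account: AccountRecord, sim: SimRecord, now: datetime) -> str:
    """Decide how a password recovery request should proceed.

    Returns one of:
      "send_sms" - SIM matches enrolment and has not changed recently
      "step_up"  - SIM differs or changed recently; require stronger verification
      "deny"     - lookup does not correspond to the account's number at all
    """
    if sim.phone_number != account.phone_number:
        # Defensive: the lookup result is for a different number.
        return "deny"
    if sim.current_imsi != account.enrolled_imsi:
        # A reissued SIM carries a new IMSI even though the number is the same.
        return "step_up"
    if now - sim.last_sim_change < RECENT_SWAP_WINDOW:
        # Same IMSI but a change inside the window is still treated as risky.
        return "step_up"
    return "send_sms"


# Constructed sample data for a quick run.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
ACCOUNT = AccountRecord(phone_number="+15555550100", enrolled_imsi="310150123456789")

SIM_UNCHANGED = SimRecord("+15555550100", "310150123456789", NOW - timedelta(days=400))
SIM_REISSUED = SimRecord("+15555550100", "310150987654321", NOW - timedelta(hours=3))
SIM_RECENT_SAME_IMSI = SimRecord("+15555550100", "310150123456789", NOW - timedelta(days=2))
SIM_WRONG_NUMBER = SimRecord("+15555550199", "310150123456789", NOW - timedelta(days=400))


if __name__ == "__main__":
    for label, sim in (("unchanged", SIM_UNCHANGED), ("reissued", SIM_REISSUED),
                       ("recent", SIM_RECENT_SAME_IMSI), ("wrong number", SIM_WRONG_NUMBER)):
        print(f"{label:>13}: {recovery_decision(ACCOUNT, sim, NOW)}")
```

The point of ordering the checks this way is that an IMSI mismatch is conclusive on its own, while the recency window catches the case where the carrier record shows a change the service has no enrolment baseline for; "step_up" is left to the caller to map onto whatever stronger verification the application offers.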
How to get started
tru.ID products integrate into any client-server application architecture using RESTful APIs and iOS, Android, React Native and Mobile Web SDKs.
Developers can find all they need to get started in our documentation, including integration guides for all our products. Simply sign up to start integration, and test for free, today – or contact Sales to find out how we can help your business.