March 3, 2022

Security and simplicity – get the best of both worlds with SIM-based authentication

Paul McGuire
Co-founder, CEO at tru.ID

Are you still using legacy methods to authenticate your customers? If so, you are trapped in an impossible trade-off between strong security and keeping your customers happy.

Bring your security into the 21st century instead: here’s what you need to know about next-gen authentication.

When it comes to identity and access management, MFA (multi-factor authentication) has gone from a nice-to-have to a must-have. However, basic MFA such as OTPs (one-time passwords) sent by SMS or email can actually make the situation worse: these are still shared credentials which can be stolen. Your organisation is still exposed to social engineering and account takeovers, but now you also have to cope with the user dissatisfaction and high support costs caused by adding complications.

If you still use card readers or physical document checks, the problems are even worse: they are more expensive, and they deliver a much more cumbersome UX (user experience). It’s a challenge for IAM professionals: how do you balance security with user friction?

In today’s increasingly mobile-first world, it’s harder still to ensure your customers are well protected across all their devices without making the user experience unnecessarily onerous. The good news is that now, finally, there is a solution that gives you the best of both worlds – strong security with a great UX.

The problem: MFA forces you to compromise on security or UX

Email + password for login is highly vulnerable alone, but the default options for MFA don’t actually fix these vulnerabilities. Replacing one shareable credential (the password) with another shareable credential (the OTP) adds user friction, but still lets criminals use social engineering to compromise this knowledge from anywhere in the world.

For even higher friction, there are card readers, hardware tokens or even physical document checks. These solutions may provide higher security, but they are hugely expensive and provide an even more convoluted user experience. Unfortunately, a poor account experience creates a poor impression of your brand, despite the best intentions.

Bad actors are getting smarter and better organised. The acceleration to online and remote working driven by COVID-19 has created greater opportunities for attacks on every type of business, which has driven a surge in criminal activity. Reports of cybercrime such as account takeover, phishing, and fraud have grown by 300% since the pandemic began.

What was previously a largely desktop problem is now multi-channel, with mobile the primary vector: more than 50% of high-risk transactions originate from mobile devices. The challenge for IAM professionals is how to adapt to these new challenges without destroying the customer experience.

The solution: next-gen SIM-based auth, already in your users’ pockets

The answer is not to keep patching knowledge on top of knowledge. A change of security paradigm is needed – moving away from shareable credentials which anyone can copy towards a far more secure, hardware-based possession factor. This can only work if the possession factor is widely available, easy to use and integrate, and cost-effective.

The answer is the SIM card inside our mobile phones. It is tamper-resistant, cryptographically secure, and shares the same microchip technology that is built into every bank card. But its greatest benefit is that it’s already used by 6.37 billion people daily – meaning customers don’t need to lift a finger to take advantage of powerful possession-factor MFA.

Next-gen SIM-based authentication: how it works

When we use data on our mobile phones, we don’t need to type our email and a password to log in. We are automatically logged onto the mobile network because the mobile operator performs a silent cryptographic check of the unique SIM card. From that point forward, all communication between the device and the network is fully encrypted.

This strong, cryptographic security is built into every mobile network and SIM card, and it happens silently in the background every time we use our mobile device.

tru.ID’s SIM-based silent authentication is the new solution that harnesses this technology. Using the cryptographic security of the SIM card together with your existing mobile app, you can deliver strong, multi-channel authentication that is easy for your customers to use and simple for you to deploy. App authentication can be used to authenticate your customers across other channels too, such as desktop/laptop.

At last, there’s an easy, cost-effective way to stop relying on shareable credentials and add possession-factor authentication as part of your MFA approach for every user.

Frictionless MFA for registration, login, step-up security, and more

In the past, when a new customer registered for your app, you had no way to prove their credentials weren’t stolen or faked. Now, with SIM-based authentication, you can use the mobile number together with a secure SIM card possession check as a strong, trusted credential.

The same can be applied to step-up checks – when a customer is about to perform a higher-risk action (for example changing a payee, or transferring a larger sum of money), you can use the SIM card possession check to ensure the user still has the valid SIM card in their possession before allowing the transaction to go ahead. This can happen silently, with no need for additional data entry by the customer.

And for normal customer logins, take advantage of the frictionless security that the SIM card offers. No need for more email + password; simply check the mobile number and SIM card silently in the background for high security with a low-friction UX.
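To make the possession-factor argument from the "how it works" section and the step-up scenario above concrete, here is an added Python model that is not tru.ID's code and not the operator's real protocol: the SIM answers a fresh random challenge with a key that never leaves it, and a hypothetical risk rule gates payee changes and large transfers on that check. Real networks run 3GPP AKA with Milenage/TUAK on the SIM; HMAC-SHA256 stands in for those functions here, and the IMSI, key and limit values are constructed.

```python
import hmac
import hashlib
import os

# Simplified model (not tru.ID's code). Real networks run 3GPP AKA with
# Milenage/TUAK on the SIM; HMAC-SHA256 stands in for those functions here.

class Sim:
    """The SIM holds the subscriber key K and only ever answers challenges."""
    def __init__(self, imsi: str, k: bytes):
        self.imsi = imsi
        self._k = k  # never exported: this is what makes the SIM a possession factor

    def respond(self, rand: bytes) -> bytes:
        return hmac.new(self._k, rand, hashlib.sha256).digest()


class Network:
    """The operator's authentication centre holds the same K per subscriber."""
    def __init__(self):
        self._subscribers = {}

    def provision(self, imsi: str, k: bytes) -> None:
        self._subscribers[imsi] = k

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh RAND each time, so a captured response cannot be replayed

    def verify(self, imsi: str, rand: bytes, res: bytes) -> bool:
        k = self._subscribers.get(imsi)
        if k is None:
            return False
        expected = hmac.new(k, rand, hashlib.sha256).digest()
        return hmac.compare_digest(expected, res)


def possession_check(network: Network, sim: Sim) -> bool:
    """One silent round trip: challenge, SIM response, network verification."""
    rand = network.challenge()
    return network.verify(sim.imsi, rand, sim.respond(rand))


def step_up_required(action: str, amount: float = 0.0, limit: float = 1000.0) -> bool:
    """Hypothetical risk rule: payee changes and large transfers need a possession check."""
    return action == "change_payee" or (action == "transfer" and amount > limit)


def authorize(network: Network, sim: Sim, action: str, amount: float = 0.0) -> bool:
    """Allow low-risk actions outright; gate high-risk ones on the SIM possession check."""
    return possession_check(network, sim) if step_up_required(action, amount) else True
```

The contrast with an SMS OTP is the replay property: a response captured from one challenge is useless against the next one, and a SIM provisioned with a different key fails the check outright.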

Ready to upgrade to next-gen customer authentication?

To find out how to implement tru.ID silent auth and deliver high-security, low-friction authentication experiences for your customers, simply book your free 30-minute demo.

tru.ID products are integrated easily into any client-server application architecture using RESTful APIs and iOS, Android, React Native and Mobile Web SDKs. tru.ID is built to the OIDC standard. Our API documentation is all online. You can sign up and start testing for free.

About tru.ID

tru.ID helps businesses to reduce the threat of cybercrime with a range of mobile authentication solutions for customers and employees.

tru.ID offers passwordless authentication solutions that leverage the cryptographic security of the SIM card already present in every phone. This revolutionary approach delivers hardware-grade security at scale – delivered via API without the need for separate hardware.

tru.ID is already live in 20 markets covering over 2bn mobile accounts.