Frequently Asked Questions

What is tru.ID?

The tru.ID platform offers turnkey API products for mobile phone number and identity verification. It confirms the ownership of a mobile phone number by verifying the possession of an active SIM card with the same number. Unlike other alternatives such as SMS-based OTP, tru.ID relies on in-band server-side verification, and is impervious to man-in-the-middle, social engineering and SIM Swaps attacks.

How does tru.ID work?

tru.ID integrates with Mobile Network Operators who already authenticate a mobile phone when making phone calls or using mobile data. We expose this authentication mechanism through the tru.ID APIs which enables you to integrate that functionality into your mobile applications.

For more information on integrating tru.ID into your applications please refer to our documentation.

How is tru.ID different from SMS OTPs?

To see how tru.ID compares with SMS-based OTPs for 2FA, see a Comparison of tru.ID with SMS and read more about the tru.IDentity Paradigm.

Does tru.ID send a binary SMS or missed call to the device?

No. tru.ID does not use any traditional communication channels for the purpose of verification.

Does tru.ID support verification on all devices/endpoints?

tru.ID enables verification for a mobile app or a mobile website — devices/endpoints with a SIM card. It is possible to power desktop-centric verification flows though a companion mobile device, however tru.ID performs a real-time possession check. The user verifying themselves must possess the mobile device which is believed to have the number a user wishes to verify. To learn more about why this is so, please email us at feedback@tru.id.

What security factor does tru.ID verify?

tru.ID offers possession-factor verification for strong authentication in mobile apps and mobile websites.

What is SIM swap fraud?

SIM Swap fraud is orchestrated by an attacker first gathering enough relevant details about a person's identity, such as their date of birth, address, a driving license number etc. The attacker then use these details to present themselves as the legitimate owner of a phone number to the Mobile Network Operator. If they succeed, they can then request a new SIM card be issued for the phone number to them. With this new SIM card in their possession, they will be able to impersonate the real owner of the mobile phone number.

Does tru.ID mitigate the risk of SIM swaps?

Yes. tru.ID provides two products to mitigate the risk of SIM swaps. See SIMCheck and SubscriberCheck.

Does tru.ID verification work if a user has ported or is roaming?

Yes. tru.ID can verify users under all circumstances.

Do I need my end-users' consent to verify their phone numbers?

A mobile phone number counts as Personally Identifiable Information (PII). When you pass us a user’s mobile phone number, you are asking us to process that data on your behalf, in order for us to deliver the authentication services you have requested. We require that you confirm you have the necessary permissions applicable to relevant jurisdiction(s) from your end-users for us to process it. For more details on your responsibilities, please see our Terms.

How you obtain that permission may vary by territory (you are responsible for understanding the laws in the countries where you operate), but typically having a check box that the user clicks to agree to your terms of service, having the data processing rights clearly called out in your terms of service, and being able to show the audit trail of capturing each user’s consent, should be enough. If in doubt, you should solicit independent legal advice regarding this subject.

Can I use tru.ID for silent verification?

Yes. tru.ID can verify a phone number your application is already privileged to anywhere in your app. Your end-user terms and conditions should give you the right to collect and process a user's mobile phone number. This is identical to the authorisation your business/application would solicit for the purposes of mobile phone number verification through any other means such as SMS OTP.

Is tru.ID a Data Controller?

tru.ID is a Data Processor for phone numbers. We log phone numbers you've requested verification for using one-way encryption; meaning tru.ID does not know the numbers that have been verified.

How does tru.ID deal with PII?

As strong advocates of data privacy ourselves, we believe your customers' data is private to them. tru.ID does not require any personally identifiable information (PII) other than an end-user's phone number to perform a verification. We process the phone number at your request for the purpose of verification and do not store it on our systems. Any references to a user's PII (phone number) in our systems after processing is a one-way encrypted hash, which—even if known—cannot be reverse engineered to identify the user. For more details, please read our Privacy Policy.