What is tru.ID?
tru.ID offers turnkey API products for mobile phone number and identity verification. It confirms the ownership of a mobile phone number by verifying the possession of an active SIM card with the same number. Unlike other alternatives such as SMS-based OTP, tru.ID relies on in-band server-side verification, and is impervious to man-in-the-middle, social engineering and SIM Swaps attacks.
How does tru.ID work?
tru.ID integrates with Mobile Network Operators who already authenticate a mobile phone when making phone calls or using mobile data. We expose this authentication mechanism through the tru.ID APIs which enables you to integrate that functionality into your mobile applications.
For more information on integrating tru.ID into your applications see the tru.ID documentation.
How is tru.ID different from SMS OTPs?
Does tru.ID send a binary SMS or missed call to the device?
No. tru.ID does not use any traditional communication channels for the purpose of verification.
Does tru.ID support verification on all devices/endpoints?
tru.ID enables verification for a mobile app or a mobile website — devices/endpoints with a SIM card. It is possible to power desktop-centric verification flows though a companion mobile device, however tru.ID performs a real-time possession check. The user verifying themselves must possess the mobile device which is believed to have the number a user wishes to verify. To learn more about why this is so, please email us at [email protected].
What security factor does tru.ID verify?
tru.ID offers possession-factor verification for strong authentication in mobile apps and mobile websites.
What is SIM swap fraud?
SIM Swap fraud is orchestrated by an attacker first gathering enough relevant details about a person's identity, such as their date of birth, address, a driving license number etc. The attacker then use these details to present themselves as the legitimate owner of a phone number to the Mobile Network Operator. If they succeed, they can then request a new SIM card be issued for the phone number to them. With this new SIM card in their possession, they will be able to impersonate the real owner of the mobile phone number.
Does tru.ID mitigate the risk of SIM Swaps?
Does tru.ID work if a user has ported or is roaming?
Yes. tru.ID can verify users under all circumstances.
Do I need my end-user's consent to verify their phone numbers?
A mobile phone number counts as Personally Identifiable Information (PII). When you pass us a user’s mobile phone number, you are asking us to process that data on your behalf, in order for us to deliver the authentication services you have requested. We require that you confirm you have the necessary permissions applicable to relevant jurisdiction(s) from your end-users for us to process it. For more details on your responsibilities, please see our Terms.
How you obtain that permission may vary by territory (you are responsible for understanding the laws in the countries where you operate), but typically having a check box that the user clicks to agree to your terms of service, having the data processing rights clearly called out in your terms of service, and being able to show the audit trail of capturing each user’s consent, should be enough. If in doubt, you should solicit independent legal advice regarding this subject.
Can I use tru.ID for silent verification?
Yes. tru.ID can verify a phone number your application is already privileged to anywhere in your app. Your end-user terms and conditions should give you the right to collect and process a user's mobile phone number. This is identical to the authorisation your business/application would solicit for the purposes of mobile phone number verification through any other means such as SMS OTP.
Is tru.ID a Data Controller?
tru.ID is a Data Processor for phone numbers. We log phone numbers you've requested verification for using one-way encryption; meaning tru.ID does not know the numbers that have been verified.
How does tru.ID deal with PII?