Let’s be honest: we all use email and passwords. Passwords introduce insecurity into the system. The success rate of phishing attacks is skyrocketing, and opportunities for the attack have greatly multiplied as lives moved online. All it takes is one leaked password for all other users to become victims of a data breach.
As a result, digital identities rely on verification plasters to provide extra protection. MFA (multi-factor authentication) frequently relies on knowledge factors like password resets and OTP codes, which remain exposed. Credentials can be abused as long as they can be shared or intercepted.
A paradigm shift is required: from knowledge-based credentials to a strong possession factor that cannot be compromised, alongside additional verification measures such as biometrics.
A new possession-factor API promises to achieve just that, by replacing knowledge-based credentials with SIM card-based possession factor device binding and user authentication, lowering the likelihood of phishing.
Phishing is a human issue:
Phishing and other forms of social engineering rely on humans being the weakest link in a security breach. They take advantage of the simple, credential-based access granted to the ordinary platform user by fooling them into sharing credentials. It also works: in 2021, 83% of firms polled reported a successful email-based phishing attack.
Even 2FA codes are now being targeted:
Passwords are widely known to be freely exchanged and hence easily phished. However, a lesser-known reality is that many kinds of 2FA, such as the OTP or PIN code introduced to strengthen password flaws, are also phishable.
Worse, thieves are now deliberately targeting these methods: researchers recently discovered over 1,200 phishing kits designed to steal 2FA codes in operation.
As a result, the solution to identity and access management is not to deploy additional patches that ruin the user experience, as these do not actually keep attackers out. Instead, MFA requires a more powerful, simpler possession factor — one that requires no typing and so leaves nothing to phish.
Purpose-designed security dongles or tokens are examples of MFA possession factors. However, they are pricey and unlikely to be purchased by the typical user. Stronger security for everybody can only be achieved with devices that are broadly available, simple to use, easy to integrate, and inexpensive.
Enter the SIM card. It is embedded in every mobile phone and relies on cryptographic security when authenticating to the mobile network.
For the first time, tru.ID's API makes SIM-based mobile network authentication available to any business and app developer, allowing you to use the security of the SIM card as a secure possession factor for MFA.
SIM-based authentication: the new anti-phishing possession factor
The SIM card has several advantages. SIM cards employ the same highly secure, cryptographic microchip technology as credit cards. It’s tough to clone or tamper with, and every mobile phone includes a SIM card, so every one of your consumers already has this hardware in their pocket.
Because it is a silent authentication check, the combination of the mobile phone number and its associated SIM card identifier (the IMSI) is difficult to phish.
The user experience is also excellent. Mobile networks routinely perform silent checks to ensure that a user’s SIM card matches their phone number before allowing them to send messages, make calls, and use data — guaranteeing real-time authentication without the need for a login.
Until recently, businesses could not integrate a mobile network’s authentication infrastructure into an app as simply as any other code. tru.ID makes network authentication available to everyone.
By incorporating the tru.ID SDK into existing account journeys that use the mobile phone number, the user gains instant possession-factor security. Furthermore, because SIM-based authentication requires no additional user input, there is no attack vector for bad actors: SIM-based authentication is transparent, so there are no credentials or codes to steal, intercept, or misuse.
The user’s SIM card is not accessed by tru.ID. Instead, it checks the status of the SIM card in real time with the cell provider. It verifies that a phone number has not been assigned to another SIM and checks for recent SIM changes, assisting in the prevention of SIM swap fraud.
An illustration of a SIM-based verification scenario
Although the scenario below describes a number of steps, the end user of the system only needs to do one thing: supply their mobile phone number.
1 — After the user enters their mobile number, the tru.ID API performs a lookup to discover which mobile network operator (MNO) the phone number is allocated to.
2 — tru.ID requests a unique Check URL from the MNO to initiate the mobile authentication procedure.
3 — tru.ID stores the MNO’s Check URL and returns a tru.ID Check URL to your web server, to be launched on the mobile device.
4 — The mobile app opens the tru.ID Check URL. It is preferable to use the tru.ID SDKs for this, since they force the web request to be sent over a mobile data connection.
5 — The web request is redirected to the MNO by the tru.ID platform.
6 — The final redirect sends the device to the web server’s redirect URL endpoint. The body of this request contains a ‘code’ and a ‘check id’, which the web server sends to tru.ID’s API to complete the SubscriberCheck process.
7 — The MNO then checks whether the phone number associated with the authenticated mobile data session matches the phone number connected with the requested Check URL. If it does, the phone number has been verified successfully.
8 — tru.ID performs a SIM card lookup and stores the status result.
9 — Once the Check URL request has completed and the SIM card status has been retrieved, the mobile application can request the phone verification result from the tru.ID API.
10 — Within your application logic, use the phone verification ‘match’ attribute together with the SIM card change attribute (‘no sim change’).
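The web server's side of steps 3 to 10, as an added example that is not tru.ID's SDK or API: the platform call that completes the SubscriberCheck is injected as a callable (a stand-in, since the real API is not on this page), and the server binds each check id to the login session, rejects replayed or expired redirects, and only treats the number as verified when both ‘match’ and ‘no sim change’ hold. The check lifetime, check ids, session ids and phone number are constructed sample values.

```python
"""Web-server side of steps 3 to 10 (hypothetical model, not tru.ID code)."""
import time
from dataclasses import dataclass

CHECK_TTL_SECONDS = 120  # assumed lifetime of a pending check, not a tru.ID value

@dataclass
class PendingCheck:
    phone_number: str   # number the user supplied in step 1
    session_id: str     # login session the check was created for
    created_at: float
    consumed: bool = False

class CheckVerifier:
    def __init__(self, complete_check, clock=time.time):
        # complete_check(check_id, code) -> {"match": bool, "no_sim_change": bool}
        # stands in for the API call the web server makes in step 6.
        self.complete_check = complete_check
        self.clock = clock
        self.pending = {}

    def register_check(self, check_id, phone_number, session_id):
        # Step 3: remember which session and number a Check URL was issued for.
        self.pending[check_id] = PendingCheck(phone_number, session_id, self.clock())

    def handle_redirect(self, check_id, code, session_id):
        # Step 6: the device arrives at the redirect endpoint carrying code and check id.
        chk = self.pending.get(check_id)
        if chk is None or chk.consumed:
            return {"verified": False, "reason": "unknown_or_replayed_check"}
        if chk.session_id != session_id:
            return {"verified": False, "reason": "session_mismatch"}
        if self.clock() - chk.created_at > CHECK_TTL_SECONDS:
            return {"verified": False, "reason": "expired"}
        chk.consumed = True  # one-shot: a second redirect with the same pair is rejected
        result = self.complete_check(check_id, code)
        match = bool(result.get("match"))
        no_sim_change = bool(result.get("no_sim_change"))
        # Step 10: both attributes must hold; a recent SIM change fails the login.
        return {"verified": match and no_sim_change, "phone_number": chk.phone_number,
                "match": match, "no_sim_change": no_sim_change}

if __name__ == "__main__":
    # Constructed stand-in for the platform: the code "good" matches, anything else does not.
    def fake_platform(check_id, code):
        return {"match": code == "good", "no_sim_change": True}
    v = CheckVerifier(fake_platform)
    v.register_check("chk-1", "+447700900123", "sess-A")  # constructed sample values
    print(v.handle_redirect("chk-1", "good", "sess-A"))
    print(v.handle_redirect("chk-1", "good", "sess-A"))  # replay is rejected
```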
Where do I begin?
With the tru.ID developer platform, you can begin testing SIM-based authentication immediately and make your first API request in minutes.
To learn more about how next-gen authentication can provide your users with high-security, low-friction authentication experiences, book a free demo or visit tru.ID.