Zero Trust is increasingly being adopted as the best strategy for access management and fraud prevention. To help achieve progress on Zero Trust, there is now a new, effortless way to implement continuous user verification – SIM-based authentication, which relies on the cryptographic security already used by mobile operators.
Before we show you how it works and how to integrate it, let’s start with the all too familiar security challenge of modern enterprises.
Zero Trust and Authentication
The Zero Trust model of identity and access management means never trusting that a returning user is who they claim to be. As the world moves to the cloud, with an increasingly distributed network of employees, partners, and clients, tighter auth journeys become even more important.
But with greater security comes greater friction – users have to invent intricate passwords, remember security questions, and interrupt their workflows with authenticator app codes, SMS PINs, and other multi-factor authentication (MFA) methods.
We know that knowledge factors like passwords create inherent vulnerability. Compromised passwords are behind the majority of data breaches and attacks, and Forrester Research estimates that in the enterprise environment, each employee password reset costs $70 in help desk support. That’s without taking into account the overall frustrating user experience.
Biometrics, on the other hand, are unrealistic as a Zero Trust requirement for the average user. It’s also unnecessary to request such personal information for all types of transactions or tasks.
Possession factors provide a solid middle ground, and proof of possession of a mobile device is more universal.
Now, a simpler and stronger possession factor for maintaining Zero Trust is opening up, with hardware-grade security that’s already in users’ hands – it’s the mobile phone with the SIM card inside it.
How to verify users by checking directly with mobile networks
The SIM card within the phone is already authenticated with the Mobile Network Operator (MNO). It is SIM authentication that allows mobile customers to make and receive phone calls and connect to data. Now you can use this same powerful authentication method for your own website or mobile app, using tru.ID.
tru.ID partners directly with global carriers to offer three kinds of APIs that integrate with the network’s authentication infrastructure, using the data connection and without collecting any personally identifiable information (PII). It’s a URL-based lookup of the number, the SIM identity and a check that the two match.
Zero Friction, Zero Trust, Zero-Knowledge
Network-level, SIM-based authentication is invisible to the user – the check of the SIM happens in the background once the user inputs their mobile number. If your site or app already has the mobile phone number stored, even better – there’s no user action required at all.
No personally identifiable user data or application information is exchanged during the MNO number and SIM lookup – the check is over a data connection and simply validates carrier information.
Find out more
SIM-based authentication, the proven verification technology used by mobile operators the world over, is now available for the first time via the tru.ID platform.