Implement Passwordless Verification Using Mobile Number and SIM
How to verify the mobile number using the SIM card, and detect SIM swap changes using a new API. Remove reliance on SMS OTP, passwords, and authentication apps.
Registering users, logging them in, verifying credentials, and ensuring extra checks at specific in-app tasks are user journeys most digital businesses have to build. These account journeys are in a constant race between security considerations and usability. From the days of the simple username and password, barring the inevitable password recovery flow, things became increasingly more cluttered: two-factor authentication with a possession check via SMS OTP, step-up security checks using authenticator apps, or magic links by email.
By now we know that there's no such thing as a strong password, that SMS OTP, although a standard choice, is not as secure as once thought, and that authenticator apps create poor UX for users. So what's the alternative? Identity on the blockchain is quite a way off from the mainstream, and biometrics are not suitable for every type of verification. In the short- to medium-term, the user experience of account journeys will continue to rely on two-factor (2FA) or multi-factor (MFA) authentication.
What if there was a simpler, stronger 2FA solution using an authentication method already present in over 2bn+ smartphones?
Introducing SIM-Based Number Verification
The pairing of the mobile phone number with the SIM card is a credential the mobile network already uses to allow its customers to make/receive phone calls, use data, and send/receive messages. There's no need to 'log in' to the network because it has already performed the SIM authentication.
Using the cryptographic security of the SIM card, the combination of the mobile number with a background check of the SIM card offers a strong possession factor, which developers can now implement alongside their existing 2FA solutions or usernames & passwords, and replace those over time.
How the Number + SIM Verification API Works
The SIM card within the phone is already authenticated with the Mobile Network Operator (MNO). SubscriberCheck from tru.ID hooks into the same authentication mechanism that MNOs use, via Check URLs. As a result, the tru.ID API does two things. Firstly, it verifies that the mobile number is active and paired to the SIM card in the mobile phone. Secondly, as part of this verification, the API also reports whether the SIM card associated with the phone number has recently changed. These checks can be integrated easily with APIs and SDKs in an app, creating account journeys that are both seamless and secure and don't require SMS OTP or passwords.
Prevent Account Takeovers and SIM Swap Fraud
SIM swap fraud is a growing issue with serious financial consequences – FinTechs and cryptocurrency wallets have been especially targeted, but any platform that uses SMS to verify identity is at risk. All it takes is one compromised user to cause major support issues and brand damage.
SIM-based authentication offers a way to check for SIM card changes. Fraudsters usually attempt to access their victims' accounts within 24 hours of the swap, so by checking for SIM swap activity within the last 7 days, SubscriberCheck can detect changes early, and developers can implement step-up security prompts or prevent account access altogether, whatever level of assurance the business rules require.
Works Alongside Existing 2FA Methods
Replacing 2FA methods that already work well enough may sound like a risky step, which is why SIM-based verification can be implemented alongside existing SMS OTP solutions (think Twilio or Vonage). As the UX and security benefits become clear, the legacy methods can be phased out.
Here is How to Use SubscriberCheck
1 — Test the tru.ID API with a phone number you'd like to verify and check SIM status on.
2 — The tru.ID platform performs a lookup on the phone number to determine which MNO it is associated with.
3 — tru.ID then asks that MNO for a unique Check URL that will be used as part of a mobile authentication workflow.
4 — The tru.ID platform stores that MNO Check URL and returns a tru.ID Check URL.
5 — Request the tru.ID Check URL within the mobile application using the tru.ID SDK for Android, iOS, or React Native. It's important to use the SDK because it forces the web request over the authenticated mobile data session.
6 — The MNO will receive the web request via a redirect from the tru.ID platform. The MNO then determines if the phone number associated with the authenticated mobile data session matches the phone number associated with the requested Check URL. If it does, then the phone number has been successfully verified.
7 — At this point the tru.ID platform also performs a SIM card change lookup and stores the result.
8 — Once the Check URL request has been completed and the SIM change information retrieved, the mobile application can request the result of the phone verification from the tru.ID API.
9 — Use the phone verification `match` and SIM card change `no_sim_change` properties within your application logic.
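As an added illustration of steps 8 and 9 (example code, not tru.ID's own), here is a server-side policy that maps a fetched check result to an account-journey decision. It assumes the result is a JSON document carrying the `match` and `no_sim_change` properties named above plus a `status` and `check_id` field (those two names are assumptions), and it fails closed: only an explicit completed match for the check the server itself created is treated as verified.

```python
import json
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"      # number verified, no SIM change in the lookup window
    STEP_UP = "step_up"  # number verified, but the SIM changed recently
    DENY = "deny"        # not verified, wrong check, or result unusable


# Constructed sample results; these are NOT real API responses.
# `status` and `check_id` are assumed field names; `match` and
# `no_sim_change` are the properties the article refers to.
SAMPLE_RESULTS = {
    "ok":       '{"check_id": "example-1", "status": "COMPLETED", "match": true,  "no_sim_change": true}',
    "swapped":  '{"check_id": "example-2", "status": "COMPLETED", "match": true,  "no_sim_change": false}',
    "mismatch": '{"check_id": "example-3", "status": "COMPLETED", "match": false, "no_sim_change": true}',
    "pending":  '{"check_id": "example-4", "status": "PENDING"}',
}


def decide(result_json: str, expected_check_id: str) -> Decision:
    """Turn a SubscriberCheck result into ALLOW / STEP_UP / DENY.

    expected_check_id is the id the server stored when it created the
    check for this login attempt, so a result for some other check
    (or a replayed one) cannot be used to pass this attempt.
    """
    try:
        result = json.loads(result_json)
    except ValueError:
        return Decision.DENY
    if not isinstance(result, dict):
        return Decision.DENY
    # Bind the result to the check this server created (step 1/4).
    if result.get("check_id") != expected_check_id:
        return Decision.DENY
    # Step 8: the result is only meaningful once the Check URL flow completed.
    if result.get("status") != "COMPLETED":
        return Decision.DENY
    # Step 9: require real booleans; a string "true" is not a verified match.
    if result.get("match") is not True:
        return Decision.DENY
    if result.get("no_sim_change") is not True:
        return Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    for name, payload in SAMPLE_RESULTS.items():
        print(name, decide(payload, json.loads(payload)["check_id"]).value)
```

A STEP_UP outcome is where an existing method such as SMS OTP or an authenticator prompt can be kept in the loop while SIM-based verification is rolled out alongside it.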
You can start testing for free and make your first API call within minutes – Check the documentation for your guide to getting started.
Published at DZone with permission of Natalie Malevsky. See the original article here.