PhoneCheck - Silent Authentication
tru.ID provides three core products (PhoneCheck, SubscriberCheck, SIMCheck); on this page, we’ll cover the details of PhoneCheck, which can enhance your mobile or web application with a more secure, less clunky, less broken, silent authentication or verification flow with little to no user action required. All you need is the phone number of a user and for them to actually be in possession of the associated SIM Card with an active mobile data connection.
Sounds easy, right? But why would I want to do this? If you wish to skip past this page and go straight into the technical discussions, please refer to the Integration Guide.
Note: Although this focuses on SMS OTP, and the reasons listed below are also SMS-focused, many examples and reasons are similarily applicable to other verification methods.
If you use SMS OTP within your authentication flow, you’ll have likely come across some of the issues listed below:
- Higher risks associated with SMS, such as SMS pumping, SMS phishing, and charges for failed SMS attempts, generally incur unnecessary higher costs and increased risk of suffering a breach.
- User experience is clunky and often flawed, requiring users to leave the application to read an SMS message and copy or memorise a code. The code itself might be incorrectly typed in, risking a broken attempt at authentication, or worse willingly or unwittingly shared risking an identity and protected systems.
- Depending on the coverage, the supplier sending the SMS, and other reasons, the SMS may not be received in time or at all resulting in user frustration.
- A high percentage of abandonment at this point of the flow.
So.. Why would I want to use Silent Authentication out of everything else?
SMS OTP, or any other verification process that requires an OTP to be entered, generally requires the user to first enter their identifier and a knowledge-based factor such as a username and password. They must then switch applications to read an SMS, Authenticator app, Email, or even a voice call. The user then needs to go back to the app they’re attempting to log in to and remember that code enter it.
This kind of experience is not ideal, and relying on the user to get it right causes a higher risk of dropouts or an incorrect verification status.
Below is a basic example flow of authentication that requires the user to enter an OTP (Minus the third-party application to retrieve the OTP):
The experience for Silent Authentication from an end-user perspective is considerably simpler, with less risk of user errors. If your application does not already know the user’s phone number, they can enter it into the mobile app, and then from their view, a second or two later, they’re verified!
Below is a basic example of Silent Authentication:
Any OTP verification method requires the user to switch applications and copy/memorize a specific one-time passcode. The immediate risk here is that a user can be convinced by someone with malicious intent to hand over that code.
With tru.ID’s Silent Authentication, there is no code for a user to retrieve and enter. This flow eliminates the risk of the users of your application from having their credentials stolen through social engineering.
Improved consistency of charges
A very important subject among the top concerns of every business is costs. How much does everything cost? How can we keep costs to a minimum? With SMS OTPs, generally, you’re charged regardless of the outcome. So you could be charged for all of the following:
- A successful OTP verification
- An incorrect phone number was entered (unsuccessful OTP verification)
- SMS pumping (more info)
With tru.ID’s Silent Authentication, you are only charged for a successful verification attempt. The possible outcomes and whether you’re charged for them are:
- Silent Authentication is successful; the user’s phone number and SIM card are a match (Charge)
- Silent Authentication is successful; the user’s phone number and SIM card are not a match (Charge)
- Silent Authentication is unsuccessful; the verification attempt timed out (No charge)
- Silent Authentication is unsuccessful; the mobile network operator is not supported with tru.ID (No charge)
To begin learning how this could be implemented into your mobile or web application, follow the Integration Guide.