More than 60% of UK online purchases are made through a mobile device. For 2021, that equates to £72 billion in sales. But the value of smartphones and tablets goes beyond retail. With a central role in the workplace, in financial transactions, in access to government services, and in our social lives, our mobile devices have become the key to our identities.
And that means that passwords are not enough. People write them down, re-use them, and share them with social engineers. Two factor authentication (2FA) helps but there’s a trade-off. Many 2FA techniques increase user experience friction, whether it’s waiting for a one time password (OTP) over SMS or digging out an authenticator app and then racing to enter the OTP before the countdown ends.
And there is some risk with using one time passwords, for example. Let’s put that into perspective, though.
On the whole, imperfect 2FA is better than no 2FA. But there is an increasing risk that a determined bad actor could socially engineer a person into porting their phone number out of their control or swapping their number to a SIM that is in the fraudster’s control.
In practice, the user visible portion of a 2FA flow is just one of several checks. Vodafone’s SIM Swap API, for example, can help you to build a confidence score around a user’s identity by telling you when that number was last swapped from one SIM card to another
However, what if you could make almost the entire process invisible to the end user? Vodafone’s Number Verify API does just that. So, how does it work?
How Number Verify works
The “two factors” in two factor authentication refer to ways that people can prove their identity. Typically, they are:
- Something the person knows: such as a password or PIN
- Something the person has: a mobile device or cryptographic hardware key
- Something the person is: their fingerprint, facial features, or similar
OTP-based two factor authentication usually combines a password (something the user knows) with a way to prove they have their registered mobile device in their possession (something they have). Number Verify works the same way but it saves the user from having to receive a code in the clear and then enter it.
Let’s look at how that might work from the perspective of an app developer:
- A user attempts to log-in to the app.
- The app calls the Number Verify API, providing the Vodafone mobile number registered for that user.
- Number Verify uses the Vodafone network to probe the SIM in the device the app is running on.
- Number Verify returns TRUE if the current device’s SIM number matches that on record and FALSE if not.
By relying both on Vodafone’s network and the SIM card itself, the response is virtually impossible to fake. It’s worth noting that SIM cards, including eSIMs, are fully functioning computers in their own right with their own operating systems and storage. Crucially, each SIM card is also cryptographically secured, which allows the network to trust its response.
From the user’s point of view, none of that happened. And that’s why this method is often called silent SIM based identity verification.
Building a confidence score
Earlier, we touched on the idea of a confidence score. Number Verify is just one Vodafone Identity Hub API that helps you to build a picture of who an individual really is.
The Match API is, forgive the pun, particularly well matched with Number Verify. It lets you verify specific information about a Vodafone subscriber, without needing to actually exchange any personally identifiable information between your systems and the network’s.
That’s particularly powerful because it gives you an independent source of account profile information without the need to ever exchange any of your user’s personally identifying information. Some of the data you can verify with Match include the person’s name, address, date of birth, whether their phone is reported lost/stolen, and so on.
Combined with other Vodafone Identity Hub APIs, you can build a level of trust in an individual’s digital identity. Depending on your use case, you might choose to request more identity proof depending on what the Vodafone APIs tell you.
Pros and cons of silent SIM verification
The upsides of silent SIM verification with Number Verify are clear:
- There’s no interruption for the user
- It verifies identity directly with the SIM and the mobile network
- It lowers the total cost of identifying users by driving higher conversion than using OTPs over SMS, thanks to lower friction
- Number Verify is PSD2 compliant, as it is a true possession factor, rather than an OTP which can shared and intercepted
One thing to bear in mind is that Number Verify requires that the device is connected to the mobile network. If the person’s device has no signal, for example, then your app will need to fall back to other authentication methods.
Try it for yourself
Number Verify is just one of the APIs we’ve made available to help you to build user experiences with greater trust and less friction. You can try those APIs for yourself, using our sandbox environment, right here in the Vodafone Developer Marketplace. Follow our guide to get started.