Advanced Zero-Trust API Offers Mobile Carrier Authentication to Developers

Zero Trust is increasingly being accepted as one of the best tactics to handle application security and avoid data breaches. To help accomplish progress on Zero Trust, there is now an advanced way to implement continuous user verification by associating directly to the authentication systems used by mobile operators – without the upward of processing or preserving user information.

Before we display its functionality and how to organize it, let’s begin with the basic challenge.

What is Zero Trust and Authentication?

The Zero Trust model of personalized verification most essentially means never trusting that a returning user is who they claim to be, regardless of their location or previous successful attempts. Zero Trust is a strategic approach to access management that is crucial for keeping out bad actors.

As the world moves to the cloud, with a progressively distributed network of employees, partners, and clients, tighter auth journeys become even more essential.


But with greater security comes greater resistance – users have to come up with intricate passwords, remember security questions, and break their workflows with authenticator applications codes, SMS PINs, and other multi-factor authentication (MFA) methods.

The Exchange between Security and UX

We all know that knowledge factors like credentials are less than ideal. Negotiated passwords are behind the bulk of data breaches and attacks, and Forrester Research appraisal that in the enterprise surrounding, each agent credential’s reset costs $70 in help desk in support. That’s without taking into account the overall disappointing user experience.

On the other hand, Biometrics is unrealistic as Zero Trust needs for the average user. You also don’t require such crucial information for all types of access.

The control factor gives a solid middle ground, and proof of possession of mobile phones is more universal. Moreover, mobile phone numbers aren’t excessively personal.

Although, possession check with use codes – even authenticator applications – are vulnerable to man-in-the-middle (MITM) and SIM swap attacks, as well as generating UX problems—from SMS codes that never comes under the pressure of typing counts form an authenticator application against a countdown.

A simpler and safer form of checking possession factor while handling Zero Trust is already in the user’s hands – it’s the mobile phone and the SIM card inside it.

How to Authenticate User by Connecting Directly to Mobile Networks?

There is one thing that is already authenticated with the Mobile Network Operator (MNO) i.e. SIM card inside the phone. It is SIM authentication that permits mobile customers to manage phone calls and connect to data. Now you can use this same powerful authentication method for your website of mobile applications, using tru.ID.

tru.ID collaborate directly with carriers across the world to offer these kinds of APIs that design with the network’s authentication framework, using the data connection and without collecting any personally identifiable information (PII). The tru.ID API authenticates whether the SIM card associated with the phone number has recently changed, administering silent, continuous verification.

Zero Friction, Zero Trust, Zero-Knowledge

SIM-based authentication is invisible to the user – the check of the SIM happens in the background once the user inputs their mobile number. If your site or application already has the mobile phone number preserved, even better – there’s no user action needed at all. This enhanced UX generates logical account experiences without negotiating security.

No directly discoverable user information is traded during the MNO number and SIM lookup – the check is over a data connection and approves official carrier data.

How to Get Started?

For constant Zero Trust authorizations in the background using the SIM, SIMCheck is suggested, having the additional advantages of being a quick, easy, and server-side assimilation. Should the lookup return recent changes to the SIM, you may select to implement additional set-up verification.

How is all this accomplished programmatically? With one API call. When something happens on the client-side which needs a step up or security check, the client informs the server, which composes this API call to check if the SIM has changed for the user’s phone number.

curl – – location – – request POST ‘’ \

– -header ‘Content-Type: application/json’ \

– -header ‘Authorization: Bearer <Token>’ \

– -data-raw ‘{“phone_number: “<PhoneNumber>”}’

The SIMCheck API response will look something like this, where the ‘no_sim_change’ equity is the key to tell us whether the SIM card has changed recently:


“check_id”: “<CHECK_ID>”,

“status”: “COMPLETED”

“no_sim_change”: true,

“charge_amount”: 1.00000,

“charge_currency”: “API”,

“created_at”: “2021-071-13T23: 44: 19+0000”,

“snapshot_balance”: 10.000


After all this, the server informs the client whether the transaction or request can proceed. If it fails, your site or application can either deny access or need an additional, non-telephonic form of authentication.

Leave a Reply