As our presence online becomes more visible, the need for strong security solutions grows exponentially. Yet many users still fail to follow a basic cybersecurity practice – adopting sophisticated passwords.
Password security constantly sparks debates and endless conversations among pundits regarding user experience and safety. One reused, hacked password may mean huge financial losses, leaked information, and reputational damage. But do passwords – in their current form – still serve their main purpose, or do they no longer cut it for proper security?
We’ve reached out to the CEO and Founder of tru.ID, Paul McGuire, to talk about innovative alternatives to passwords and how to effectively secure private accounts and business information.
How did tru.ID come about? What has the journey been like so far?
In 2019, I spotted an opportunity in mobile authentication. Mobile operators, with their enormous security infrastructure, were opening up network-based mobile number verification via APIs. At the same time, the API economy was booming.
I had always been a mobile-first entrepreneur. My first venture was mBlox, a pioneer in mobile messaging that got sold to Sinch, and my second was mobile pay-tech, Paymo, which was acquired by Boku.
So when the opportunity to help the world get rid of passwords became apparent, I assembled a stellar team of product experts and engineers to build an API platform aggregating mobile authentication globally and in the most scalable way.
When the pandemic hit, we were, somewhat unexpectedly, prepared. We always intended to be a remote-first team in the belief that talent can be found anywhere.
We’ve seen demand for our solution surge as businesses of all sizes focus on preventing account fraud and dealing with the onslaught of cybersecurity attacks as a result of consumers and employees conducting their lives and work online.
Can you tell us a little bit about what tru.ID does? How does SIM-based authentication work?
I’m not exaggerating when I say tru.ID is the latest innovation in MFA. Until recently, unless you were the government or a very large corporation, it was simply not possible to program the authentication infrastructure of a mobile network into an app as easily as you would any other code.
When you use a mobile phone, you don’t need to use a username or password to log in to the network — authentication happens seamlessly using the SIM card embedded inside the phone. The mobile network detects automatically that it’s a legitimate SIM card paired with your mobile number. Just like that, you’re making phone calls, sending texts, making payments, and so on.
With tru.ID, this proven ubiquitous security solution is being made available as an API anyone can use. We are operating in 20 countries, covering the verification of over 2 billion mobile subscribers.
To put it simply, we’ve turned network authentication into an easy-to-deploy API. You integrate once, then scale globally as you need to. We’ve also added common app SDKs to make integration super simple so that every business, no matter what size, can leverage the cryptographic security of SIM-based authentication in their app.
This is a game-changer for MFA technology and will lead to stronger account security for consumers and employees alike.
The user experience is so simple and slick that it’s a win-win for everyone — users will find it easy, developers will find it simple, and businesses will find it liberates them from the burden of passwords.
How do you manage to ensure secure authentication without compromising the user experience?
This is a great question because it recognizes that secure authentication and user experience have traditionally clashed.
This is certainly true if you consider common authentication methods, such as sending SMS codes, switching to email to click a link, or the dreaded password reset.
Tru.ID and SIM-based authentication make the conflict between security and user experience a thing of the past.
SIM-based authentication is sometimes referred to as silent authentication — because that’s how it works. Apart from typing in the mobile number, there are no codes to insert, nothing to click, no passwords to type. Which, in a mobile-first world, is life-changing.
What’s more, SIM-based authentication is highly secure. The SIM card is the same tamper-resistant, cryptographic verification technology that you can see in every bank card. Just look closely, and you will see the chips look the same.
By verifying the SIM card alongside the mobile number, it's also possible to check for SIM swap activity, and if there are any red flags, take appropriate action.
Have you noticed any new cyber threats arise as a result of recent global events?
Two security threats emerged as a result of recent global events.
First, in 2020, as many as 1.9 billion individuals worldwide used online banking services actively. This number is predicted to reach 2.5 billion by 2024. The adoption of digital services, particularly financial services, has been exponential.
But with rising adoption comes rising fraud — to the point where some regulators, in the UK for example, are beginning to consider fraud a threat to national security. Phishing (where compromised passwords are predominantly the cause), SIM swap fraud, and payment fraud have all seen triple-digit rises.
The second security threat is the prevalence of the remote-first and now increasingly hybrid workforce. Securing employee access to business-critical systems has always been important, but with hybrid working, BYOD, and distributed teams, it’s become essential. The incidence of ransomware attacks has increased by 148% during the pandemic.
What would you consider to be the main issues associated with password-based authentication?
The password is, to put it simply, no longer fit for purpose.
First off, the password is a knowledge factor. Although something you know sounds good in theory, in practice it is a prime target for phishing and other types of social engineering. It’s also something you forget. The human tendency is to keep things simple and, therefore, guessable! Security rules then force people into contorted passwords and memorable information which is anything but simple to remember. Add touch keyboards on mobile, and you have a cocktail of usability problems and user frustration.
Secondly, as a result of the security vulnerabilities, password-based systems have to be fortified by a second factor — often a possession factor or something you have. Again, a great idea, but not if you create the friction of sending PIN codes by email or SMS. Again, both are phishable credentials. Issuing card readers or FIDO tokens also adds friction.
So you can see how, over time, the search for security has created complex, hard-to-use systems that still have big security holes.
In your opinion, why do certain organizations fail to recognize the need for quality authentication solutions?
I think organizations do recognize the need for quality authentication solutions, but they are overwhelmed by the sprawling security perimeter their business has to deal with, and they are struggling to find good solutions.
They’re confused by all the different MFA options out there, many of which sound good but still have an underlying dependence on passwords and so have the same vulnerabilities.
Solutions like tru.ID are so new and cutting-edge that they are not yet well known. This is why I’m delighted to be talking to cybernews® to let the world know that an innovative and new MFA method exists and that it’s both highly secure and easy to use.
Besides quality authentication methods, what other cybersecurity measures should companies have in place?
That’s a very big question – too big to give proper attention in this short space of time.
The cybersecurity problem is so big that most governments now publish guidance. Putting that guidance into action is probably the most important advice I would give to businesses.
Coming back to authentication, there are two other points worth making. Firstly, you will never get to 100% security – it’s all about making it hard enough for attackers that they choose to go elsewhere. What you need is to find a solution for >90% of your users, then you can concentrate on the edge cases. SIM-based authentication can help solve that 90% problem.
Secondly, try and avoid making your users a core part of your security architecture as they are not security professionals. It’s not reasonable to ask users to manage complex passwords because they will fail. It is also not reasonable to expect users to never click on email links. Having those requirements means you are expecting humans to be part of your security and that is never going to work. The good news is, there are better solutions now. A hardware-based possession factor and biometrics can help remove the dependency on user behavior.
Talking about average individuals, what best practices should users follow to keep their identity and online accounts safe?
Let’s be honest, no one wakes up in the morning thinking that they must enable 2FA on their accounts. But when you do get that email from an account provider requesting that you enable 2FA, take it seriously and do it.
Since many organizations still need a password, it’s a good idea to also use a password manager that lets you have unique, long passwords that are much more secure.
If you don’t want to do any of that, then try using long phrases you can remember more easily but which are hard for bad actors to guess.
But, overall, if there is an alternative to a password, choose that.
Would you like to share what’s next for tru.ID?
Trillions of dollars are being spent on fighting and paying for cybercrime. That is the money the world should be using to fight bigger issues, like global warming.
We want to help businesses remove their dependence on passwords. To make that happen, we must make it easy to integrate tru.ID technology.
So far, we have focused on consumer apps. Our APIs get praise from the engineering community frequently and already make it easy to embed SIM-based authentication.
We also want to make it easy for businesses to secure their employees. So we plan to introduce OIDC-compatible authentication solutions that will integrate with leading workforce identity management platforms.
Above all, we want to grow awareness of our innovative new authentication solution. SIM security is already in everyone’s pocket and now tru.ID can help you quickly and easily deploy it.
That's why I hope your readers will hear a lot more about us in the near future.