Eric Nadalin, CTO, co-founder tru.ID, and Gentleman Farmer
Finally, after all those years, mobile network operators are starting to offer a secure and frictionless alternative to SMS. Learn more about Silent Authentication.
This is a great review of Silent Authentication, and the complex situation we find around this topic.
In essence, silent authentication is a possession API that avoids the customer having to do anything, unlike the relatively insecure SMS-based OTP (One Time Passcode), which NIST has deprecated since 2016, as discussed in this A2P article on my weblog.
Silent authentication is based on the old Mobile Connect work, which targeted developers but, like CAMARA, will only be used by aggregators. The reason is the mess of differing implementations across the 1500 carriers; aggregators will continue to be required to mask that mess.
The vision of silent authentication is great. However, only 60-70 carriers have implemented SA, and there are a number of wrinkles: MVNO access; the requirement that the device has a mobile data connection rather than WiFi; carriers worried about A2P SMS revenue loss rather than customer security; and regulators getting involved, which only adds politics, and with politics comes stupidity.
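To make the "possession API that requires nothing of the customer" idea and the mobile-data-only wrinkle concrete, here is an added illustration that is not from the talk, from tru.ID, or from any carrier. It assumes a simplified model of silent authentication: the brand issues a one-time check, the device fetches it over the cellular data path, and the carrier, which has already identified the SIM at the network layer, asserts the subscriber number for the brand to compare against the claimed one. `MockCarrier`, `RelyingParty`, the session ids and the phone numbers are all constructed for the example (the numbers are from the UK drama range); no real carrier endpoint or tru.ID API is modelled.

```python
import secrets
import hmac


class MockCarrier:
    """Constructed stand-in for a carrier's silent-authentication endpoint.

    In a real deployment the carrier identifies the SIM on its own cellular
    data path. Here a dict of cellular session id -> MSISDN stands in for that
    network-level identification; it is sample data, not any carrier's real
    behaviour.
    """

    def __init__(self, sessions):
        self.sessions = sessions

    def resolve_subscriber(self, session_id, over_wifi):
        # Over WiFi the request does not traverse the carrier's core network,
        # so there is no network-authenticated subscriber to assert. Fail closed.
        if over_wifi:
            return None
        return self.sessions.get(session_id)


class RelyingParty:
    """Brand-side logic (hypothetical structure): issue a one-time check, then
    compare the carrier's assertion against the number the user claimed."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.pending = {}  # check_id -> (claimed_msisdn, nonce)

    def create_check(self, claimed_msisdn):
        # The check id and nonce would normally be embedded in a URL that the
        # device fetches over mobile data; the user never sees or types anything.
        check_id = secrets.token_hex(8)
        nonce = secrets.token_hex(16)
        self.pending[check_id] = (claimed_msisdn, nonce)
        return check_id, nonce

    def complete_check(self, check_id, nonce, session_id, over_wifi=False):
        # pop() makes the check single-use: a replayed URL is rejected.
        entry = self.pending.pop(check_id, None)
        if entry is None:
            return False, "unknown or already-used check"
        claimed_msisdn, expected_nonce = entry
        if not hmac.compare_digest(nonce, expected_nonce):
            return False, "nonce mismatch"
        asserted = self.carrier.resolve_subscriber(session_id, over_wifi)
        if asserted is None:
            return False, "no carrier assertion: device not on mobile data"
        if not hmac.compare_digest(asserted, claimed_msisdn):
            return False, "SIM on the data path is not the claimed number"
        return True, "possession of the number verified"


def demo():
    # Constructed sample: one cellular session, drama-range UK numbers.
    carrier = MockCarrier({"cell-session-A": "+447700900123"})
    rp = RelyingParty(carrier)
    check_id, nonce = rp.create_check("+447700900123")
    results = {
        "mobile_data": rp.complete_check(check_id, nonce, "cell-session-A"),
        "replay": rp.complete_check(check_id, nonce, "cell-session-A"),
    }
    check_id, nonce = rp.create_check("+447700900123")
    results["wifi"] = rp.complete_check(check_id, nonce, "cell-session-A", over_wifi=True)
    check_id, nonce = rp.create_check("+447700900999")
    results["wrong_number"] = rp.complete_check(check_id, nonce, "cell-session-A")
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:13} -> {'PASS' if ok else 'FAIL'}: {reason}")
```

The point of the four cases in `demo()` is the trust model: the only thing the brand learns is what the carrier asserts about the SIM on the data path, so a check over WiFi has nothing to compare and must fail closed, and a check URL is single-use so a captured one cannot be replayed.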
The Q&A is really interesting, covering: detailed implementation issues; the state of SA roll-out in specific countries such as India; the role of device binding; the use of IP addresses for specific carriers; and the use of location information.
I left the conversation thinking silent authentication will continue to grow as part of a suite of authentication solutions, where aggregators will increasingly deliver an aggregated authentication capability depending on the brand's specific use case and end-customer connectivity. Eric is assured continued business well through the next decade 😉