SIM authentication is the newest innovation in MFA and can transform every employee’s mobile phone into a cryptographically secure, hardware-grade security solution for the whole organization.
MFA is necessary because hybrid working is here to stay. Only 15% of employees believe they are less efficient at home than they were on business premises. As the protection perimeter sprawls, it becomes more challenging than ever to secure the enterprise against the leading cause of data breaches; compromised passwords.
Removing passwords is a key strategic objective for IAM leaders, but achieving this is far from simple. Legacy systems, on-premise or cloud-based access, SaaS, BYOD – all add to the trade-off of tighter security against risk.
Tighter Security vs. Ease of Use
Multi-factor authentication (MFA) is usually added as a countermeasure to password-based vulnerabilities.
FIDO tokens come as keys, dongles and handheld readers that generate time-limited passcodes of the stronger passwordless MFA methods. Users generally dislike but must comply with the cumbersome experience. Meanwhile, IAM teams absorb the costs and complexity of supporting this security choice.
The drawbacks mean that hardware tokens tend to be issued only to individuals identified as high-risk, leaving most of the workforce vulnerable.
In Search of a Universal Security Solution
Any security solution to be deployed universally must meet a rigid set of requirements:
- Easy to deploy
- Easy to use
- Easy to manage
- Cost-effective
- Highly secure
Until recently, it just wasn’t possible to tick all of these boxes.
The Pros and Cons of Current Hardware MFA
Hardware MFA may be highly secure, but it fails on the other criteria:
- At $50-$100 each, costs escalate, so only ‘high-risk’ individuals are issued tokens.
- These small devices are easily lost, stolen and expensive to replace. They also risk ending up in the wrong hands.
- Remembering the device at all times, plus typing time-sensitive passcodes, is effortful for users.
- Providing access for remote workers and contractors, increasingly necessary in hybrid workplaces, is challenging.
Thankfully, there’s an innovative MFA alternative – using the SIM card in employees’ mobile phones to get strong, hardware-grade security without any extra hardware.
A New User-Friendly Hardware Solution: SIM-Based MFA
The SIM card acts as a secure possession factor in an IAM context but with a unique advantage. Every employee already has one at all times - it’s in their mobile phone – and they’re very motivated to keep it safe.
SIM authentication is how networks verify their 5 billion customers every time they make calls or use data and charge them correctly. No extra credentials are needed to ‘log in’ to a mobile network – authentication happens automatically in the background between the SIM card and the operator. SIM authentication is seamless to the user.
Now, network authentication is being made available to businesses, offering compelling benefits for IAM:
- Easy to deploy: Already present in every employee’s pocket, SIM authentication allows rapid onboarding of new employees and continuous authentication of all the workforce.
- Easy to use: A simple, familiar experience that doesn’t require extra user input.
- Easy to manage: SIM authentication can be integrated using OIDC, and the mobile number is a standard LDAP field.
- Cost-effective: There are no upfront costs for devices or shipping. Pricing is typically per employee per month.
Proven Cryptographic Security
Inside the SIM card is the same cryptographically secure, tamper-resistant authorization technology inside every bank card. When deployed in a mobile phone, it has a unique identifier – international mobile subscriber identifier, or IMSI. The SIM also stores a secret key (or ‘Ki’; a 128-bit value) and an algorithm that provides cryptographically secure authentication with the IMSI.
- Tamper-resistant: The Ki is stored in solid-state storage within the SIM card. The card has tamper-proof housing.
- Unclonable: Modern SIM cards using COMP128v2/v3 block access to the Ki, preventing cloning.
- Out-of-band: SIM security is independent of the physical mobile handset, OS, and apps – there’s no risk of compromise via rooting, hacking or malware.
- No PIN codes: With no passcodes which can be intercepted, man-in-the-middle attacks are impossible.
Implementation Options
To learn more or to get started with implementation, a specialist partner such as tru.ID can provide a packaged solution via API or embedded into an authentication app. The app-based solution can also be enhanced by biometric MFA. Integrating SIM-based authentication for IAM can happen with either OIDC or REST API. It also works with eSIMs.
Summary
SIM authentication is cryptographically secure, easy to implement and effortless to use. Unlike established hardware solutions, SIM authentication combines security with usability and provides an ideal, cost-efficient solution to protect the entire workforce by quickly and easily deploying hardware-grade authentication without additional hardware.
