
Six years ago the UK’s major mobile operators began to deploy a service called ‘Number Verify’ (here), which made it both easier and more secure to authenticate a user’s identity for online transactions. Vodafone has now announced that the UK, Germany and the Netherlands will be the first countries to get v2.0 of the phone number authentication API.
Most consumers are probably already aware of the common Two-Factor Authentication (2FA) process, which works to verify users with a login/password (or other method) by sending a one-time passcode (OTP) to the consumer’s mobile phone. The customer then inputs that code into an app or website and are then able to complete the login.
However, SMS OTP only confirms that someone entered a code sent to a mobile number. It does not prove that the real subscriber is present or that the authentication journey has not been compromised, which is something fraudsters often try to manipulate.
Advertisement
The original Number Verify service simplified that process by verifying customers through matching phone numbers used in a website or app session, which ensured the details being provided are the same registered on the customer’s account (this method was also PSD2 SCA – Strong Customer Authentication – compliant). But this still wasn’t perfect and over time fraudsters are adapting.
By comparison, Number Verify 2.0 improves that process and can now work over Wi-Fi as well as mobile data, including while roaming (v1 only worked with mobile data). Various other improvements have also been made, such as via OS-level integration and cryptographic SIM tokens (TS.43) – the latter are temporary, tamper-proof network tokens. The CAMARA API (Application Programming Interface) is now also much more standardised.
The new version thus gives businesses a “simpler, more secure and seamless way to verify a user’s mobile phone number without SMS one-time passcodes“. It uses the mobile network to verify that a user’s phone number is associated with their SIM and device across both app and web journeys, whether the user is on mobile data or Wi-Fi.
Johanna Wood, Director of Network APIs at Vodafone, said:
“SMS OTP has been the default for over a decade, but it was never built for the threat environment we operate in today. Number Verify 2.0 changes that by giving developers a way to verify phone numbers that is faster, safer and seamless for the user.
Launching Number Verify 2.0 simultaneously in three countries marks the start of our global rollout for enterprise customers.”
The mobile number remains one of the most widely used identifiers for registration, login, account recovery and transaction confirmation, yet Vodafone notes that the industry’s default verification method has “not kept pace with modern fraud threats or user expectations“. The new version is an attempt to address those shortcomings.
Advertisement
Number Verify 2.0 is also said to offer enterprises, such as banks, retailers and social media platforms, multiple benefits, including:
Higher conversion rates: removing manual mobile number entry, SMS wait times and code typing from onboarding, login and account recovery flows.
More secure by design: eliminating human-readable OTPs that can be phished, intercepted or socially engineered.
Keeps costs down: reducing unnecessary SMS spending, failed OTP attempts and exposure to artificial traffic.
Advertisement
The upgrade is already said to be “now available” in the UK, Germany and the Netherlands, albeit initially only on Android based devices (Smartphones, tablets etc.). But this is a system that is designed to ensure interoperability across other mobile operators and markets, so Vodafone won’t be the only one to deploy it.
Advertisement
So we can forget about those awful passkeys that we’re being pressured to use?
I’m curious at to why you consider them to be awful?
@binary because I don’t understand them. Passcodes via SMS, email, hardware token or phone app (but not MS or Google) are fine but with passkeys how do I back them up, how do I copy to another device, what if my device dies, is lost or stolen or I just buy a new one? And please don’t say “MS/GOOGLE back them up to some magic place because I trust them about as far as I can throw them. I believe (but I may be wrong) that Windows stores them in the TPM, Android in…? So how do I get a copy to my second pc or phone? The answer seems to be that you don’t. If that account is now locked down with a passkey locked in a particular pc then how do I connect with my phone? If I can still get in with id and PW then I just sidestepped passkeys. Or maybe I’m locked out on all devices except the one with the passkey? So… ? I note that earlier this year password managers started to support them which suggests to me that passkeys are a moving target, someone realised that the “security” is so tight you can’t get in. I also read various technical journals and avidly read anything about passkeys to try to lift the fog. The comments, from people working with current technology, are universally negative. I’m avoiding them until I’m confident that I can backup/restore off device and copy to a new device. The obfuscation, the language used us not good but I imagine a lot of people will blindly accept them and suffer the consequences at a later date.