You don’t leave the house without it and there’s a good chance you check your phone several dozen times a day. In fact, you might even check your phone before finishing this article. It’s okay, we won’t take it personally. (And sorry for planting the idea in your head.)
Phones can reveal a lot about their owners. And organizations can use a phone number to find or infer various identity- and risk-related signals. As a result, phone verifications can be a simple way to detect bad actors without annoying legitimate customers. Here’s how it works.
What is phone verification?
Phone verification can encompass several processes that help you determine:
- Whether the person owns or is associated with a phone number.
- How much risk is associated with a phone number.
- Whether the person has possession of the phone number at the moment of verification.
Some organizations limit the definition of verifying a phone number to confirming possession in the moment. But at Persona, we see phone verification as more than answering a single question.
For example, using phone verification to establish ownership or association with the phone number can be important for corroborating identity and preventing fraud. This can be accomplished by comparing an applicant’s personally identifiable information (PII) collected during onboarding with records from an issuing or authoritative database.
- Phone carrier verification: An issuing database verification checks with the phone carrier to confirm a submitted name matches the name and number in its database.
- Authoritative database verification: Authoritative databases collect and store information from various sources but don’t issue identifying information on their own. For example, the credit bureaus’ credit header data can include a person's name, date of birth, Social Security number, recent addresses, and phone numbers.
A match can help confirm that the person owns or is associated with the number, and substantiate their claims about their identity.
Using phone verification to assess risk
Organizations can also use phone risk reports to evaluate the risk associated with a phone number based on various attributes and signals. These reports may contain different information depending on the provider, and some include a risk score or rating and recommendations.
Persona’s Phone Risk Report has nearly global coverage across 175+ countries and territories, and includes results on:
- Phone type: Such as a fixed line, mobile phone, or voice over internet protocol (VoIP) number, with recommendations on whether to flag or block based on corresponding risk levels. Persona also offers phone type results separate from the full Phone Risk Report.
- Phone carrier: Such as Verizon, AT&T, or T-Mobile.
- Risk levels: Ranging from 1 (low risk) to 5 (high risk).
- Risk score: Ranging from 0 to 100 with corresponding risk levels.
- Risk recommendations: Recommendations to allow, flag, or block based on the results.
Various device and behavioral signals can affect the risk assessments, such as:
- Unusual velocity and behavior patterns, such as indicators that multiple people or accounts share the same phone number.
- When the phone number was created.
- Whether the number is on blocklists.
- Whether the phone number was recently changed to a new phone at a different carrier.
- Whether the SIM card was recently swapped to a new phone.
- Whether the area code aligns with the person’s current or previous address.
These may offer insights on their own, when combined with other applicant information, and when viewed within the context of data from a fraud consortium.
Phone verification from the consumer’s perspective
Aside from asking for basic identifying information, you can use phone verifications to help establish identity and evaluate risk with little or no consumer involvement.
These no-friction checks can dynamically lead to an approval, block, or manual review. Depending on the results, you might step up to an SMS or SIM-based verification — or other type of verification customized to your business needs and audience’s preferences.
Even if you start with an SMS-based verification to confirm possession, most people are familiar with these requests. You’ve almost certainly entered a code from a text message into an app or web browser before — your phone might even do it for you automatically.
For an even lower-friction process, some organizations use SIM-based phone verifications rather than a one-time password (OTP) to confirm possession. The silent mobile verification confirms ownership by connecting directly to mobile network operators and confirming that the phone number and SIM card match. It may also be a more secure option than SMS-based verifications, which are susceptible to phishing, SIM-swapping, and other types of attacks.
In addition to using SMS- or SIM-based phone verifications as part of fraud prevention and identity verification at onboarding, organizations may also use similar multi-factor authentication (MFA) processes to authenticate existing users.
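One way to turn the no-friction signals listed earlier into the approve, block, or manual-review routing and the step-up choice described in this section, as an added example that is not Persona's code or API. The field names, the 30-day window, the shared-account threshold, and the level cut-offs are assumptions chosen for illustration, and the sample records in the test data are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PhoneSignals:
    # Hypothetical field names; not any provider's report schema.
    phone_type: str                      # "mobile", "fixed_line" or "voip"
    risk_level: int                      # 1 (low risk) .. 5 (high risk)
    on_blocklist: bool
    days_since_sim_swap: Optional[int]   # None = no swap on record
    days_since_port: Optional[int]       # None = number never moved carriers
    accounts_sharing_number: int
    name_matches_carrier: bool

RECENT_DAYS = 30   # assumed "recently changed" window
MAX_SHARED = 3     # assumed velocity threshold

def _recent(days: Optional[int]) -> bool:
    return days is not None and days <= RECENT_DAYS

def decide(s: PhoneSignals) -> dict:
    """Map signals to an action (allow / flag / block) and a step-up method."""
    hard = [r for r, hit in (("blocklisted", s.on_blocklist),
                             ("risk_level_5", s.risk_level >= 5)) if hit]
    if hard:
        return {"action": "block", "step_up": None, "reasons": hard}

    moved = _recent(s.days_since_sim_swap) or _recent(s.days_since_port)
    reasons = [r for r, hit in (
        ("recent_sim_swap_or_port", moved),
        ("voip", s.phone_type == "voip"),
        ("shared_number", s.accounts_sharing_number > MAX_SHARED),
        ("name_mismatch", not s.name_matches_carrier),
        (f"risk_level_{s.risk_level}", s.risk_level >= 3)) if hit]
    if not reasons:
        return {"action": "allow", "step_up": None, "reasons": []}

    if moved:
        # A code sent to the number only proves control of the *new* SIM,
        # so a possession check adds nothing here: send to a human.
        step_up = "manual_review"
    elif s.phone_type == "mobile":
        step_up = "sms_otp"              # or a SIM-based check where available
    else:
        step_up = "other_verification"   # VoIP / fixed line: use another method
    return {"action": "flag", "step_up": step_up, "reasons": reasons}
```

The branch worth noting is the recent swap or port: a risk-based flow that falls back to SMS in that case would hand the possession check to whoever now holds the SIM.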
What are the benefits and drawbacks of phone verification?
Phone verifications can be a relatively simple and helpful addition to your onboarding process, but there are always pros and cons to consider.
Benefits
- Low or no friction: Many people are familiar with SMS-based verifications, and phones may even be able to autocomplete the OTP requests. You can also run database checks with basic PII to get phone risk reports without any friction.
- Improves access to customers: Confirming that a phone number is real and belongs to a customer can improve future communications, such as marketing outreach and payment reminders.
- Adds to your understanding of customers: Phone verifications can enrich the other information you gather to give you a more complete picture of a person’s identity and risk.
Drawbacks
- Susceptible to attacks: SMS verifications have vulnerabilities, including man-in-the-middle attacks, SIM swapping, and phishing.
- Depends on real-time connectivity: Although most people have a mobile phone, SMS verification requires the person to have cell phone service at the moment of verification.
- Reluctance to share phone numbers: Legitimate users might be reluctant to share their phone number because of privacy concerns or worries about getting bombarded by marketing texts.
How can organizations get started with phone verification?
Phone verification is fairly common, and many vendors offer phone verification solutions as a core product or part of a suite of tools for identity verification and fraud prevention.
When comparing your options, consider the outputs you want. Perhaps an SMS-based verification system is your goal. Or, you might be looking for more insights from device signals, the phone carrier type, or a complete risk report. It can also be important to understand the sources for the underlying information and analysis, regional coverage, and how you can use the results within your existing systems.
Contact us now to learn more about Persona’s phone verification options or how you can connect your current solution to Persona to improve your identity verification process.