Skip to main content
What is token-based authentication?
March 23, 2022 at 4:00 AM
Woman looking at iPhone

The STIR-SHAKEN framework is a legally mandated implementation for telecommunications services that's becoming a more and more prevalent part of how these services verify calls and protect users from spam calls, scammers, and more. Token-based authentication is a major element of how this process functions, allowing callers to be granted an attestation level that verifies their level of trust to other callers.

What is token-based authentication, exactly? As we’ve written previously, it isn’t necessarily a new practice. This kind of authentication has been a part of web browser processes for verifying protocols and procedures for years. Now, as spam calls have reached recent record highs, it’s legally required by the FCC to be implemented as a part of all telecommunications services.

Whether or not you’ve already implemented STIR-SHAKEN at your organization, it’s worth understanding how the token-based authentication process works so that you can better understand how it can impact your organization’s communications.

How authentication works

Token-based authentication is a complex, multi-step process that occurs in a matter of seconds. It takes place from the moment you first make the call to the moment that call is received by the person you’re attempting to contact.

When you make a call, your number you’re calling is received by a MySQL data link, which allows a verification tag to be displayed for the person you’re calling. From there, a certificate is produced that verifies that your number is accepted by a major telecommunications service provider, at which point the data is returned and inserted into your SIP header. The call is once again cross-checked against an API, then verified as legitimate to the person receiving the call.

This is, of course, assuming that all goes well through the authentication process. Not every call will be verified as legitimate if it can’t pass through the previously-mentioned steps, which will typically happen in the case of a spoofed call, robocall, or other type of spam call.

Authentication and attestation

The token-based authentication process determines the attestation level a call will receive once it’s displayed to the person receiving the call. There are three attestation levels. Knowing these levels can help you determine whether a call you’re receiving is from a valid source or if there’s a potential issue in the authentication process when you’ve made a call.

Full, or “A” Attestation, means a number has passed through the authentication process flawlessly. The caller has been successfully identified by the service provider and they are authorized to use the number they’re calling from.

Partial, or “B” Attestation, means that a caller has been successfully identified by the service provider, but not the source of the phone number.

Gateway, or “C” Attestation, means neither part of this verification process has been successful, and the service provider can identify neither the caller nor the source from which they’re calling. Calls with this level of attestation are most likely to be labeled as unverified or potential scams.

What authentication means for your organization

For a telecommunications service provider, being able to adequately authenticate calls is essential for maintaining trust in your network. This doesn’t just mean trust on the part of your users, but from other networks, too; if your network hasn’t implemented STIR-SHAKEN and doesn’t have this kind of authentication system in place, calls made by your customers are more likely to appear as unverified to customers of other providers.

That also means that authentication isn’t just a matter of trust. It’s a matter of adequate service for your users. If their calls aren’t recognized as legitimate or they’re being flooded with spam calls, important communications on both a personal and professional level can more easily become disrupted.

You can implement STIR-SHAKEN into your voice services with the help of the team at Prescott-Martini. To learn more or to get started, contact us now.

Subscribe to our newsletter
Let's keep in touch!

Stay updated on the latest news in the regulatory and compliance world! Sign up to receive our newsletter.