How do authentication systems tell mobile and VoIP numbers apart?

SMS-based two-factor authentication is a common method to add an extra layer of security beyond passwords. After entering their login credentials, users using SMS 2FA will receive a one-time passcode via text message to their registered mobile phone number. After that, they enter this code to verify that they are attempting to access the account. SMS 2FA takes advantage of users already having their phones with them to receive login verification codes, providing a convenient second factor of authentication. However, ensuring the registered phone number is truly linked to a real mobile carrier rather than a voice-over IP (VoIP) service is important for the security of this 2FA method.

Because VoIP numbers can be obtained and accessed remotely without requiring the physical possession of a device, they are more convenient for attackers. To prevent vulnerabilities, authentication systems need to distinguish between multiple types. So how can they tell if a number belongs to a VoIP or real mobile service?

Carrier identification through network lookups

The SMS passcode that is sent by a 2FA provider is first routed through an SMS infrastructure such as Twilio. The Home Location Register (HLR), a database that offers carrier and routing information for phone numbers, is searched for using this infrastructure.

Information such as the recipient carrier's SMSC (Short Message Service Centre) assignment is disclosed in the HLR response. The carrier names and other metadata associated with the numbers can then be assigned by cross-referencing this data with intelligence databases. Should a phone number's SMSC correspond with a recognised VoIP provider, systems may flag it as VoIP.

Prefix pattern recognition

VoIP service providers frequently allocate numbers in recognisable prefixes or blocks. To identify VoIP ranges, authentication platforms typically issue rules based on the analysis of number patterns. In North America, for instance, area codes like 900 are devoted to VoIP. Based on this intelligence, systems refuse 2FA to numbers that correspond with VoIP prefixes. 

At Daito, we only offer verified business numbers

While some services occasionally provide VoIP numbers that have been ported, Daito uses only business mobile lines that have been verified, meaning that security is increased. Daito eliminates the risks associated with using VoIP or personal credentials for multi-factor login access across tools by providing a centralised solution designed for teams.

In conclusion, 2FA systems distinguish genuine mobile carriers from VoIP services using a combination of static intelligence databases and real-time network lookups. Centralised authentication solutions like Daito provide even greater assurance for security-driven businesses.