What is Mécanisme d’Authentification des Numéros and Why It Matters for the Telecom Industry, the French Society and Europe
Have you ever received a call from a number that looked familiar, but turned out to be a scammer or a robocaller? If so, you have been a victim of caller ID spoofing, a technique that allows fraudsters to hide their true identity and pretend to be someone else. Caller ID spoofing can lead to various forms of scams, such as phishing, vishing, swatting, and wangiri, which can cause you to lose money, trust, or even your life. France is one of the countries most affected by this problem, ranking fifth in the world in terms of spam calls received per user in 2020.
To fight back against this threat, France has introduced a new number authentication mechanism, or MAN (Mécanisme d’Authentification des Numéros), which is a set of rules and standards that aim to verify the identity of the caller and the number they use, blocking the call or the message if they are not verified. MAN is mandated by the Naegelen law, which was passed in July 2020 and came into force on July 25, 2023. The law also requires telecom operators to work together and follow the technical standards defined by the French telecom regulator, ARCEP.
But this Mechanism is not just a solution for France. It is also part of a bigger vision and strategy for a secure and interoperable digital identity for all EU citizens and businesses. MAN is aligned with the European Commission’s Communication 2030 Digital Compass: The European Way for the Digital Decade, which sets out a number of goals and milestones for electronic identification, including the creation of a common toolbox and a European Digital Identity Wallet. The European Digital Identity Wallet will allow EU citizens and businesses to access online services across the EU using their national digital IDs, which will be verified and authenticated using various methods, such as biometrics, PIN codes, or certificates.
MAN is based on the STIR/SHAKEN framework, which is a suite of protocols and procedures developed by the Internet Engineering Task Force (IETF) and adapted to the US context by the Alliance for Telecommunications Industry Solutions (ATIS) and the SIP Forum. STIR/SHAKEN works by adding a digital certificate to the SIP information used to initiate and route calls in VoIP systems, which can be verified by the receiving operator using a public key. The certificate also contains an attestation level, which indicates how much the caller’s identity and number are trusted. There are three levels of attestation: A (full), B (partial), and C (gateway).
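As an added illustration (not code from this article, ARCEP, or any operator), the sketch below shows what a receiving operator reads from the STIR/SHAKEN SIP Identity header: it decodes the signed token (a PASSporT, RFC 8225 with the SHAKEN claims of RFC 8588) and checks the attestation level, the calling and called numbers, and the token's freshness. The function names, phone numbers, certificate URL and the 60-second window are assumptions, the sample header is constructed, and the ES256 signature check against the certificate is deliberately left out because it needs a cryptography library.

```python
import base64
import json

# Added illustration; function names and sample values are constructed.
ATTEST = {"A": "full", "B": "partial", "C": "gateway"}

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def parse_identity(value):
    """Split an Identity header value into (JOSE header, claims, parameters)."""
    token, *params = [p.strip() for p in value.split(";")]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT needs header.payload.signature")
    jose = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return jose, claims, dict(p.split("=", 1) for p in params if "=" in p)

def check_claims(jose, claims, sip_from, sip_to, now, max_age=60):
    """Non-cryptographic checks only; the ES256 signature is NOT verified here."""
    problems = []
    if jose.get("alg") != "ES256" or jose.get("ppt") != "shaken":
        problems.append("unexpected alg/ppt")
    if not str(jose.get("x5u", "")).startswith("https://"):
        problems.append("x5u is not an https URL")
    if claims.get("attest") not in ATTEST:
        problems.append("unknown attestation level")
    if claims.get("orig", {}).get("tn") != sip_from:
        problems.append("orig tn does not match calling number")
    if sip_to not in claims.get("dest", {}).get("tn", []):
        problems.append("dest tn does not match called number")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        problems.append("iat outside freshness window")
    return problems

def sample_identity(iat, attest="A"):
    """Constructed header value; the third segment is a placeholder, not a signature."""
    x5u = "https://certs.example.invalid/sp.pem"
    jose = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": ["33155550100"]}, "iat": iat,
              "orig": {"tn": "33155550199"},
              "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join([b64url_encode(jose), b64url_encode(claims), "UExBQ0VIT0xERVI"])
    return f"{token};info=<{x5u}>;alg=ES256;ppt=shaken"
```

An empty list from `check_claims` only means the claims are internally consistent with the call; a verifier must still validate the signature and the certificate chain before trusting the attestation level.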
MAN follows the same principles as STIR/SHAKEN, but with some differences in the implementation and governance. For example, MAN uses a different certificate authority system, which is managed by ARCEP and involves four roles: the root certificate authority (ARCEP), the delegated certificate authorities (DCAs), the certificate service providers (CSPs), and the certificate users (operators). MAN also defines a different set of procedures and rules for the issuance, revocation, and renewal of certificates, as well as for the verification and validation of calls.
MAN and STIR/SHAKEN both address the challenges of interoperability, security, and privacy, but in slightly different ways - each with its own pros and cons. For example, MAN has a more centralized and regulated certificate authority system, which may increase the trust and accountability of the operators, but also introduce more complexity, potentially leading to a less effective system overall. STIR/SHAKEN has a more decentralized and market-driven certificate authority system, which may reduce the cost and overhead of the operators, but also create more fragmentation and inconsistency. Both MAN and STIR/SHAKEN have to deal with the issues of cross-border and cross-network interoperability, as well as the protection of personal data and the respect of user preferences.
France is not the only country that has adopted or is planning to adopt number authentication based on STIR/SHAKEN or similar frameworks. In the US, number authentication is required by the TRACED Act, which was passed in 2019 and set a deadline of June 30, 2021 for large operators to implement STIR/SHAKEN. Smaller operators have until June 2022 or June 2023, depending on their size and traffic volume. The Federal Communications Commission (FCC) oversees the implementation and enforcement of STIR/SHAKEN in the US. In Canada, number authentication is required by the Canadian Radio-television and Telecommunications Commission (CRTC), which set a deadline of November 30, 2021 for all operators to implement STIR/SHAKEN. The CRTC also coordinates with the US and other countries to ensure cross-border interoperability. Other countries that are exploring or developing number authentication solutions based on STIR/SHAKEN include the UK, Australia, Japan, and India.
MAN has a huge impact on the telecom industry in France and beyond. Implementing MAN can bring various benefits for telecom operators, service providers, and customers, such as:
Improving the quality of service, by reducing the number of unwanted and fraudulent calls and messages, and increasing the accuracy and reliability of caller ID information.
Enhancing the customer experience, by increasing the trust and confidence of the users in answering and making calls and messages, and providing them with more control and choice over their communication preferences and privacy settings.
Strengthening the trust and transparency in the telecom market, by creating a level playing field for all operators and service providers, and ensuring compliance with the legal and regulatory requirements and standards.
However, implementing MAN also involves some challenges and risks, to name a few:
Technical complexity, as MAN requires the deployment and integration of new hardware and software components, the adaptation and testing of existing systems and processes, and the coordination and collaboration of multiple stakeholders and parties.
Operational overhead, as MAN requires the management and maintenance of the certificate authority system, the issuance and revocation of certificates, the verification and validation of calls and messages, and the reporting and auditing of the performance and compliance of MAN.
Compliance issues, as MAN requires the operators and service providers to comply with the Naegelen law and the ARCEP’s technical standards and procedures, as well as with other relevant laws and regulations, like the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
Fraud prevention, as MAN does not eliminate the possibility of fraud, but rather shifts the focus and the methods of the fraudsters, who may try to exploit the vulnerabilities and loopholes of MAN, such as obtaining fake or stolen certificates, bypassing the verification and validation processes, or using alternative channels and platforms for spoofing and scamming.
The French Authentication Mechanism can also enhance the role of mobile carriers in providing digital identity solutions for their customers. Digital identity is the representation of a person’s identity in the digital world, which can be used to access online services, verify transactions, and protect personal data. Mobile carriers have a unique position and opportunity to offer digital identity solutions, as they have access to a large and loyal customer base, a secure and ubiquitous network infrastructure, and a trusted and regulated relationship with the authorities and the users.
With MAN, mobile carriers can offer various digital identity services to their customers. For example, they can provide verified caller ID services, which show the user the verified identity and number of the caller, along with the attestation level and the verification status of the call. This can help the user make an informed decision about whether to answer or reject the call, and to report or block any suspicious or unwanted calls. They can also offer identity verification services, which use the verified identity and number of the user, as well as other factors, like biometrics, PIN codes, or SIM cards, to verify the user's identity and authenticate the user's access to online services, such as banking, e-commerce, or e-government. Even more so, they can enable identity management services, which allow the user to manage their digital identity and preferences by choosing which identity attributes to share, which services to trust, and which privacy settings to apply, using a mobile app or a web portal.
MAN can help mobile carriers to leverage their existing assets, ranging from customer data, network infrastructure, to SIM cards, in order to create value-added services and new revenue streams, as well as to differentiate themselves from the competition and to increase customer loyalty and satisfaction.
One of the main challenges and opportunities for achieving cross-border interoperability of number authentication and digital identity schemes in the EU is the harmonization of standards, the mutual recognition of certificates, the coordination of authorities, and the protection of privacy and data. These issues need to be addressed at both the technical and the legal levels, as well as at the organizational and the political levels.
At the technical level, the interoperability of number authentication and digital identity schemes requires the alignment and adaptation of the technical standards and protocols used by the different countries and operators, such as STIR/SHAKEN, MAN, or other frameworks. This may involve the development and adoption of common specifications, guidelines, and best practices, as well as the testing and validation of the interoperability and compatibility of the systems and processes.
At the legal level, the interoperability of number authentication and digital identity schemes requires the mutual recognition and acceptance of the certificates and the identity attributes issued and verified by the different countries and operators, as well as the compliance with the relevant laws and regulations - the GDPR, the ePrivacy Directive, or the Naegelen law for instance. This may involve the establishment and implementation of common legal frameworks, agreements, and mechanisms, similar to the European Electronic Identification, Authentication and Trust Services (eIDAS) Regulation, which provides a legal framework for electronic identification and trust services in the EU.
At the organizational and political level, the interoperability of number authentication and digital identity schemes requires the coordination and collaboration of the authorities and the stakeholders involved in the governance and the implementation of the schemes, such as ARCEP, FCC, CRTC, European Commission, national governments, telecom operators, service providers, and users. This may involve the creation of and participation in common platforms, forums, and networks, like the European Electronic Communications Code (EECC), which establishes a harmonized regulatory framework for electronic communications in the EU, or the STIR/SHAKEN Governance Authority (SGA), which oversees the policy and technical aspects of STIR/SHAKEN in the US.
The interoperability of number authentication and digital identity schemes can bring various benefits for the users and the service providers across the EU:
Enhancing the trust, security, and convenience of cross-border and cross-network communication, by ensuring that the caller’s identity and number are verified and authenticated, and that the user can access online services using their national digital identity.
Reducing the costs and barriers of cross-border and cross-network communication, by simplifying and harmonizing the technical and legal requirements and standards, and by facilitating the mutual recognition and acceptance of certificates and identity attributes.
Promoting the innovation and competitiveness of the telecom and digital identity markets, by creating new opportunities and challenges for the operators and service providers, and by stimulating the development and adoption of new technologies and solutions.
I believe that MAN is a promising and progressive initiative that can contribute to the advancement and improvement of the telecom and digital identity sectors in France and beyond. It’s also worth noting that it is not a perfect or a final solution in any way, but rather a step in a long and complex journey that requires continuous research and development, as well as collaboration and cooperation among the different actors and parties.
Mécanisme d’Authentification des Numéros can bring various benefits for the telecom industry and the society, such as improving the quality of service, enhancing the customer experience, strengthening the trust and transparency in the telecom market, boosting the role of mobile carriers in providing digital identity services, and facilitating the cross-border and cross-network interoperability of number authentication and digital identity schemes. However, it also involves some challenges and risks, from technical complexity, operational overhead to various compliance issues, which might need to be addressed and overcome by the authorities and the stakeholders involved in the governance and the implementation of MAN.