Best practices for call authentication – first proposal
The FCC asked the Call Authentication Trust Anchor (CATA) working group to recommend best practices for the implementation of call authentication. The TRACED Act required this step. The CATA has recently issued a report with proposed best practices. Here’s a summary overview.
The FCC published a public notice on October 1, 2020 asking for comments on these proposed best practices by October 16, 2020.
Summary of proposed best practices
The CATA working group proposed best practices in the following areas:
1. Subscriber vetting
The best practices document defines a few terms to discuss best practices for subscriber vetting:
Customer — the entity that purchased services, including the right to use a telephone number. This could be a person, enterprise, reseller, or value-added service provider.
End user — the entity using the service, such as initiating calls from the issued number.
Direct relationship — the customer and the end user are the same.
Indirect relationship — the customer and the end user are different.
Best practices distinguish between a direct and an indirect relationship between the originating service provider and the end user that initiates a call.
When there’s a direct relationship between the originating service provider and the end user, the normal retail practices of signing up the customer are sufficient to vet the customer/end user.
When there’s an indirect relationship between the originating service provider and the end user, best practices include the collection of additional information suitable for the nature of the relationship. The best practices document is not very specific about the information but offers the following example:
Providers will confirm the identity of new commercial VoIP customers by collecting information such as physical business location, contact person(s), state or country of incorporation, federal tax ID, and the nature of the customer’s business.
2. Telephone number validation
Telephone number validation is used to determine that an end user has a legitimate use of a telephone number used in caller ID.
In a direct relationship between the originating service provider and the end user, this is easily determined.
For an indirect relationships, the best practices document lists mechanisms that are currently under development for indirect attestation, such as Delegate Certificates, Letters of Authorization, and Central Database methods.
3. A-level attestation
Originating service providers should only authenticate calls with full attestation when they can confidently attest that the end user initiating the call is authorized to use the telephone number caller identity associated with the account of the end user.
Confidence for providing full attestation will come from completing the telephone number validation described above.
4. B- and C-level attestation
Originating service providers should only authenticate calls with partial or gateway attestation if telephone number validation has not been performed on the originating telephone number.
5. Third-party validation services
Originating service providers should use a third-party validation service when they cannot or choose not to perform telephone number validation. This approach may be particularly useful when vetting enterprises that acquire telephone numbers from multiple service providers.
6. International call originators using NANP numbers
Service providers that sell services to international call originators using NANP numbers should develop processes to validate that the calling party is authorized to use the telephone number or caller identity.
Domestic gateway providers may wish to include commercial terms and conditions with international providers that provide the tools and information to trust the validity of the calling identity.
Our STIR/SHAKEN products:
- Most affordable commercial solutions
- Work with any TDM and/or SIP network
- Include support with all aspects of deployment.
7. Ongoing robocall mitigation
Service providers should have ongoing robocall mitigation programs in addition to call authentication.
This information will only be used to respond to your inquiry. TransNexus will not share your data with any third parties. We will retain your information for as long as needed to retain a record of your inquiry. For more information about how we use personal data, please see our privacy statement.
TransNexus has a comprehensive suite of robocall prevention solutions.Learn more