Published in


What is Zero Trust SMS?

Before I explain what it means to enable “Zero Trust” for SMS, I need to explain what “Zero Trust” is. Zero trust was created in 2010 by John Kindervag, who at the time was a principal analyst at Forrester Research. So, let’s use John’s own words:

“Rooted in the principle of “never trust, always verify, Zero Trust is a strategic initiative that helps prevent successful cyberattacks by eliminating the concept of trust from an organization’s network architecture.”

Enabling Zero Trust for SMS

In the context of killing SMS scams, enabling zero trust for SMS would require the solution to assume every URL inside every SMS message is dangerous, unless verified.

What Zero Trust SMS is NOT

Any vendor who does not block every URL except for those that authenticate, is NOT enabling Zero Trust of any kind. It’s like an on/off switch vs a dimmer switch. Something either enables zero trust, or it does not. There’s no in-between or half-hearted measures. And this is how the entire cybersecurity industry defines zero trust too, not just me.

How to select a Zero Trust SMS vendor

Ask them if their new solution is built by, or powered by MetaCert. If it’s not, it’s not Zero Trust SMS.

If a vendor is positioning their solution as “Zero Trust” and it’s not powered by MetaCert, it’s misrepresenting what it does. This is true because no other company in the world has built the technology or global registry of URLs to enable zero trust for SMS. I predict competitors will come to market, but it’ll take at least a year for a cybersecurity company to build a meaningful dataset of URLs, technology, tools and techniques.

“Allowlist” ≠ Zero Trust

Creating a small “allowlist” (formally known as a “whitelist”) with say, a million URLs isn’t a zero trust strategy — that’s the old way of doing security. Unless a solution can authenticate tens of billions of URLs, it will annoy operators, brands, banks and subscribers.

Watch out for imposter vendors

Some vendors are literally stealing our IP right now, while misrepresenting their services as “Zero Trust SMS”. So we need to make sure mobile operators aren’t duped in the same way subscribers are being duped.

MetaCert pioneered Zero Trust URL Authentication and Zero Trust SMS

MetaCert didn’t just pioneer the concept of Zero Trust SMS, we pioneered the entire concept of Zero Trust URL & Web Access Authentication. SMS is just one implementation of that concept. Browser-based security for desktop protection is another. More will follow.

If you work for an operator, please avoid counterfeit services from vendors you don’t know, and I’ll help your subscribers avoid links from people they don’t know. Zero Trust URL authentication is the only way to kill FluBot, so I’d hate to have the concept’s reputation ruined by rogue vendors who now position themselves as security vendors.

Why I wrote this article

My mother told me this week that she was unable to get a blood or urine test because Ireland’s national health service (HSE) was hit with a phishing-led ransomware attack recently. I’m now taking it personally whenever I see a security vendor tell blatant lies about the capabilities of its security products and services. It’s not the HSE’s fault as I’m sure they were being protected by massive multi-billion dollar security vendors. It’s our fault as an industry for not trying something different — like… zero trust.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Paul Walsh

Paul Walsh


MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.