Think of STIR/SHAKEN as a security stamp for phone calls. It’s a system that lets phone companies share more details about who is calling so we can all start trusting our phones again. The main goal is to stop illegal spoofing (when scammers fake a phone number) and malicious robocalling to protect you from fraud.
What exactly is STIR/SHAKEN?
In the US, the government passed the TRACED Act in 2019 to fight robocalls and number spoofing. This law told the FCC to make sure phone companies use solutions like STIR/SHAKEN.
The names STIR (Secure Telephone Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) are industry standards. When a call starts, the originating phone company adds a secure "digital signature" to it. This signature is a secure token that proves which phone company started the call.
What is Attestation?
Attestation is simply a "confidence level" or proof attached to a call. It tells the company receiving the call how much the originating phone company knows about the person placing the call and if they have the right to use that caller ID number.
Here are the three levels:
A (Full) Attestation: The service provider knows who the customer is and has confirmed they’re allowed to use that phone number. This is the highest level of trust.
B (Partial) Attestation: The service provider knows who the customer is, but they can't confirm if the customer is allowed to use that specific phone number.
C (Gateway) Attestation: The service provider knows where the call came from (like a different country or another company), but they don't know the original source or who the caller is.
An attestation level of B, or C is not a definitive indicator your call will get backed or labeled as spam. Rather, it provides context regarding the call’s origin. Fraudulent activity can still occur even with verified signatures, as the framework prioritizes confirming the number’s legitimacy over the caller’s actual intent.
Carriers typically don’t use these levels as the sole basis for such actions. Based on our understanding, while specific details are proprietary, mobile carrier analytics engines generally don’t weigh attestation as a primary factor in real time assessments. Thus, having a B or C-level rating shouldn’t cause a call that’s otherwise rated positively to be flagged as spam.
Nonetheless, proactively signing your traffic remains crucial for regulatory compliance with the FCC and ensures you’re ready as call authentication evolves. As the industry advances toward maintaining signatures across diverse networks and equipment, it’s possible that attestation levels will play a more significant role in future call outcomes.
What's driving this change?
Robocalling and spoofing are the top complaints consumers make to the FCC. STIR/SHAKEN is one major step in the industry's effort to stop these bad actors from scamming people and businesses. On the flip side, we also need to make sure important calls like school alerts or prescription reminders get delivered successfully.
Bandwidth is committed to fighting illegal robocalls using a three-part approach: prevent, detect, and mitigate. You can read more about Bandwidth’s approach to fighting telecom fraud.
How does STIR/SHAKEN work?
As a call begins, the originating service provider uses their Secure Telephone Identity Authentication Service (STI-AS) to generate a secure SIP identity header. This encrypted header contains several key data points:
Attestation level
Date and time
Calling FROM number
Calling TO number
Origination ID for analytics and/or traceback
Location of certificate repository
Signature
Encryption algorithm
The following diagram shows the high-level call flow for SHAKEN calls:
SIP INVITE is received by the originating service provider, who looks at the call source (customer) and calling number to determine the level of attestation to provide for the call.
The originating service provider sends a SIP INVITE to the authentication service.
Authentication service returns SIP INVITE with SIP Identity Header containing PASSporT header, PASSporT payload, PASSporT signature, encryption algorithm, and location of certificate repository.
SIP INVITE with Identity header is sent to the terminating service provider.
The terminating service provider sends a SIP INVITE with an Identity header to the Verification Service.
Verification Service obtains the digital certificate with the public key, decodes the identity header, and verifies that the originating service provider is authorized to originate calls for the calling number.
Verification Service returns results indicating whether the Identity Header was valid and whether TN Validation passed, failed, or wasn't performed.
The terminating service provider completes the call to the called party.
How does Bandwidth handle Call Attestation?
The following procedures are for outbound traffic originating from US-based phone numbers:
If you sign your own calls: Bandwidth will simply pass along your existing digital signature exactly as received.
If you use Bandwidth’s Hosted Signing Service: After signing a contract addendum and providing your SPC token and Certificate during setup, we’ll apply your signature to any unsigned traffic. We’ll use the specific attestation levels you’ve designated for your account.
If no signing arrangements are made: Bandwidth is legally obligated to sign outbound US traffic to meet our Intermediate Service Provider requirements. However, this does not fulfill your own regulatory signing obligations. To remain compliant, you must utilize our Hosted Signing Service or an alternative solution. Any traffic that Bandwidth signs in its role as an Intermediate Service Provider (ISP) will receive a C (Gateway) Attestation.
A few final thoughts
We strongly recommend talking to your legal team to understand any regulations you need to follow as a service provider.
Check with your equipment vendor to make sure your systems are ready to handle the new information STIR/SHAKEN adds to calls.
We recommend this guide as it details the procedures to be followed by the service provider in order to participate in the SHAKEN ecosystem.
For more information, see Understanding STIR/SHAKEN and STIR/SHAKEN Resources.
