• There are no suggestions because the search field is empty.

STIR/SHAKEN

The STIR/SHAKEN protocol is a caller ID authentication framework used in IP-based voice networks to reduce robocalls and call spoofing. It verifies that a call is from the number it claims to be using digital certificates. STIR (Secure Telephony Identity Revisited) defines the technical standards, while SHAKEN (Signature-based Handling of Asserted Information Using toKENs) defines how providers implement them. STIR/SHAKEN compliance is mandated by the FCC for most U.S. carriers.

Glossary Home | S

STIR/SHAKEN is a call authentication framework that verifies caller identity to combat spoofed robocalls on IP-based phone networks. It helps service providers confirm that a call is coming from the number shown on caller ID.

STIR stands for Secure Telephony Identity Revisited and defines the standards for verifying call signatures. SHAKEN, or Signature-based Handling of Asserted Information Using toKENs, outlines how service providers apply these standards within their networks. Together, they support compliance with FCC rules requiring most U.S. carriers to implement this protocol across their systems. STIR/SHAKEN compliance improves call legitimacy and makes it easier to identify fraudulent traffic.

Upgrade Your Business Communications

Explore secure, reliable voice solutions built to support STIR/SHAKEN compliance, reduce spoofed calls and keep your teams connected across every location.

See SMS/MMS for for UCaaS 

Why Was STIR/SHAKEN Developed?

The Problem: Caller ID Spoofing & Robocalls

Telecommunications networks saw a sharp rise in scam and spam calls using spoofed telephone numbers. This increase disrupted businesses, overwhelmed call centers and compromised PBX systems. Without a consistent way to verify the calling party, voice service providers had limited tools to stop suspicious calls or trace their origination.

Legacy PSTN and VoIP systems were not built to support caller ID authentication across networks. Providers could not reliably identify the true call source or determine if a calling number was legitimate. The Federal Communications Commission responded with mandates under the TRACED Act, requiring providers to adopt a framework that could reduce unwanted robocalls and support call blocking efforts.

The Solution: Caller Identity Authentication

The STIR/SHAKEN framework was developed by the Internet Engineering Task Force (IETF) and ATIS to close this technical gap. It introduced a standardized way for providers to validate phone calls using digital certificates issued by a certificate authority.

Instead of relying on the phone number alone, calls now include an identity header that helps confirm the source. Based on how much information the provider can confirm, calls receive full attestation, partial attestation or gateway attestation.

Key outcomes of implementing the STIR/SHAKEN protocols include:

  • Improved protection against spam calls and spoofed caller ID information
  • Reliable call source validation for incoming calls
  • Better traceback support for identifying malicious traffic
  • Stronger call routing accuracy for legitimate calls

The framework supports both IP-based and traditional voice services and is tied to compliance with the FCC's robocall mitigation database, making it a key step in improving trust across telecom networks.

How Does STIR/SHAKEN Work?

STIR/SHAKEN works by using public key infrastructure to verify the identity of callers as a call travels through interconnected IP-based networks. The process relies on cryptographic signatures and certificate-based validation to confirm that a call has not been tampered with or spoofed.

When a call is initiated, the originating voice service provider uses a private key to create a digital signature tied to a certificate issued by a trusted certificate authority. This signature is embedded into the call signaling as part of an identity header, which travels with the call through the network.

The terminating provider retrieves the certificate and uses the corresponding public key to validate the signature before the call reaches the end user. This validation confirms that the calling number has been authenticated by a trusted source and that the data has not been altered in transit.

This process depends on:

  • Secure management of private keys and digital certificates
  • A registered certificate authority trusted by all participating providers
  • Consistent formatting of identity headers across implementations
  • Infrastructure that supports IP-based call signaling and validation

STIR/SHAKEN compliance requires that providers maintain systems capable of signing, validating and interpreting call data in real time. The effectiveness of this protocol relies on broad adoption and accurate implementation across the telecom ecosystem.

Legal & Regulatory Status

STIR/SHAKEN is not just a technical standard but a regulatory requirement in the United States. The Federal Communications Commission (FCC) has mandated its implementation for most voice service providers to help reduce spoofed calls and support call traceability.

Under the TRACED Act, signed into law in 2019, voice providers were given deadlines to implement STIR/SHAKEN protocols in IP-based networks. Non-facilities-based providers had until June 2022, while others were subject to earlier timelines. Providers must also register in the FCC’s Robocall Mitigation Database and submit a mitigation plan if they are unable to fully implement STIR/SHAKEN.

Key regulatory obligations include:

  • Signing and validating calls where technically feasible
  • Filing certifications with the FCC
  • Maintaining participation in traceback efforts

Providers that fail to comply risk removal from the Robocall Mitigation Database, which can lead to other carriers blocking their traffic. These rules apply to both originating and terminating providers and are intended to strengthen call authentication across the telecom sector.

STIR/SHAKEN compliance is a moving target as the FCC continues to refine its enforcement policies and extend rules to more segments of the telecommunications industry. Voice providers must monitor updates and maintain current documentation to avoid penalties and maintain service continuity.

The Future of STIR/SHAKEN

STIR/SHAKEN protocols continue to evolve as voice service providers, regulators and technology partners identify new challenges in stopping spoofed and unwanted calls. While current deployment focuses on IP-based networks within the United States, future efforts are expanding the scope and capabilities of the framework.

One key area of development is cross-border call authentication. International calls are often used in fraud campaigns, but most foreign carriers are not yet required to adopt STIR/SHAKEN. Industry groups and regulators are exploring standards for global call validation that could close this gap.

There is also growing interest in extending STIR/SHAKEN capabilities beyond voice, including potential applications in messaging and unified communications. As telecom traffic diversifies, there is pressure to apply similar call authentication principles to other services that carry identity information.

Expected areas of focus include:

  • Improved attestation accuracy
  • Wider adoption among smaller and rural carriers
  • Stronger enforcement for noncompliance
  • Collaboration with international telecom regulators

The future of STIR/SHAKEN depends on continued technical refinement, broader participation and policy alignment across networks and regions. For providers and telecom stakeholders, staying current on these updates will remain key to maintaining compliance and call integrity.

STIR/SHAKEN FAQs

How do providers obtain a STIR/SHAKEN certificate?

Voice service providers must obtain a STIR/SHAKEN certificate from a recognized certificate authority approved by the Secure Telephone Identity Governance Authority (STI-GA). To qualify, providers need to be listed in the Federal Communications Commission’s Robocall Mitigation Database and meet the governance criteria set by the STI-GA.

Once eligibility is confirmed, the provider submits a request to an approved certificate authority. The authority issues a certificate that allows the provider to sign outbound calls using the STIR/SHAKEN protocol. The certificate confirms that the provider is authorized to send authenticated calls across IP-based networks.

Can you tell if your phone has been spoofed?

Most users cannot directly tell if their phone number has been spoofed. Spoofing allows scammers to fake the caller ID so their calls appear to come from your number, often without triggering any alerts on your own device. You may only notice the issue if you start receiving unexpected callbacks or complaints about calls you did not make.

Carriers and call analytics platforms can sometimes detect unusual call activity or patterns that suggest spoofing. While individuals have limited visibility, businesses can use third-party call monitoring tools or contact their telecom provider for support if they suspect their number is being misused.

How do I know my phone is hacked?

Signs of a hacked phone usually show up as unusual behavior. You might see rapid battery drain, the device heating up when idle or unexpected pop-ups and apps you do not remember installing. Other hints include sudden spikes in data use, calls or texts in your log that you did not make and settings that change on their own.

If you suspect a compromise, start with a simple check. Review installed apps and remove anything unknown, update the operating system and run a mobile security scan. Change passwords for email, payroll and other work accounts from a trusted device and turn on multifactor authentication where available. If problems continue, back up needed files then reset the phone to factory settings and contact your telecom or IT support.

What are the attestation levels for STIR/SHAKEN?

STIR/SHAKEN uses three attestation levels to indicate how much the originating voice service provider knows about the caller and the phone number being used. These levels help other providers assess the trustworthiness of the call.

Full Attestation (A): The provider has a direct relationship with the caller and can confirm the caller is authorized to use the phone number.

Partial Attestation (B): The provider knows the caller but cannot verify that the caller is allowed to use the specific number.

Gateway Attestation (C): The provider is passing the call from another network and does not know the caller or the number.

These attestation levels are included in the identity header and are used during the call validation process to help reduce spoofed and unwanted calls.

X