STIR/SHAKEN is a call authentication framework that verifies caller identity to combat spoofed robocalls on IP-based phone networks. It helps service providers confirm that a call is coming from the number shown on caller ID.
STIR stands for Secure Telephony Identity Revisited and defines the standards for verifying call signatures. SHAKEN, or Signature-based Handling of Asserted Information Using toKENs, outlines how service providers apply these standards within their networks. Together, they support compliance with FCC rules requiring most U.S. carriers to implement this protocol across their systems. STIR/SHAKEN compliance improves call legitimacy and makes it easier to identify fraudulent traffic.
Telecommunications networks saw a sharp rise in scam and spam calls using spoofed telephone numbers. This increase disrupted businesses, overwhelmed call centers and compromised PBX systems. Without a consistent way to verify the calling party, voice service providers had limited tools to stop suspicious calls or trace their origination.
Legacy PSTN and VoIP systems were not built to support caller ID authentication across networks. Providers could not reliably identify the true call source or determine if a calling number was legitimate. The Federal Communications Commission responded with mandates under the TRACED Act, requiring providers to adopt a framework that could reduce unwanted robocalls and support call blocking efforts.
The STIR/SHAKEN framework was developed by the Internet Engineering Task Force (IETF) and ATIS to close this technical gap. It introduced a standardized way for providers to validate phone calls using digital certificates issued by a certificate authority.
Instead of relying on the phone number alone, calls now include an identity header that helps confirm the source. Based on how much information the provider can confirm, calls receive full attestation, partial attestation or gateway attestation.
Key outcomes of implementing the STIR/SHAKEN protocols include:
The framework supports both IP-based and traditional voice services and is tied to compliance with the FCC's robocall mitigation database, making it a key step in improving trust across telecom networks.
STIR/SHAKEN works by using public key infrastructure to verify the identity of callers as a call travels through interconnected IP-based networks. The process relies on cryptographic signatures and certificate-based validation to confirm that a call has not been tampered with or spoofed.
When a call is initiated, the originating voice service provider uses a private key to create a digital signature tied to a certificate issued by a trusted certificate authority. This signature is embedded into the call signaling as part of an identity header, which travels with the call through the network.
The terminating provider retrieves the certificate and uses the corresponding public key to validate the signature before the call reaches the end user. This validation confirms that the calling number has been authenticated by a trusted source and that the data has not been altered in transit.
This process depends on:
STIR/SHAKEN compliance requires that providers maintain systems capable of signing, validating and interpreting call data in real time. The effectiveness of this protocol relies on broad adoption and accurate implementation across the telecom ecosystem.
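The signing and validation steps described above, as an added Node.js example (not code from the original page or from any provider's implementation). It assumes the standard PASSporT layout (ES256, `ppt: shaken`, attestation levels A, B and C for full, partial and gateway), a 60-second freshness window chosen as verifier policy, and constructed phone numbers, `origid` and certificate URL. A freshly generated key pair stands in for the certificate a real verifier would fetch from `x5u` and validate against its trusted certificate authorities.

```javascript
// Added example: sign and verify a SHAKEN PASSporT with Node's built-in crypto.
const nodeCrypto = require('node:crypto');
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString());
const es256 = (key) => ({ key, dsaEncoding: 'ieee-p1363' }); // raw r||s, as JWS uses

// Originating provider: sign "header.payload" with its private key.
function signPassport(privateKey, claims, x5u) {
  const input = `${enc({ alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u })}.${enc(claims)}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), es256(privateKey));
  return `${input}.${sig.toString('base64url')}`;
}

// Terminating provider: validate before the call reaches the end user.
// fromTn is the caller ID taken from the call signaling; now is Unix seconds.
function verifyPassport(token, publicKey, fromTn, now, maxAgeSec = 60) {
  const [h, p, s, extra] = token.split('.');
  if (!h || !p || !s || extra !== undefined) return { ok: false, reason: 'malformed' };
  let header, claims, sigOk;
  try {
    header = dec(h); claims = dec(p);
    // Always verify as ES256; the token never chooses its own algorithm.
    sigOk = nodeCrypto.verify('sha256', Buffer.from(`${h}.${p}`), es256(publicKey),
      Buffer.from(s, 'base64url'));
  } catch { return { ok: false, reason: 'malformed' }; }
  if (header?.alg !== 'ES256' || header?.ppt !== 'shaken') return { ok: false, reason: 'bad-header' };
  if (!sigOk) return { ok: false, reason: 'bad-signature' };
  if (typeof claims?.iat !== 'number' || Math.abs(now - claims.iat) > maxAgeSec)
    return { ok: false, reason: 'stale' }; // blocks replay of an old token
  if (claims.orig?.tn !== fromTn) return { ok: false, reason: 'tn-mismatch' };
  if (!['A', 'B', 'C'].includes(claims.attest)) return { ok: false, reason: 'bad-attest' };
  return { ok: true, attest: claims.attest };
}

function demo() {
  const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const now = 1700000000; // constructed timestamp; all values below are constructed
  const claims = { attest: 'A', dest: { tn: ['12025550199'] }, iat: now,
    orig: { tn: '12025550123' }, origid: '123e4567-e89b-12d3-a456-426614174000' };
  const token = signPassport(privateKey, claims, 'https://sti-cert.example/cert.pem');
  const [h, , s] = token.split('.');
  const forged = `${h}.${enc({ ...claims, orig: { tn: '12025550100' } })}.${s}`;
  return {
    genuine: verifyPassport(token, publicKey, '12025550123', now + 2),
    spoofedFrom: verifyPassport(token, publicKey, '12025550100', now + 2),
    tampered: verifyPassport(forged, publicKey, '12025550100', now + 2),
    replayed: verifyPassport(token, publicKey, '12025550123', now + 3600),
  };
}
console.log(demo());
```

Only the genuine call passes: a token reused with a different caller ID, a payload altered after signing and a token replayed an hour later are each rejected with a distinct reason that can be logged for traceback.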
STIR/SHAKEN is not just a technical standard but a regulatory requirement in the United States. The Federal Communications Commission (FCC) has mandated its implementation for most voice service providers to help reduce spoofed calls and support call traceability.
Under the TRACED Act, signed into law in 2019, voice providers were given deadlines to implement STIR/SHAKEN protocols in IP-based networks. Non-facilities-based providers had until June 2022, while others were subject to earlier timelines. Providers must also register in the FCC’s Robocall Mitigation Database and submit a mitigation plan if they are unable to fully implement STIR/SHAKEN.
Key regulatory obligations include:
Providers that fail to comply risk removal from the Robocall Mitigation Database, which can lead to other carriers blocking their traffic. These rules apply to both originating and terminating providers and are intended to strengthen call authentication across the telecom sector.
STIR/SHAKEN compliance is a moving target as the FCC continues to refine its enforcement policies and extend rules to more segments of the telecommunications industry. Voice providers must monitor updates and maintain current documentation to avoid penalties and maintain service continuity.
STIR/SHAKEN protocols continue to evolve as voice service providers, regulators and technology partners identify new challenges in stopping spoofed and unwanted calls. While current deployment focuses on IP-based networks within the United States, future efforts are expanding the scope and capabilities of the framework.
One key area of development is cross-border call authentication. International calls are often used in fraud campaigns, but most foreign carriers are not yet required to adopt STIR/SHAKEN. Industry groups and regulators are exploring standards for global call validation that could close this gap.
There is also growing interest in extending STIR/SHAKEN capabilities beyond voice, including potential applications in messaging and unified communications. As telecom traffic diversifies, there is pressure to apply similar call authentication principles to other services that carry identity information.
Expected areas of focus include:
The future of STIR/SHAKEN depends on continued technical refinement, broader participation and policy alignment across networks and regions. For providers and telecom stakeholders, staying current on these updates will remain key to maintaining compliance and call integrity.