STIR/SHAKEN Call Authentication
STIR/SHAKEN is the caller-ID authentication framework for signed telephone-number claims in IP voice networks. It helps verify where a call number claim came from, but it does not prove the voice is human, truthful, consensual, or authorized.
Definition
STIR/SHAKEN is a caller-ID authentication framework used by voice service providers to sign and verify claims about the telephone number presented with a call. STIR, Secure Telephone Identity Revisited, is the IETF protocol family. RFC 8224 defines SIP Identity, RFC 8225 defines PASSporT, and RFC 8588 defines the SHAKEN PASSporT extension for attestation and origination identifiers.
SHAKEN, Signature-based Handling of Asserted information using toKENs, is the ATIS/SIP Forum deployment framework for applying Secure Telephone Identity technologies in IP service-provider voice networks. In plain terms, it is a receipt for a caller-ID claim as a call moves across participating networks.
Current Context
In the United States, the Federal Communications Commission's 2020 caller-ID authentication order mandated STIR/SHAKEN implementation in the IP portions of voice-service-provider networks by June 30, 2021, implementing direction from the TRACED Act. The FCC also noted that the SIP-based framework cannot directly authenticate non-IP network segments.
AI voice systems make the boundary more important. The FCC's February 8, 2024 Declaratory Ruling confirmed that TCPA restrictions on artificial or prerecorded voice encompass current AI technologies that generate human voices and generally require prior express consent unless an emergency purpose or exemption applies. As of June 25, 2026, STIR/SHAKEN is one evidence layer, not a detector for Synthetic Media and Deepfakes.
How It Works
An originating service provider creates a PASSporT object containing call-related claims such as the originating telephone number, destination, issuance time, and SHAKEN-specific fields. The provider signs the token with credentials that downstream systems can check. In SIP call setup, the signature and credential reference travel through the Identity header defined by RFC 8224. A terminating provider can verify the signature, inspect the attestation value, and use the result in analytics, call labeling, blocking, or traceback.
Attestation Levels
RFC 8588 defines a SHAKEN attestation claim with three values. "A" is full attestation, where the provider can fully attest to the calling identity. "B" is partial attestation, where the provider originated the call but cannot fully attest to the calling identity. "C" is gateway attestation, the lowest level, used when a provider receives a call from a telephone gateway that does not support PASSporT or Secure Telephone Identity.
Those levels are not grades for the audio. A full-attestation robocall can still be unwanted, unlawful, deceptive, or generated by AI. A gateway-attestation call can still be legitimate. The value is forensic: it says how much the network path can vouch for the number claim.
Governance Use
For AI voice fraud, campaign calls, call-center authentication, and institutional phone agents, STIR/SHAKEN should be recorded as structured incident evidence:
- Call-path evidence: originating provider, terminating provider, attestation level, certificate result, and Identity header status.
- Traceback support: origination identifier, upstream gateways, timing, customer account class, and provider contact path.
- Content layer: recording status, transcript status, synthetic-audio analysis, disclosure, consent, and sponsor claim.
- Action layer: user warning, blocking decision, fraud report, correction, escalation, or referral.
Agent Context
AI receptionists, bank assistants, medical schedulers, sales agents, and browser-connected voice agents should keep caller-ID authentication separate from authority. A verified number claim is not authorization to reset an account, disclose protected information, move money, change a shipment, or accept a political instruction.
Outbound AI callers need consent records, sponsor identity, callback routes, opt-out handling, and initiation logs. Inbound agents should treat STIR/SHAKEN as one input beside speaker verification, account authentication, liveness or synthetic-audio checks, risk scoring, and human escalation.
Limits
STIR/SHAKEN does not solve robocalls by itself. It cannot prove consent, purpose, truth, speaker identity, human presence, or organizational authority. It does not prevent fraud from a real number, a compromised account, a negligent provider, a consent farm, or a weak gateway.
The framework works best where call setup is SIP-based and participating providers preserve authentication information. Mixed IP and legacy paths, international gateways, enterprise PBX arrangements, forwarding, number leasing, and poor certificate governance can all complicate interpretation. Treat absence of authentication as a risk signal, not automatic guilt.
Source Discipline
Use primary documents and name the layer. RFC 8224 is SIP Identity. RFC 8225 is PASSporT. RFC 8226 is the certificate framework. RFC 8588 is the SHAKEN PASSporT extension. ATIS-1000074 is the deployment framework. FCC orders govern U.S. implementation, compliance, and TCPA interpretation; they do not certify synthetic-audio detectors or call-center products.
Spiralist Reading
Spiralism reads STIR/SHAKEN as a modest proof boundary. A signed caller-ID path can help establish where a signal entered the phone system. It must not be mistaken for the whole person, the whole institution, or the whole truth of the call.
Related Pages
- Synthetic Media and Deepfakes
- Digital Identity
- AI Agent Identity
- Synthetic Identity Fraud
- Election Integrity and AI
- Content Provenance and Watermarking
- AI Incident Reporting
- The Voiceprint Becomes the Password
- The Synthetic Voice Enters the Ballot
Sources
- IETF, RFC 8224: Authenticated Identity Management in the Session Initiation Protocol (SIP), February 2018.
- IETF, RFC 8225: PASSporT: Personal Assertion Token, February 2018.
- IETF, RFC 8226: Secure Telephone Identity Credentials: Certificates, February 2018.
- IETF, RFC 8588: Personal Assertion Token (PaSSporT) Extension for Signature-based Handling of Asserted information using toKENs (SHAKEN), May 2019.
- ATIS, Signature-Based Handling of Asserted Information Using toKENs (SHAKEN) (ATIS-1000074-E).
- Federal Communications Commission, First Caller ID Authentication Report and Order and Further Notice of Proposed Rulemaking, FCC 20-42, March 31, 2020.
- Federal Communications Commission, Declaratory Ruling, FCC 24-17, Implications of Artificial Intelligence Technologies on Protecting Consumers from Unwanted Robocalls and Robotexts, February 8, 2024.