CallTrust: A federated system for call authentication in telephony networks / Buccafurri, F., De Angelis, V., Lazzaro, S., Licciardi, C. - In: JOURNAL OF INFORMATION SECURITY AND APPLICATIONS. - ISSN 2214-2134. - 97 (2026). [10.1016/j.jisa.2025.104365]
CallTrust: A federated system for call authentication in telephony networks
Buccafurri F.; De Angelis V.; Lazzaro S.; Licciardi C.
2026-01-01
Abstract
Voice phishing (vishing) remains a critical security threat in telephone communications, where users cannot reliably authenticate calling parties. Despite technical efforts like STIR/SHAKEN, traditional telephony still lacks application-layer mechanisms to detect spoofed or hijacked calls. In this paper, we present CallTrust, a novel, deployable, and infrastructure-agnostic solution that enables real-time verification of incoming and outgoing calls between users and Certified Services, i.e., trusted entities publicly certified to own specific phone numbers. Our protocol operates entirely at the application layer and leverages time-slotted, privacy-preserving credentials published by Certified Services to detect spoofed or hijacked calls. We detail the protocol design and show that it satisfies the intended security properties. To demonstrate the practical relevance of our approach, we propose a federated design that enables cross-realm (i.e., cross-border) adoption. As a concrete example, we apply it to the European eIDAS framework by extending Qualified Website Authentication Certificates (QWACs) to support the binding of telephone numbers to legally recognized entities. Through a mobile-based proof-of-concept implementation, we show that call authentication can be completed in under two seconds, thus providing users with timely warnings before engaging with potential phone scammers. Experimental results confirm the practicality of our approach, offering a viable path toward securing telephony communication against impersonation-based threats.
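The abstract describes credentials that are time-slotted and bound to a certified phone number, but gives no message formats, slot length, distribution channel, or privacy mechanism. The following is an added illustration of that general idea only; it is not the CallTrust protocol and does not reproduce the paper's design. Everything in it is an assumption: the 30-second slot, the signed string layout, the `Directory` map standing in for the certificate-backed binding of a number to a key (an extended QWAC in the paper's eIDAS instance), the constructed phone numbers, and the one-slot skew tolerance. It shows why binding a credential to a slot defeats replay of a captured credential, and why a spoofed caller ID fails verification when the directory key, not the caller's claim, decides which signature is acceptable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Assumed slot length. The abstract does not state CallTrust's slot size.
const slotSeconds = 30

// Credential is what a Certified Service publishes for a time slot in which
// it places calls from Number. The format is an assumption for this example.
type Credential struct {
	Number string
	Slot   uint64
	Sig    []byte
}

// Directory stands in for the certified binding of a phone number to the
// service's public key (in the paper's eIDAS instance, an extended QWAC).
type Directory map[string]ed25519.PublicKey

var (
	ErrNumberMismatch = errors.New("credential number differs from caller ID")
	ErrUnknownNumber  = errors.New("caller ID has no certified key")
	ErrBadSignature   = errors.New("credential signature does not verify")
	ErrStaleSlot      = errors.New("credential slot outside current window")
)

// slotOf maps a wall-clock time to its slot index.
func slotOf(t time.Time) uint64 { return uint64(t.Unix()) / slotSeconds }

// message is the signed byte string: a fixed domain tag, the number, and the
// slot index, so a credential cannot be reused for another number or slot.
func message(number string, slot uint64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, slot)
	return append([]byte("calltrust-demo|"+number+"|"), buf...)
}

// NewService creates a key pair for a service and a directory entry for it.
func NewService(number string) (Directory, ed25519.PrivateKey, error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return Directory{number: pk}, sk, nil
}

// Issue is the service side: sign (number, slot) for a slot in which it calls.
func Issue(sk ed25519.PrivateKey, number string, slot uint64) Credential {
	return Credential{Number: number, Slot: slot, Sig: ed25519.Sign(sk, message(number, slot))}
}

// Verify is the callee side: the app sees callerID on an incoming call, fetches
// the published credential, and accepts it only if it is signed by the key
// certified for that number and its slot is within one slot of now. The
// tolerance absorbs clock skew and publication delay; widening it keeps a
// captured credential replayable for longer.
func Verify(dir Directory, callerID string, c Credential, now time.Time) error {
	if c.Number != callerID {
		return ErrNumberMismatch
	}
	pk, ok := dir[callerID]
	if !ok {
		return ErrUnknownNumber
	}
	if !ed25519.Verify(pk, message(c.Number, c.Slot), c.Sig) {
		return ErrBadSignature
	}
	cur := slotOf(now)
	if c.Slot+1 < cur || c.Slot > cur+1 {
		return ErrStaleSlot
	}
	return nil
}

func main() {
	const bank = "+15550100123" // constructed number for the demo
	dir, sk, err := NewService(bank)
	if err != nil {
		panic(err)
	}
	now := time.Now()

	// Genuine call: credential for the current slot, signed by the certified key.
	fmt.Println("genuine:", Verify(dir, bank, Issue(sk, bank, slotOf(now)), now))

	// Replay: a credential captured five slots ago is rejected.
	fmt.Println("replay: ", Verify(dir, bank, Issue(sk, bank, slotOf(now)-5), now))

	// Spoofed caller ID: the attacker signs with their own key; the directory key rejects it.
	_, atkSK, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("spoofed:", Verify(dir, bank, Issue(atkSK, bank, slotOf(now)), now))
}
```

Two points a practitioner should take from the example rather than from the abstract. First, an unknown caller ID yields `ErrUnknownNumber`, not a pass: the app can only say "unverified", which is the correct outcome for numbers outside the federation. Second, the scheme above has no privacy mechanism at all; a published `(number, slot)` credential reveals when the service is calling, and the abstract's "privacy-preserving" property is something the paper addresses in a way this illustration does not attempt.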