As robocallers become increasingly sophisticated, the telecommunications industry continues to evolve in response. At the heart of these efforts is STIR/SHAKEN—a framework designed to authenticate caller identity and restore trust in voice communication. A critical but sometimes misunderstood part of this framework is the use of third-party authentication. With the FCC’s Eighth Report and Order released in 2024, new rules now clarify how and when third-party authentication is allowed, raising the bar for compliance across the industry.
What Is Third-Party Authentication?
In the context of STIR/SHAKEN, third-party authentication refers to the practice of a voice service provider outsourcing the process of signing outbound calls to another entity. Instead of directly signing the call using their own credentials and authentication infrastructure, the originating provider contracts a third party to perform this function on their behalf.
The third party is responsible for validating the caller’s identity and assigning an appropriate attestation level. An A-level (Full Attestation) means the caller is known to the provider and is authorized to use the number; a B-level (Partial Attestation) indicates the caller is known, but the provider cannot confirm ownership of the number; and a C-level (Gateway Attestation) is applied when the provider cannot verify either the caller or the number being used. These levels are essential in communicating trust in the identity of the caller across the telecom network.
Third-party authentication has been especially useful for smaller providers or those lacking the resources to deploy their own Public Key Infrastructure (PKI) required to fully implement STIR/SHAKEN. These providers often turned to trusted vendors who offered authentication-as-a-service, enabling them to meet basic regulatory requirements with minimal upfront investment.
What the FCC Now Requires
The FCC’s Eighth Report and Order establishes stricter guidelines around third-party authentication, emphasizing accountability and transparency. It does not prohibit the practice, but it makes the responsibilities of the originating provider crystal clear. According to the updated rules:
- The originating service provider retains full legal and regulatory responsibility for all signed calls, even if another entity performs the signing.
- Providers must ensure their third-party vendors comply with all aspects of the STIR/SHAKEN framework, including proper use of credentials, certificate management, and attestation policies.
- Providers must be able to produce documentation and demonstrate compliance upon FCC inquiry or audit.
This represents a significant change in tone. Previously, providers could operate under the assumption that the third party carried shared or primary responsibility for authentication. Now, the burden is squarely on the shoulders of the originating provider.
Why the Change Matters
Previously, a lack of clearly defined responsibilities allowed some providers to rely too heavily on their third-party partners—often without adequate vetting or oversight. In some cases, bad actors exploited the system by enlisting third parties that would sign unauthenticated or spoofed calls, undermining the very purpose of STIR/SHAKEN.
These gaps in accountability created a ripple effect. When illegitimate calls were signed and passed along as “verified,” downstream carriers and call recipients had little reason to question the caller ID. As a result, spoofing continued despite broad adoption of STIR/SHAKEN, eroding consumer trust and leading to pressure on regulators to intervene more forcefully.
By holding originating providers accountable regardless of delegation, the FCC is sending a clear message: call authentication must be governed with integrity, not just implemented for show. Trust in the voice network depends on every provider ensuring that authentication is carried out responsibly.
What It Means for Voice Providers
Voice providers that rely on third-party authentication must now take a much more hands-on approach to managing those relationships. This begins with reviewing and updating vendor agreements to ensure they include compliance clauses aligned with the FCC’s guidance. Providers need to go beyond contractual language and implement practical oversight mechanisms.
Auditing third-party processes becomes essential to verify that calls are being properly authenticated and signed. This includes regular checks on how attestation levels are being assigned and whether the third party is maintaining compliance with STIR/SHAKEN protocols. Providers must also maintain thorough internal documentation that tracks attestation decisions, outlines authentication workflows, and logs vendor performance.
In addition, internal teams should be trained to understand the evolving regulatory landscape, what to monitor in third-party operations, and how to respond to potential compliance issues. Empowering staff with this knowledge strengthens organizational resilience and ensures that providers are not blindsided by enforcement actions or operational disruptions.
For some, this may involve transitioning to in-house authentication solutions to maintain tighter control. For others, it will require deeper collaboration with third-party partners, including SLAs (Service Level Agreements) that reflect the new compliance environment.
Ultimately, the changes are about shifting from a compliance mindset that’s checkbox-driven to one that prioritizes transparency and trustworthiness in voice traffic.
The Bigger Picture
Third-party authentication has played an important role in helping the industry scale STIR/SHAKEN adoption. Without it, many smaller providers would have struggled to meet initial rollout deadlines or manage the technical demands of implementation. In that sense, third-party services helped democratize access to compliance.
However, as the regulatory landscape evolves, so too must the standards. The Eighth Report and Order is part of a broader FCC strategy to refine and mature the STIR/SHAKEN ecosystem. Future guidance may further limit or regulate third-party authentication, especially if misuse persists.
The message is clear: authentication is not just a technical step—it’s a statement of trust. Providers who issue or rely on digital signatures are vouching for the legitimacy of their traffic. Whether signing calls directly or via a third party, the responsibility remains the same.
How Klearcom Supports Compliance and Visibility
At Klearcom, we support voice service providers and enterprises in navigating evolving STIR/SHAKEN requirements with confidence. Our monitoring and testing solutions are designed to help you identify vulnerabilities, ensure accurate call authentication, and maintain strong oversight of your voice infrastructure.
By giving providers the tools to proactively address compliance issues, Klearcom helps mitigate regulatory risks and reduce the likelihood of enforcement penalties or service disruptions. Whether you're overseeing in-house signing or managing third-party partnerships, Klearcom enables greater transparency, resilience, and peace of mind.
Reach out to Klearcom to explore how we help organizations meet evolving voice regulations and reduce compliance risk.
