Why We Built Calling Into LastID

We didn't plan to build a dialer

When we started LastID, calling wasn't on the roadmap. We were focused on identity verification for digital channels. Messaging, authentication, service desk workflows.

Then we started talking to CISOs, IT leaders, and operations teams. The same question kept coming up: what about phone calls?

Not help desk calls. Not IVR flows. Regular, everyday business calls. The kind that happen a hundred times a day at every company on the planet.

Your phone is your most-used work tool

Think about your actual workday. Your CEO calls your CFO to approve a wire transfer. A board member calls the general counsel about a sensitive matter. A vendor calls procurement to change payment details. A partner calls your team lead to discuss contract terms.

Every one of those calls happens on a mobile phone. And every one of those calls relies on the same trust model: caller ID and the sound of someone's voice.

That's it. That's the entire security layer.

Caller ID is trivially spoofable. Voice is increasingly cloneable. And yet we make critical business decisions on these calls every single day without a second thought.

The workarounds people are using should tell you everything

The fact that this is a real problem isn't theoretical. Look at what people are actually doing about it.

Families are establishing code words to verify that the person calling them is real. The Wall Street Journal ran a piece titled "Why Every Family Needs a Code Word" because AI voice cloning has gotten so convincing that parents can't tell if it's actually their kid on the phone. The FTC has warned consumers that scammers need as little as three seconds of audio to clone a voice with 85% accuracy.

Now bring that into the enterprise. Executives are sharing one-time passwords over iMessage family plans to verify wire transfer requests. CFOs are texting CEOs on a side channel to confirm that the call they just got was legitimate. Security teams are telling employees to hang up and call back on a known number, which does nothing if the attacker has spoofed that number too.

These are duct-tape solutions to a structural problem: there is no identity layer on voice calls.

The numbers back it up

According to a 2025 Gartner survey of 302 cybersecurity leaders, 62% of organizations experienced a deepfake-related attack involving social engineering in the past year. Gartner also predicts that by 2028, 40% of social engineering attacks will target executives and the broader workforce alike.

The financial impact is real. Businesses lost an average of $500,000 per deepfake incident in 2024. Deepfake-enabled CEO fraud now targets at least 400 companies daily. And 80% of companies still have no established protocol for handling deepfake-based attacks.

Voice cloning activity surged 680% in 2024. Q1 2025 alone saw more deepfake incidents than all of the prior year. 70% of people say they can't distinguish a real voice from a cloned one. This isn't a future problem. It's today.

We got asked to solve the whole problem

The teams we talked to weren't looking for a point solution. They didn't want identity verification bolted onto one channel while the rest stayed wide open. They wanted to know: can you verify identity everywhere it matters?

And calling is where it matters most. Not because it's the most sophisticated attack vector, but because it's the most human one. We trust voices. We trust phone numbers. We trust that the person who called us from a number we recognize is who we think they are.

That trust is the vulnerability.

Every calling tool treats identity as someone else's problem

Zoom doesn't verify who's on the call. Teams doesn't. FaceTime doesn't. Your carrier certainly doesn't. These tools authenticate accounts, not people. Knowing someone logged into a Teams account tells you nothing about who's actually speaking.

This isn't a criticism. These platforms were built to connect people, not to verify them. Identity was never their job.

But it is ours. And once we accepted that phone calls are the most common unverified interaction in business, building calling into LastID stopped being optional.

Challenge-response works for approvals. Calls need something different.

We already had a challenge-response protocol that works well for transactional moments like approvals and sign-offs. But a phone call isn't a transaction. It's a conversation. It has a lifetime. You can't ask someone to re-authenticate every 30 seconds while they're talking through a deal or walking through a sensitive topic.

So we built continuous verification. Identity is checked when the call connects and continuously validated throughout the session, invisibly, without friction. There's no pop-up, no interruption, no "please re-verify." The cryptographic proof stays live for the duration of the call. If something changes, the session reflects it immediately.

This was a hard problem. Most identity systems are built around discrete moments: login, approve, sign. We had to build one that works across time, in the background, without getting in the way of actual conversation.

No phone number required. Trust comes first.

We made a deliberate decision: LastID doesn't bind to a phone number. You don't dial digits. You can't just call anyone.

You can only call or message people you've exchanged trust with, either directly or through your enterprise. Public keys aren't available to the world. Access to someone's identity is gated through the trust relationship. If you haven't established that trust, you can't reach them.

This flips the model. Traditional calling is open by default: anyone with your number can call you. LastID is closed by default: only verified, trusted parties can connect. That eliminates entire categories of attack before they start. No robocalls, no spoofed numbers, no cold-call social engineering.

For enterprises, this means your employees are only reachable by people the organization has explicitly trusted. For individuals, it means the only calls you get are from people you actually know are real.

Not just calling. Messaging, audio, video, all verified.

Once we committed to solving the whole problem, calling was just the start. We built messaging, audio calls, video calls, group conversations, and direct messages. All of it identity-verified. All of it inside LastID.

Every channel uses the same verified identity credential. Whether you're sending a message, jumping on a video call, or dialing someone directly, the person on the other end is proven to be who they say they are. There's no mode where identity drops out.

End-to-end encrypted with MLS

We didn't just add verification on top of an unencrypted pipe. Every call, every message, every video session in LastID is end-to-end encrypted using MLS (Messaging Layer Security). That covers audio calls, video calls, group conversations, and direct messages.

MLS means the encryption scales to groups without compromising on security. It's the same protocol being adopted across the industry for secure group messaging, and we use it for everything. Not just chat. Calls too.

So you get two things no other platform gives you together: verified identity on both ends, and end-to-end encryption for the entire conversation. You know who you're talking to, and nobody else is listening.

This is about how we actually work

We didn't build communications for a specific department or use case. We built it because phone calls, messages, and video are how business gets done, and nobody was verifying any of it.

Every company has calling. Every employee uses their phone for work. And right now, every one of those interactions is unverified and often unencrypted.

We were asked to solve the whole problem. So we built the whole solution: identity-verified, end-to-end encrypted messaging, audio, and video. All in one place.