by
GMS Team
Digital identity is entering a new phase. For years, SMS one-time passwords helped make mobile operators a trusted part of digital verification journeys. They offered scale, familiarity, and ease of use. But as fraud grows more sophisticated, and as enterprises demand stronger security with less friction, that model is starting to show its limits.
Today, the conversation is moving beyond OTP. This evolution is being driven by the introduction of standardised Network APIs such as Number Verification and SIM Swap. These APIs open up a new approach to trust, one built not only on possession of a phone number, but on real-time network intelligence, smoother user journeys, and more privacy-conscious product design.
.jpg?width=133&height=200&name=Elliot%20Rose%20(1).jpg)
Against this backdrop, in light of the Digital Identity Panel at GCCM & MMS 2026 in London, we sat together with Elliot Rose, Market Intelligence Manager at GMS, to explore questions shaping this transition, from silent authentication and AI-driven fraud to interoperability, behavioural signals, and the commercial realities of identity products.
Q: Many MNOs are already working on network APIs, but one of the key use cases we’re seeing them consistently experiment with first authentication, with things like Number Verification and SIM Swap. This seems to compete with their own A2P SMS businesses. Is this a case of trying to adjust to commercial realities? Or is there something else going on?
A: There is a clear move towards more secure authentication, especially among banks and financial services, where the balance between convenience and protection is critical. In these environments, SMS alone is no longer sufficient, so operators need to prioritise network APIs if they want to remain part of the authentication value chain.
At the same time, silent verification is not just a security upgrade. It also has the potential to offer a better user experience than some traditional alternatives, such as hardware tokens or more cumbersome multi-step checks. That said, success will depend on how well these services are designed around consent and the wider user journey. The goal is not simply to replace OTP, but to make verification both stronger and easier.
Q: The industry is already seeing more sophisticated fraud tactics, fuelled by GenAI and the increased ease of creating convincing synthetic identities. How can network APIs and MNOs more generally contribute to combatting this fraud?
A: Operators already hold a range of useful signals, but in many cases, those capabilities have yet to be turned into products that enterprises can easily consume. Network APIs offer a route forward here, either by exposing selected signals directly or by allowing operators to perform the analysis themselves and return a risk score instead.
What stands out is that much of this does not depend on the newest generation of AI. In practice, a lot of the underlying value comes from machine-learning methods that have been in use for years across telecom networks and risk-scoring environments. The real opportunity lies in turning that proven intelligence into scalable services that can help enterprises identify suspicious behaviour without adding unnecessary complexity.
Q: SMS is already used by many enterprises worldwide, both domestically and internationally. It’s a known quantity and an easy to use service. How do operators and their partners sell a new product to the enterprises? Is the increased security worth the price of a new integration?
A: SMS has retained its appeal for a reason: it is simple, predictable, and widely understood. That sense of familiarity matters. One of the advantages of standardisation efforts like the CAMARA initiative and GSMA’s Open Gateway is that they can help bring network APIs to a more consistent level of comfort. If enterprises are going to transition towards silent authentication, the technology needs to feel straightforward to adopt, integrate, and scale.
Whether silent authentication becomes a premium layer or a new baseline will depend largely on the enterprise and the use case. There is already interest in packages that offer greater assurance and higher security, particularly where the business value is obvious. In some journeys, stronger verification may become the expected default. In others, it may sit as a premium option for higher-risk moments.
Q: Every product developer wants to create “sticky” features that ensure their customers keep coming back, but enterprises need consistency across markets – particularly global players who will work across many markets. How do telecoms players balance consistent market access and predictable product performance against the desire to build their own unique value proposition that makes them stand out to potential customers?
A: Fortunately, stickiness is more of a concern for us providers. MNOs should be actively discouraged from creating products that diverge from those of their peers, since operators can only cover their own subscriber base and will need to federate. For the provider, stickiness is always part of the equation, but the balance may differ depending on the target market. Some providers may choose to bundle APIs into a broader proposition, while others may build dedicated identity offers around selected API combinations.
Our role will be to help MNOs package their network APIs into use case-focused, accessible services. Enterprises need consistency and broad reach, not fragmented implementations. That also means we need to consider the crucial role of enablement: helping operators deploy APIs more consistently across markets can reduce the risk of creating proprietary features that are harder to scale. It also means we can help smooth out any unevenness caused by legacy identity products or where one MNO has moved faster than the rest. CAMARA is particularly valuable here, both for operators adapting existing capabilities into compliant APIs and for those building from scratch, thanks to the standardised guidance and development support it provides.
Q: If we look beyond the telcos and their enterprise customers, it’s clear that there is growing awareness about the importance of privacy and data security among the general public and the regulators. For example GDPR in the EU or the PDPA in Malaysia. Yet operator network APIs are based on the idea of exposing network capabilities, including data insights on subscribers, to a wider audience. Can we build these signals without exposing violating people’s privacy or violating data minimisation principles?
A: Privacy by design has to come first. That is not just a regulatory requirement; it is a product principle. Many of the earliest network API use cases already reflect this, whether through zero-knowledge approaches or by using only the network data needed to support a specific outcome.
The key is to design APIs around the minimum information required for the use case, rather than allowing verifiers to probe for broader attributes and gradually construct a profile. If the goal is to confirm whether someone is over 18, for example, the product should answer that question directly without exposing additional personally identifiable information. Done properly, signal-rich verification and data minimisation need not be in conflict.
Q: What role do network APIs have in the broader digital identity ecosystem? We’re already seeing rollouts of digital identity wallets and eID frameworks, including the EU’s cross-border eIDAS initiative. Are network operators’ own efforts already redundant, based on legacy infrastructure? Or are they really capable of offering a reliable “root of trust” to ground identity assurance?
A: The answer is likely somewhere in the middle. Digital identity wallets will clearly play an important role, particularly in markets where national frameworks are gaining traction. But there will still be strong demand for interoperable, cross-market access to verified attributes, especially in international contexts where wallets may not be compatible or where enterprises do not want to integrate individually into multiple ecosystems. In that sense, APIs can offer a kind of universality that enterprises already value.
At the same time, wallets bring capabilities of their own, including the potential for more self-sovereign models and the ability to share certain documents directly. For this reason, it is unlikely to be a case of one replacing the other. More realistically, network APIs will become part of a wider identity chain. A SIM swap check, for instance, could help confirm that a wallet being moved to a new device reflects a legitimate user action rather than a fraudulent attempt to clone an identity.
Q: We’ve talked broadly about how network APIs relate to SMS, including the idea they may provide a premium, more secure solution. Is there a commercial justification for that? And what pricing or packaging models are we seeing emerge?
A: For now, operators continue to favour transactional, per-check pricing because it is familiar and commercially safe. But that approach is already becoming more nuanced. In some cases, especially when APIs such as SIM Swap and Number Verification are bundled, pricing is tied more closely to the verification event itself than to the raw number of API calls. That is where value becomes clearer, and where providers can better demonstrate their role.
The commercial logic also varies by use case. Banks are often willing to pay a small premium for more secure verification because the cost of fraud is both direct and visible. In other sectors, returns are more incremental. A call centre, for example, may use verification APIs not because of a specific breach risk, but because they reduce the time spent confirming the caller's identity. In both cases, the strongest model is one that links trust to measurable business outcomes.
Looking ahead
What becomes clear is that digital identity is no longer just about replacing one authentication method with another. Instead, it is becoming a broader trust framework, shaped by network intelligence, user experience, privacy safeguards, and cross-market interoperability.
For operators, this creates a timely opportunity. The assets are already there: trusted network relationships, valuable signals, and a growing standards-based ecosystem. The next step is turning those ingredients into products that are simple enough for enterprises to adopt, strong enough to improve security, and flexible enough to work across an increasingly complex identity landscape.
Now is the moment to act. Start exploring how network APIs can strengthen your digital identity strategy. Connect with industry leaders, evaluate your current authentication flows, and take the next step to build trust for the future of digital identity.
GMS Team