
How GSMA TS.43 Will Impact Mobile Identity Verification

For many years, identity verification has relied on a familiar but increasingly outdated method: the SMS one-time passcode (OTP). Whether logging into a bank account or confirming a transaction, users receive a code via text and enter it to prove who they are. It's never been elegant, but for many years it was adequate to meet a need.

But the nature of risk has changed. A lot. Regulators around the globe are phasing out SMS-based authentication for high-risk financial services because of concerns about fraud, SIM swaps, and phishing attacks. As a result, the industry has been looking for a stronger, more seamless way to verify identity.

The Business Case Behind the Standard

SMS OTP is a roughly $10 billion business for mobile network operators, but it's under pressure from every direction. An estimated 25% of that revenue is tied to fraudulent traffic, while legitimate enterprises are quietly migrating toward messaging apps, passkeys, network-based approaches, and cryptographic identity solutions. MNOs are losing ground on multiple fronts simultaneously.

GSMA TS.43 (Service Entitlement Configuration) is their answer. It’s a new standard designed to bring mobile authentication into the modern threat landscape. For the right implementations, it represents a genuine leap forward in both security and user experience.

But the business context matters for buyers. TS.43 is, at its core, a mechanism for MNOs to modernize and defend their authentication revenue. Companies evaluating it should expect pricing comparable to, or higher than, what they're currently paying for SMS OTP. That framing is worth keeping in mind when evaluating vendors and negotiating terms.

The Guessing Problem

Legacy mobile authentication – SMS OTP, IP-based network checks, network-based approaches like SNA – shares a fundamental flaw: it relies on inference. The goal is to infer that a user is legitimate based on indirect signals, like whether a phone number received a message or whether a device appears connected to a specific network. But signals can be spoofed, intercepted, or manipulated through SIM swaps, phishing, and malware.

TS.43 replaces inference with cryptographic proof tied directly to the SIM card. That's a fundamentally different architecture, and a much harder thing to fake.

How TS.43 Authentication Works

Instead of sending a one-time passcode and relying on the user to enter it correctly, TS.43 verifies identity through a secure interaction between the device, the SIM card, and the mobile carrier. The process works like this:

  1. Authentication is initiated: When a user attempts to log in or verify their identity, the application initiates an authentication request on the device.
  2. The device contacts the carrier's entitlement server: The device establishes a secure connection to the mobile carrier's entitlement server; it’s the same infrastructure carriers already use to manage services like Wi-Fi calling and device provisioning.
  3. The server issues a cryptographic challenge: The entitlement server sends a challenge to the device that must be answered by the SIM card itself.
  4. The SIM generates a cryptographic response: Inside the SIM card is a hardware-protected secret key that was embedded when the SIM was issued by the mobile operator. This key never leaves the SIM.

This approach builds on EAP-AKA (Extensible Authentication Protocol – Authentication and Key Agreement), the same protocol mobile networks have used for decades to securely connect devices to cellular infrastructure. Every time a phone attaches to an LTE or 5G network, EAP-AKA performs a similar challenge-response exchange between the SIM and the carrier's authentication servers. TS.43 extends that trusted mechanism to digital identity verification.
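The challenge-response pattern described above, as an added example (not code from Prove, the GSMA or any carrier). It is a simplified sketch of the AKA idea: HMAC-SHA256 stands in for the real MILENAGE/TUAK functions, sequence-number concealment and session-key derivation are omitted, and the `Sim` and `Operator` classes, the IMSI and the keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def f(key: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in for the AKA f-functions; real SIMs use MILENAGE or TUAK, not HMAC.
    return hmac.new(key, label + data, hashlib.sha256).digest()

class Sim:
    """Holds K and answers challenges; K is never returned to the caller."""
    def __init__(self, k: bytes):
        self._k, self._last_sqn = k, 0
    def authenticate(self, rand: bytes, sqn: int, mac: bytes):
        if not hmac.compare_digest(mac, f(self._k, b"MAC", rand + sqn.to_bytes(6, "big"))):
            return None                      # challenge was not built with this SIM's K
        if sqn <= self._last_sqn:
            return None                      # stale sequence number: replayed challenge
        self._last_sqn = sqn
        return f(self._k, b"RES", rand)[:8]  # RES, the only value that leaves the SIM

class Operator:
    """Entitlement server plus the operator's key store, collapsed into one class."""
    def __init__(self):
        self._subs, self._pending = {}, {}
    def provision(self, imsi: str, k: bytes):
        self._subs[imsi] = {"k": k, "sqn": 0}
    def challenge(self, imsi: str):
        sub = self._subs[imsi]
        sub["sqn"] += 1
        rand = secrets.token_bytes(16)
        mac = f(sub["k"], b"MAC", rand + sub["sqn"].to_bytes(6, "big"))
        self._pending[imsi] = f(sub["k"], b"RES", rand)[:8]   # XRES stays server-side
        return rand, sub["sqn"], mac
    def verify(self, imsi: str, res) -> bool:
        xres = self._pending.pop(imsi, None)  # one attempt per challenge
        return bool(res) and xres is not None and hmac.compare_digest(res, xres)

def run_demo() -> dict:
    imsi, k = "001010000000001", secrets.token_bytes(16)   # constructed test values
    op, sim, other = Operator(), Sim(k), Sim(secrets.token_bytes(16))
    op.provision(imsi, k)
    ch = op.challenge(imsi)
    ok = op.verify(imsi, sim.authenticate(*ch))
    replayed = sim.authenticate(*ch)                        # same challenge presented again
    wrong_key = op.verify(imsi, other.authenticate(*op.challenge(imsi)))
    return {"genuine": ok, "replay_res": replayed, "wrong_key": wrong_key}

if __name__ == "__main__":
    print(run_demo())
```

Unlike an OTP, nothing the user could read out or type crosses the channel: the response is only valid for one fresh challenge and can only be computed by hardware holding K.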

Because authentication occurs at the signaling layer between the SIM and the carrier, it operates independently of the user's internet connection. Cellular data, home Wi-Fi, a café hotspot, enterprise Wi-Fi, satellite internet – the authentication process works the same regardless.

Eliminating the "Wi-Fi Blind Spot"

This is one of the most significant improvements TS.43 offers over legacy silent authentication. Traditional network-based verification breaks down the moment a user is on Wi-Fi – because it relies on IP addresses and network signals that only reflect carrier connectivity. TS.43 doesn't. Verification is tied to the SIM card's cryptographic identity, which is embedded in the device hardware and has nothing to do with how the device connects to the internet.

The result is authentication that is:

  • Low-friction – minimizes or eliminates the need for manual code entry
  • Secure – resistant to phishing and interception
  • Hardware-backed – rooted in the SIM itself
  • Universal – works regardless of network transport

How Prove is Building the Future of Digital Identity With a Smarter Path Forward

Prove treats TS.43 not as a destination, but as a foundation: one powerful signal in a persistent identity model that's designed to outlast any single authentication method.

Prove is integrating the TS.43 network coverage signal into its platform and using it to help establish the Prove Key: a cryptographic, device-bound credential that enables persistent, high-assurance authentication without repeated challenges. In this model, TS.43 (alongside OTP when needed) serves as a way to initially verify the user and securely bind their identity to the device. Once that trusted credential is established, customers can move away from repeated reliance on costly, one-time authentication methods altogether.

The outcome is a stronger security model with meaningfully better economics:

  • Fewer user challenges after initial verification
  • Reduced dependency on SMS OTP and carrier-based transactions
  • Improved unit economics through a single, integrated vendor approach
  • Higher-assurance authentication tied directly to the device


The companies that will benefit most from TS.43 won't be the ones that simply swap SMS OTP for another carrier-based transaction. They'll be the ones that treat it as the starting point for something more durable – a persistent, cryptographic identity layer that doesn't have to ask the same question twice.

The digital economy runs on trust. TS.43 makes that trust harder to fake. How you build on top of it determines how far it takes you.
