From ring-cut to A2P Flash calls. Will voice shortcut SMS for two-factor authentication?

What is the total value of the market for SMS one-time passcodes?

It’s not easy to calculate the answer, but we can take an educated guess.

According to Mobilesquared, the A2P SMS messaging market was worth $19.74 billion in 2020. It says 2.02 trillion A2P SMS messages were sent in 2020.

And Mobilesquared has indicated that one-time passcodes represent the biggest chunk of this activity. It says they comprise 20 percent of all business messaging traffic – that’s 400 billion messages in total a year.

Do the maths, and this equates to around $4 billion a year.

Now, to be clear, Mobilesquared made its 20 percent assertion in 2018 so the number may be slightly out of date. But anyone with any experience of the A2P space knows that 2FA codes represent a huge chunk of the market. Indeed, it’s entirely possible 20 percent is on the low side – especially if you consider a possible fall in promotional SMS due to price rises.

So why are we making these calculations?

Because this $4 billion a year market is under threat.

The reason? Flash calling.

Many readers will be aware of this new and frictionless alternative to the SMS OTP. But for those of you that are not, let’s recap.

What is flash calling?

A flash call occurs for multiple reasons – but all have to do with alerting the recipient in a way that reduces (or eradicates) the cost of doing so. Perhaps the first instance of it came in the consumer space as the ‘missed call’. Here, a person would call a friend with a single ring to indicate they had arrived safely home.

Companies quickly adapted this practice too – especially in developing markets. In India, it’s now common for customers to make a missed call to a particular business number in order to trigger a call back. The appeal to cost-conscious users on prepaid tariffs is obvious.

In fact, this kind of flash call ‘product’ is so well-established it even has different names in different regions: flashing in Nigeria, flashcalling in Pakistan, miskol in the Philippines and ring-cut in Sri Lanka for example.

So it was probably inevitable that the missed call concept would cross over into the SMS authentication space. Companies realised that, rather than sending a one-time SMS containing a PIN, they could make a call from a random number, which drops after one ring. The A-number of the call made (or its last 4 or 6 digits) represents the passcode that the user needs to validate his or her mobile number.

What’s the secret of its appeal?

It’s easy to see why brands and their customers like flash calling.

For the brand, there are huge cost savings. Flash calls are generally categorised as zero-duration calls, which are not charged in most telco voice billing models. There’s also virtually zero risk of interception by fraudsters.

For end customers, much of the friction of an SMS 2FA disappears. They don’t have to manually enter a code because the incoming number is the code. And in Android, the call log permissions allow for the app to ‘read’ the code and approve the authentication in the background. Obviously, the user has to grant the app these permissions at the installation stage. However, most users do – especially for apps like Telegram, Viber and WhatsApp, which are call-related.


Adoption of flash calling is growing

These obvious benefits explain why flash calling has suddenly become ‘a thing’. Some very big companies are now looking at it. The strongest interest appears to be from rich messaging app companies – especially in the Asia Pac and CIS regions.

Telegram is already offering a flash calling API to developers, while in August, the chat provider Imo made it available to its 200m customers across Asia.

But the most eye-catching development came in June 2021, when it was revealed that WhatsApp would introduce a flash call feature in its Android update.

To be clear, WhatsApp is just testing the concept. But with two billion customers and global reach, the company’s interest has made flash calling a big talking point in the A2P space.

Market analysts have noted this rise in activity, and are now forecasting a sharp spike in volumes. Juniper Research, for example, says 5 billion flash calls will be used for authentication in 2022. But by 2026, it expects the number to rise to 130 billion.

To gauge the possible impact of this traffic, let’s return to the Mobilesquared data quoted earlier.  It estimates that one-time passcodes (OTPs) represent around 20 percent of all business messaging traffic sent –  equal to 400 billion messages in total a year at present. 

It also says that total traffic will rise to 2.62 trillion by 2025. If OTPs stay at the same levels, this would mean around 525 billion OTPs sent.

On this basis, Juniper’s estimated 130 billion flash calls (for 2026) could cannibalise around a quarter of the authentication code market.

If these numbers are anywhere near correct, then the industry is headed for a major shake-up. Flash calling has the potential to be highly disruptive – especially for mobile operators.

MNOs have a big decision to make

On the MNO side, there is obvious cause for concern. Flash calling could eviscerate A2P SMS revenues. It could replace billions of billed text messages with something for which there is no income stream at all: missed calls.

There is also a security concern. On the plus side, it’s true (as stated earlier) that flash calling minimises the risk of passcode interception. But then it’s also the case that flash calling normalises the process of accepting incoming authentication calls from random numbers.

It’s possible that some users might call these numbers back on purpose or by mistake. This could be expensive. It could anger some consumers and cause customer care issues. There is even a risk that an A-number could be related to an individual who is not aware that his/her personal number is being misused.

Many MNOs now try to block flash call numbers in order to protect their SMS-based authentication revenues. However, blocking is not easy to do. After all, how can an MNO distinguish between a flash call and a ‘legitimate’ missed call? And even if it correctly identifies and blocks a flash number, there is nothing to stop the sender from generating new numbers to evade detection next time.

Aggregators have already launched flash calling products

Meanwhile, the flash calling phenomenon puts aggregators in a quandary. Obviously, they don’t want to invite conflict with MNOs. Yet equally they want to service their enterprise customers with a cost-effective product that end users love.

And, ultimately, this is a commercial decision. Flash calling is not illegal.

For the moment, it seems that most aggregators are siding with their customers. Some of the most prominent companies in the market now explicitly offer flash calling products. And they are not shy about trumpeting the benefits.

In a few years’ time we’ll know whether flash calling is a small and useful addition to the A2P mix or if it replaces large (and profitable) parts of it.

At GTC we have the advantage of being neutral. We know the ‘for’ and ‘against’ arguments. So if you’re eager to know more about this important topic, please get in touch.

Global Telco Consult (GTC) is a trusted independent business messaging consultancy with deep domain knowledge in application-to-person (A2P) services. GTC provides tailor-made messaging strategies to enterprises, messaging service providers, operators and voice carriers. We have expertise in multiple messaging channels such as RCS, Viber, WhatsApp, Telegram and SMS for the wholesale and retail industry.

GTC supports its customers from market strategy through service launch, running the operations and supporting sales and procurement. The company started in 2016 with a mission to guide operators and telcos to embrace new and exciting opportunities and make the most out of business messaging. For more information or industry insights, browse through our blog page or follow us on LinkedIn.

Any questions?