The digital finance sector is on the brink of a systemic security overhaul, and the global telecommunications industry, from Mobile Network Operators (MNOs) to aggregators, must recognize this moment as a major inflection point. For years, Application-to-Person (A2P) SMS has been the backbone of digital banking, providing the ubiquitous channel for critical alerts and, most importantly, authentication.
Now, as we will see, regulatory bodies worldwide are issuing strict directives that mandate a decisive shift to more secure, modern authentication methods. This global pivot, driven by the need to protect consumers from sophisticated digital fraud like SIM-swap attacks and phishing, fundamentally redefines the security and revenue landscape for the entire messaging ecosystem.

However, rather than viewing Strong Customer Authentication (SCA) as a headwind, telcos and aggregators should recognize it as a structural opportunity to reposition their network assets — identity, risk, and reach — as trusted components of digital trust frameworks. The winners will be those who evolve from message delivery to verifiable identity assurance.
The Looming Commercial Threat to A2P Revenue Streams
The regulatory push directly threatens the most profitable segment of A2P messaging. According to the Mobilesquared “Global A2P SMS Report 2017-2029,” this shift represents a profound market contraction that requires immediate strategic attention:
- Dominant Revenue Source: The Finance sector accounted for around 28% of total A2P SMS spend in 2024, solidifying its position as the most important vertical for the entire ecosystem.
- The OTP Collapse: The volume of messages related to Authentication—the critical SMS OTP use case—is forecast to drop from 1.43 trillion messages in 2024 to approx. 838 billion in 2029.
- Massive Revenue Erosion: Correspondingly, brands will cut Authentication spend from a staggering $17.6 billion in 2024 to $9.6 billion in 2029. Authentication’s share of total A2P spend is projected to fall from 53% to 38% over the same period.
This mandates change: while Finance traffic is expected to increase (from 22% to 29%), the spend is shifting rapidly away from SMS Authentication and toward alternative, potentially less profitable channels. MNOs and aggregators face the dual challenge of preserving finance traffic volume while rapidly developing new, secure products to replace the collapsing authentication revenue.
The Worldwide Legislative Push for Stronger Authentication
The mandate for stronger authentication is no longer a best-practice recommendation; it is rapidly becoming a legal requirement across multiple global jurisdictions. Following several high-profile data breaches and the pervasive threat of fraud (especially account takeover via SIM swapping and intercepted SMS OTPs), governments and financial regulators worldwide have begun a coordinated legislative crackdown on single-factor and other weak authentication mechanisms.
This movement forces financial institutions, payments providers, and other regulated entities to move past compliance minimums and adopt robust, multi-factor solutions (such as biometrics, hardware tokens, and FIDO-based passkeys) to protect consumer assets and uphold market stability. The global trend emphasizes a layered security approach, risk-based analysis, and non-reliance on easily compromised communication channels such as SMS, and for that matter OTT OTPs, as we’ve recently pointed out.
| Region / Country | Regulation or Guidance | Core Authentication Focus | Impact and Key Requirement |
|---|---|---|---|
| European Union (EU) | Payment Services Directive (PSD2), SCA, and DORA (Digital Operational Resilience Act) | Mandatory Strong Customer Authentication (SCA) | Requires two of three authentication elements (Knowledge, Possession, Inherence) for almost all electronic payment transactions and accessing online account information. |
| United States (US) | FFIEC Authentication and Access Guidance | Risk-Based Authentication and Layered Security | Replaced 2005/2011 guidance; explicitly states single-factor authentication is inadequate for high-risk transactions. Emphasizes risk assessment, layered controls, and advanced monitoring. |
| India | Reserve Bank of India (RBI) Guidelines on Digital Payments | Phasing Out Weak Authentication Mechanisms | Through various circulars, the RBI has actively pushed banks to limit or eliminate the use of easily intercepted methods like SMS OTPs and email OTPs for high-value or sensitive digital transactions, encouraging the shift to stronger app-based controls. |
| Australia | APRA Prudential Standard CPS 234 (Information Security) | Proactive Information Security Capability | Requires regulated entities (banks, insurers, super funds) to maintain an information security capability commensurate with threats and vulnerabilities, placing strong emphasis on controls, incident response, and third-party risk management, which includes robust access controls. |
| UAE & Philippines | Recent Central Bank Directives (e.g., BSP Circular No. 1213) | Binding Elimination of SMS OTPs | Imposed aggressive deadlines (e.g., UAE Central Bank) or binding orders (e.g., Bangko Sentral ng Pilipinas) for banks to eliminate SMS and email OTPs, directly mandating the use of soft tokens, biometrics, and passwordless systems for digital banking. |
New Rules, New Paths to Monetization
However, it’s not all bad news. Telcos just need to adapt to the changing regulatory landscape. These new rules open fresh opportunities for telcos to leverage their network strengths and offer advanced authentication and identity services that meet increasing security and compliance demands.
Here’s how telcos can capitalize on these opportunities worldwide:
- European Union: Shift focus from declining SMS OTP revenues to delivering network-driven API services like Number Verify and identity verification.
- United States: Partner with financial institutions to provide risk-based, context-aware authentication solutions.
- India: Collaborate with banks on secure, app-based tokenization to secure digital payments.
- APAC (UAE & Philippines): Deploy network-based device verification to meet urgent mandates and capture new revenue.
This transformation turns telcos from mere message carriers into essential trust providers powering secure digital identity ecosystems. And yes, GTC can help you on this path.
Core Directive: Phasing Out Weak Authentication
The confluence of regulatory pressure and mounting fraud has forced financial institutions to execute direct strategies to eliminate legacy single-factor mechanisms. This operational directive specifically targets One-Time Passwords (OTPs) delivered through traditional communication channels, recognizing their intrinsic weaknesses at scale.
The goal is to move beyond the easily compromised “possession” factor (the phone number) and embrace methods that are cryptographically secure and resistant to man-in-the-middle, phishing, and telecom-level attacks.
| Method | Primary Vulnerability / Threat | User Experience | Regulator Stance |
|---|---|---|---|
| SMS OTP (Text Message) | SIM swapping, SS7 interception, smishing attacks, message interception via malware. | High familiarity, but prone to high latency, delivery failure, and network congestion issues. | Actively being banned or heavily restricted for high-value transactions by regulators worldwide. |
| Email OTP | Phishing, email account compromise (EAC), lack of delivery assurance (spam folders). | Requires app-switching (friction), universally accessible, but often slower than real-time authentication requires. | Generally deemed too weak for financial and high-risk transactional authentication. |
| Voice OTP (Phone Call) | Voice recognition errors, call forwarding/hijacking (less susceptible to SIM swap than SMS). | Good for users with accessibility needs, but can be intrusive and requires a dedicated audio channel. | Less common but still relies on vulnerable telecom infrastructure and call path integrity. |
While regulatory focus often centers on traditional SMS and email channels due to their ubiquity in finance, it is important to note that Over-the-Top (OTT) OTPs—delivered via platform-specific messaging apps—are subject to many of the same core issues.
Fundamentally, they still rely on proving possession of a single device tied to a potentially fallible app layer, thus failing to achieve the “fit-for-purpose” authentication required for modern security (as discussed here).
The Global Standard: Strong Customer Authentication (SCA)
The regulatory drive is centered on enforcing Strong Customer Authentication (SCA), formally defined (e.g., under the EU’s PSD2) as an authentication process utilizing two or more elements from distinct categories. These elements must be independent of one another—meaning the compromise of one factor must not jeopardize the security of the others—and designed to protect the confidentiality of the authentication data.
SCA requires verification of identity using at least two of the following three categories:
| Element | Description (Something you…) | Common Examples (Compliant Mechanisms) |
|---|---|---|
| Knowledge | …know. A secret known only to the authorized user. | Password, Personal Identification Number (PIN), Passphrase, Secret Question response. |
| Possession | …own or physically control. A physical or digital item tied to the user’s identity. | Hardware Token (FIDO Key), Token Generator, Smartphone running a secure, cryptographically bound application (Soft Token). |
| Inherence | …are. A unique and measurable biometric attribute of the user. | Fingerprint, Facial Recognition, Iris Scan, Voiceprint, Behavioral Biometrics (e.g., typing patterns). |
A critical, non-negotiable requirement for SCA compliance in high-risk financial transactions is Dynamic Linking. This mandates that the authentication code or factor must be dynamically linked to the specific transaction amount and the intended payee. If either of these parameters is altered, the authentication token must immediately become invalid, preventing man-in-the-middle fraud.
The Role of Silent Authentication (GSMA TS.43) in the SCA Landscape
Silent Authentication, often facilitated by mobile network operator (MNO) systems using standards like GSMA TS.43, performs a highly secure, instantaneous, and frictionless confirmation of the device’s Possession factor (i.e., verifying that the device currently initiating the action is securely associated with the registered phone number/SIM).
While Silent Authentication is superior to SMS OTPs in terms of security and user experience—being inherently resistant to SIM swap, smishing, and interception—it is not a compliant Strong Customer Authentication (SCA) solution on its own.
Silent Authentication is therefore a powerful enabler rather than a stand-alone solution, for two reasons: first, it only fulfills the Possession requirement; second, it lacks a native cryptographic mechanism to sign the specific transaction details dynamically, which is a non-negotiable requirement of SCA for payment authorization.
Feasibility and Strategic Application
Despite these regulatory distinctions, Silent Authentication is highly feasible and strategically essential in modern authentication frameworks:
- SMS OTP Replacement: It serves as the most secure, low-friction replacement for SMS OTPs, significantly hardening the device binding and initial access layers.
- Frictionless MFA: When combined with a low-friction second factor (e.g., Silent Authentication confirms Possession + the user enters a simple session PIN or uses biometrics for Inherence), it creates a robust, SCA-compliant, and virtually seamless Multi-Factor Authentication experience.
- Device Binding: It is a strong tool for securely binding a user’s identity to a specific mobile application (e.g., a banking app), which then enables the secure generation of a cryptographically sound Soft Token for Dynamic Linking.
- Risk-Based Authentication (RBA): Its high assurance level allows financial institutions to use it as a powerful data point in their RBA engine, often enabling the institution to qualify for a regulatory exemption from step-up SCA for low-risk transactions (like checking a balance or low-value payments).
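The Dynamic Linking requirement and the Soft Token it relies on are easiest to understand in code. The following is an added example, not code from the original post or from any vendor: a minimal soft token that holds a per-device key established at enrollment and computes the authentication code as an HMAC over the amount, payee and a bank-issued nonce, so that the bank's verifier rejects the code if either the amount or the payee was altered in transit. The device key, payee identifier and amounts are constructed sample values, and the key would live in the device keystore rather than in source.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample key bound to this device when the banking app was enrolled
# (the "device binding" step). Real deployments keep it in a secure keystore.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    currency: str
    payee: str   # constructed sample IBAN-like identifier
    nonce: str   # fresh per challenge, issued by the bank to block replay


def canonical(tx: Transaction) -> bytes:
    """Length-prefix every field so different transactions never encode alike."""
    parts = [str(tx.amount_cents), tx.currency, tx.payee, tx.nonce]
    out = b""
    for part in parts:
        raw = part.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def sign_transaction(key: bytes, tx: Transaction) -> str:
    """Soft-token side: the code is cryptographically linked to amount and payee."""
    mac = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    # Truncated for display like an OTP: 4 bytes -> 8 hex characters.
    return mac[:4].hex()


def verify_transaction(key: bytes, tx: Transaction, code: str) -> bool:
    """Bank side: recompute over the transaction it is actually about to execute."""
    return hmac.compare_digest(sign_transaction(key, tx), code)


def demo() -> tuple:
    nonce = secrets.token_hex(8)
    tx = Transaction(12500, "EUR", "DE00CONSTRUCTED000000001", nonce)
    code = sign_transaction(DEVICE_KEY, tx)
    genuine_ok = verify_transaction(DEVICE_KEY, tx, code)
    # Same code presented with the payee changed in transit: must fail.
    altered = Transaction(12500, "EUR", "DE00CONSTRUCTED000000002", nonce)
    altered_ok = verify_transaction(DEVICE_KEY, altered, code)
    return genuine_ok, altered_ok
```

The bank verifies over the transaction it will execute, not over what the client claims it signed, which is what makes the code worthless to anyone who changes the amount or payee after the user approved it.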
Conclusion: A Collaborative Future for Trust
The global regulatory push for Strong Customer Authentication (SCA) confirms that the future of high-assurance security is rooted in Dynamic Linking, driven by cryptographically secure solutions like Soft Tokens and FIDO/Passkeys. While this transition satisfies the non-negotiable regulatory demands for multiple independent factors and transaction integrity, it does not sideline the telecom industry.

As vulnerable A2P SMS authentication revenue declines, Silent Authentication (GSMA TS.43) positions the Mobile Network Operator (MNO) as the essential provider of the initial, high-assurance Possession factor. By frictionlessly verifying the trusted binding between a device and a phone number, MNOs secure their “piece of the pie” in the digital trust ecosystem. The telco value proposition evolves from being a simple delivery channel to becoming the non-repudiable foundation for secure identity verification, enabling the next generation of seamless, SCA-compliant experiences. This partnership between network intelligence and end-user technology is the key to maximizing both security and user convenience.