.png)
Voice revenue is in terminal decline. A2P SMS is under sustained AIT fraud attack. Data has become a commodity feature that users treat as a utility. Every major analyst covering the telecoms sector has reached the same conclusion: the path to meaningful ARPU growth for MNOs runs through network API monetisation — turning the unique, non-replicable capabilities inside your network into standardised, sellable services for the enterprise market.
Here is the part that does not get said loudly enough: one of those unique capabilities has been running in your network for over two decades, at no charge, as invisible infrastructure overhead. Every time a subscriber's device connects to your network (every time, without exception) your network runs EAP-AKA (Extensible Authentication Protocol – Authentication and Key Agreement). A cryptographic challenge-response exchange, unique to each SIM, unforgeable, completed in milliseconds. You have been doing this for every subscriber, billions of times a day, for free.
The market for that capability, packaged as a CAMARA-compliant API and exposed via GSMA Open Gateway, is currently valued at $3.8 billion. It will reach $11.2 billion by 2034. GSMA has already built the commercial infrastructure. 86 operator groups, representing over 300 networks and 80% of global mobile connections, are signed into the programme. 43 channel partners — including the platforms that enterprise authentication teams use every day — are already connected. The regulatory mandates that are forcing enterprises to replace SMS OTP by April 2026 are generating urgent, immediate demand for exactly what your network can provide.
The question is not whether this market exists. The question is whether your network is in it, or whether someone else is earning from your subscribers while you watch.
Section 1: The Two-Sided Squeeze — Why Inaction Has a Cost
Before making the case for what your network can earn, it is worth being clear about what the current situation is costing you. There are two pressures — and they are both accelerating.
The AIT Problem Is Yours Whether You Caused It or Not
Artificially Inflated Traffic fraud is the practice of generating fake OTP delivery requests through A2P SMS channels to inflate messaging volumes and claim a share of termination revenue. The GSMA estimates that AIT accounts for 5–40% of all international A2P SMS traffic, depending on the market. Global losses exceed $1.2 billion annually. In a single disclosure, Elon Musk stated that Twitter was losing $60 million per year to SMS pumping — and named 390 telecom operators as the source of those fraudulent delivery requests.
The reputational point is important: AIT fraud does not sit at the enterprise or at the fraudster alone. It runs through telecom infrastructure, and enterprises and regulators know it. When an enterprise's OTP costs spike due to AIT and they investigate, they find operator routes. When the UAE Central Bank banned SMS OTP in March 2026 and cited fraud as a primary driver, they were responding to fraud that ran through A2P SMS channels — channels that operators manage and monetise. The regulatory response to AIT is not just an enterprise problem. It is a mandate that directly reduces A2P SMS volume — your revenue line.
Regulatory Phase-Outs Are Eliminating Your OTP Revenue Regardless
India's RBI issued its Authentication Mechanisms Directions in 2025, effective April 1, 2026: using a SMS OTP API alone is no longer a sufficient second factor for digital payment transactions. UAE's CBUAE Notice 2025/3057 set a March 31, 2026 deadline for all licensed financial institutions to replace SMS and email OTP with biometric, FIDO2, or network-based alternatives. Singapore's MAS had already moved its major retail banks off OTP logins in July 2024. NIST SP 800-63B-4 reclassified SMS OTP as a 'restricted authenticator' in the United States.
Every one of these mandates reduces enterprise OTP SMS volume. If the alternative your enterprise customers adopt does not run through your network, you lose that revenue without replacement. If the alternative does run through your network — as a CAMARA-standard silent authentication API call — you replace the declining per-message OTP revenue with per-verification API revenue. The economics are different, but the enterprise relationship is retained and the AIT liability is eliminated.
Section 2: The Asset — EAP-AKA Is in Every SIM You Have Ever Issued
TS.43 (GSMA Technical Specification 43, updated in Release 11) is the entitlement configuration framework that defines how operators issue short-lived EAP-AKA tokens accessible to enterprise applications. It is the commercial and technical bridge between your existing HLR/HSS infrastructure and the CAMARA API layer that enterprises consume. In practical terms: your HLR or HSS already holds the subscriber authentication data. TS.43 adds an entitlement server — a relatively lightweight network function — that issues time-limited cryptographic tokens for enterprise use. Those tokens flow through the CAMARA Number Verification API to the enterprise. The enterprise receives a verified match in under 300 milliseconds. Your HLR/HSS is never exposed to the enterprise application.
The 2025 TS.43 Release 11 Amendment — Wi-Fi Is Now Covered
The original TS.43 specification required the device to be on mobile data to carry the EAP-AKA signalling exchange. Since most smartphone users spend the majority of their time on Wi-Fi, this created a significant coverage gap for enterprise deployments. The GSMA's 2025 Release 11 amendment resolved this via the CIBA+TS.43 temporary token mechanism. While a device has mobile data connectivity, it pre-fetches a short-lived cryptographic token tied to the subscriber's SIM identity. That token can then authenticate the subscriber over a subsequent Wi-Fi session. This is the mechanism that powers NumberVerify2 (NV2)'s Wi-Fi verification capability — enabling phone number verification for subscribers regardless of whether they are on mobile data or Wi-Fi when the enterprise calls the API. The Wi-Fi extension is the single most commercially significant upgrade in the CAMARA Number Verification ecosystem since the standard was first published.
Section 3: The Revenue Model — What GSMA Open Gateway Actually Pays You
GSMA Open Gateway is the commercial and technical infrastructure that makes network API monetisation possible at global scale. It provides three things: a standardised API contract (CAMARA REST APIs) so enterprises integrate once and reach all operators; a commercial framework (per-call revenue sharing) so operators are compensated for every enterprise verification against their subscriber base; and a distribution network (43 signed channel partners) so enterprise demand reaches operators without requiring direct sales relationships.
For operators, the per-verification revenue share model is straightforward: every time an enterprise application calls the SilentAuth+ API or NumberVerify2 API and the authentication resolves against a subscriber on your network, you earn a share of that API call. You do not need to manage the enterprise relationship. U2opia handles API routing, billing, and channel partner integration. You collect per-verification revenue from the aggregate of every enterprise using any channel partner that sources traffic through your network.
The Revenue Illustration — A 50 Million Subscriber Operator
Exact per-verification rates vary by market and commercial agreement. The following illustration uses conservative assumptions to model the revenue opportunity for a mid-size operator.
The market is also scaling rapidly. CAMARA enterprise integration time dropped from 45 days with proprietary APIs to an average of 3.5 days with CAMARA standard APIs — a 92% reduction in onboarding friction that is accelerating enterprise adoption across the Open Gateway channel partner network. For operators, this means the addressable enterprise volume is growing faster than at any previous point in network API history. See GSMA's H2 2025 Open Gateway State of the Market report for adoption velocity detail.
Section 4: The USSD Differentiator — Your 2G/3G Coverage Is a Competitive Moat
TS.43 EAP-AKA silent authentication requires a 4G or 5G data connection to carry the entitlement signalling. For operators in Western Europe and North America, where 4G/5G coverage is near-universal, this is not a material constraint. For operators in Africa, South Asia, and Southeast Asia — where 2G and 3G subscribers remain a significant portion of the base and where OTP volumes are highest globally — a TS.43-only deployment covers, at best, 60–70% of your subscriber base. The remaining 30–40% must fall back to OTP, which reintroduces the AIT and delivery failure problems your enterprise customers are trying to solve.
U2opia's SilentAuth+ is the only silent authentication solution that extends coverage to 2G and 3G devices via a USSD fallback path. USSD (Unstructured Supplementary Service Data) operates over the GSM voice channel — the same network layer used for carrier USSD balance checks and call setup. It requires no internet connection, works on every mobile device without exception, and delivers sub-500ms authentication response times. When a subscriber's device is on 2G or 3G, SilentAuth+ automatically routes the authentication via USSD. The enterprise receives the same verified result. The subscriber sees nothing.
Why Coverage Completeness Drives Operator Revenue
Enterprise authentication teams operate with a coverage threshold model: they set a silent auth 'hit rate' — the percentage of their user base for which silent authentication can complete — and they size their investment accordingly. An operator offering 65% coverage means the enterprise must maintain OTP infrastructure for 35% of that operator's subscribers, incurring dual-system cost and maintaining their AIT exposure on that segment. An operator offering 100% coverage via USSD means the enterprise can retire OTP infrastructure entirely for that market.
Full coverage drives three commercial outcomes for the operator: higher verification volume per enterprise (no OTP bypass for 2G/3G subscribers), stronger preference in enterprise vendor selection (100% vs 65% coverage wins the shortlist), and faster market-level penetration as enterprise adoption is not gated by partial coverage. For operators with significant 2G/3G subscriber bases, USSD fallback is not a minor technical feature — it is a commercially decisive differentiator versus every other TS.43 provider in the market.
Section 5: What Operators Who Have Deployed Are Seeing
Silent authentication is not a 2026 concept — it has been in production deployments for several years. What has changed in 2026 is the scale, the commercial infrastructure, and the regulatory tailwind that is converting enterprise curiosity into active procurement.
U2opia's authentication platform currently covers 104+ operators across 60+ countries via SilentAuth+, NumberVerify2, and P2A Authentication. Across that network, enterprise deployments report a consistent 30–40% conversion lift versus SMS OTP — driven entirely by the elimination of user friction and OTP delivery failures. SIM Swap API calls across the CAMARA ecosystem reached 340 million in 2025, primarily from banking partners using it for transaction fraud prevention alongside Number Verification.
The industry signals are moving in one direction. Meta's February 2026 white paper, published with leading telco partners, proposed establishing a dedicated GSMA taskforce in H1 2026 to coordinate enterprise adoption of silent authentication — describing TS.43 as 'the best path to enable interoperability and scale beyond SMS OTP API.' Ericsson's enterprise API platform team has publicly endorsed silent authentication as the mechanism that 'fosters a deeper, more collaborative relationship between telcos and enterprises, creating new revenue streams for MNOs and enhanced security for businesses.' These are not exploratory statements — they reflect procurement decisions already happening across the GSMA Open Gateway channel partner network.
Silent Authentication API vs Legacy OTP Revenue — Operator Revenue Comparison
Section 6: How Operators Deploy — The Two Models
There are two deployment architectures for operators joining U2opia's SilentAuth+ programme. Both result in the same commercial outcome: per-verification revenue via GSMA Open Gateway, with U2opia handling enterprise relationships, API compliance, and channel partner routing. The choice between them depends on the operator's infrastructure posture, data residency requirements, and deployment timeline.
Model 1: U2opia-Hosted (Fastest to Revenue)
U2opia deploys and operates the TS.43 entitlement server infrastructure, connecting to the operator's HLR/HSS via standard Diameter or REST interfaces. The operator's subscriber authentication data remains on-network — the entitlement server only exchanges cryptographic challenge tokens, never subscriber PII. U2opia handles all CAMARA API compliance, revenue metering, and enterprise-facing operations. No new network functions are deployed by the operator. No capital expenditure is required. Typical production timeline: 6–10 weeks from contract signature to live verification traffic.
This model is recommended for operators who want the fastest path to revenue and do not have regulatory requirements mandating that the entitlement server itself sit on-network. Full deployment and revenue mechanics are documented in the SilentAuth+ for Operators guide.
Model 2: Operator-Deployed (Full Data Sovereignty)
The TS.43 entitlement server runs as a network function on the operator's own infrastructure — cloud-native NF deployment on the operator's core network or edge cloud. All subscriber identity processing stays on-network. U2opia provides the NF software, the CAMARA API gateway layer, and ongoing support, but the operator controls the entire authentication data flow. Revenue metering occurs at the CAMARA API gateway layer, with settlement handled via GSMA Open Gateway commercial terms.
This model is recommended for operators with data residency requirements, operators in regulated markets where subscriber data processing on third-party infrastructure is restricted, or operators with existing cloud NF deployment capability who prefer full operational control. Typical production timeline is 10–16 weeks, including operator NF deployment and acceptance testing.
What Both Models Include
- USSD fallback path for 2G/3G subscribers — covering 100% of the subscriber base
- SIM swap correlation — flagging recently-swapped SIMs as high-risk to enterprise applications
- NumberVerify2 (CIBA+TS.43 Wi-Fi extension) — covering subscribers authenticating over Wi-Fi via NV2
- GSMA Open Gateway commercial framework — per-verification revenue share, metering, and settlement
- U2opia channel partner routing — connecting operator coverage to all 43 Open Gateway channel partners and their enterprise customers
- Ongoing API compliance with CAMARA stable API specification updates
Section 7: The Risk of Inaction — What Happens When Enterprises Migrate Without You
The enterprise migration away from SMS OTP is not pausing while operators decide whether to participate. The RBI April 2026 and CBUAE March 2026 mandates have already triggered active procurement across the financial services sector in both markets. Authentication platform vendors are building their operator coverage maps now. Enterprises evaluating silent authentication vendors ask one question above all others: which operator networks does your coverage include?
If your network is not in coverage — or if you are not directly enrolled but are accessible as a pass-through via a competing aggregation platform — the outcome is the same: your subscribers are authenticated via silent auth, but the per-verification revenue flows to whichever aggregation platform built coverage through you. You provided the infrastructure. Someone else collected the API revenue.
Direct enrollment in U2opia's SilentAuth+ MNO programme means you define your own coverage terms, you receive per-verification revenue directly via GSMA Open Gateway settlement, and you have visibility into which enterprises are using authentication against your subscriber base. Passive coverage — where your network is accessible via someone else's routing agreement — means you receive a fraction of the commercial value, with no enterprise relationship and no visibility.
The Window Is Now — Q3 2026 Is the Inflection Point
Enterprise authentication procurement cycles typically run 3–6 months from evaluation to production. The regulatory mandates that triggered the current procurement wave took effect in March–April 2026. Enterprises who started evaluating in Q1 2026 are going live in Q3 2026. Operators who complete deployment before that window close will be on production shortlists. Operators who miss this cycle face a longer wait — enterprises on long-term authentication contracts do not re-evaluate annually.
The $11.2 billion that the Number Verification API market will reach by 2034 will not be distributed evenly across operators. It will be concentrated among operators who enrolled early, built enterprise relationships via CAMARA channel partners, and offer differentiated coverage — particularly USSD coverage in 2G/3G markets. The operators sitting on that revenue in 2034 are making deployment decisions right now. See GSMA Open Gateway's programme overview for current enrolment details.
Section 8: The Broader Network API Picture — Authentication Is the Entry Point
Silent authentication is the largest and most urgent network API opportunity in the CAMARA Fall25 stable set — but it is not the only one. The 10 stable CAMARA APIs include SIM Swap Detection, Device Status (reachability, connectivity), Device Location, and QoD (Quality on Demand). The CAMARA project's 60-API Fall25 meta-release represents the most comprehensive standardised network API catalogue ever produced. Operators who deploy TS.43 entitlement infrastructure for silent authentication are simultaneously establishing the CAMARA API gateway and HLR/HSS connectivity that enables rapid deployment of the remaining stable APIs.
Think of silent authentication as the forcing function. The enterprise demand is immediate, the regulatory pressure is real, and the infrastructure investment is modest. But the infrastructure investment — a TS.43 entitlement server, a CAMARA API gateway, HLR/HSS interfaces — is precisely the foundation needed for every other CAMARA API the market will demand over the next three years. The operator who deploys for silent authentication today is three steps ahead of the operator who waits for the next API wave.
Network intelligence monetisation — subscriber identity, device state, network quality, fraud signals — is the sustainable, OTT-resistant revenue model that the industry has been searching for since voice revenue collapsed. It works because OTT companies and enterprises genuinely cannot replicate it. No app can replicate EAP-AKA. No cloud platform can replicate HLR/HSS subscriber data. No hyperscaler can replicate USSD coverage. These are capabilities that exist only in your network. GSMA Open Gateway and CAMARA are the commercial infrastructure to charge for them. The market has arrived. The only remaining question is timing.
Frequently Asked Questions — For Operators
What infrastructure changes does deploying TS.43 actually require?
In the hosted model (U2opia-Hosted), the operator's existing HLR/HSS connects to U2opia's entitlement server via standard Diameter or REST interfaces — no new network functions are deployed by the operator. In the operator-deployed model, a TS.43 entitlement server NF is deployed on the operator's cloud NF infrastructure, requiring standard HLR/HSS integration and CAMARA API gateway deployment. Neither model requires changes to the core network access signalling path. EAP-AKA continues to run exactly as it always has — the entitlement server adds a token issuance layer on top of existing infrastructure.
How is per-verification revenue metered and settled?
Revenue is metered at the CAMARA API gateway layer — each verified API call against a subscriber on your network generates a billable event. Settlement follows GSMA Open Gateway commercial terms, typically monthly, via the Open Gateway programme's financial settlement framework. U2opia provides per-operator dashboards showing verification volumes, enterprise sources, and revenue accruals in real time. Operators do not need separate billing infrastructure — the Open Gateway commercial framework handles end-to-end settlement between operators, U2opia, and channel partners.
Does USSD fallback require new network elements?
USSD fallback routes through the operator's existing USSD gateway infrastructure — the same network element already handling subscriber USSD services (balance checks, menu-based services, etc.). No new network elements are required. SilentAuth+ integrates with the existing USSD gateway via standard USSD signalling interfaces. For operators whose USSD gateway capacity is constrained, U2opia can advise on traffic sizing — but for the authentication volumes typical of enterprise deployments, USSD capacity impact is minimal versus existing USSD service traffic.
How is subscriber data protected when enterprise applications call the API?
Subscriber PII is never transmitted to the enterprise application. The enterprise sends a phone number and receives a verified match or mismatch — no SIM identity data, no network parameters, and no subscriber details are returned. The cryptographic EAP-AKA exchange is entirely internal to the network and the entitlement server. In the hosted model, U2opia's entitlement server exchanges challenge-response tokens with the HLR/HSS — again, no PII, only cryptographic tokens. CAMARA's API design explicitly enforces data minimisation: the enterprise receives only the verification result.
What is the minimum subscriber base to make silent authentication commercially worthwhile?
There is no formal minimum, but the revenue model scales with subscriber base. For operators under 5 million subscribers, the per-verification revenue from authentication APIs is relatively modest in absolute terms — though it is still positive-margin, zero-capex revenue in the hosted model. The more compelling case at smaller subscriber scales is competitive: enterprises building global authentication coverage via CAMARA want complete geographic coverage, and operators who are not in coverage leave a gap that competitors may fill. The commercial case accelerates significantly for operators above 10 million subscribers, and is highly compelling for operators above 50 million.
How quickly can we go from conversation to live production traffic?
In the hosted deployment model, U2opia's typical production timeline is 6–10 weeks from contract signature to live verification traffic. This includes HLR/HSS connectivity setup, entitlement server configuration, CAMARA API compliance testing, channel partner routing activation, and enterprise acceptance testing. In the operator-deployed model, timeline extends to 10–16 weeks, dependent on the operator's internal NF deployment process. U2opia provides full technical programme management throughout both deployment tracks.
The Bottom Line: Your Network Is the Product — CAMARA Is the Storefront
The transition from SMS OTP to silent authentication is not a trend your enterprise customers are managing. It is a regulatory and commercial reality that is reshaping the enterprise authentication market right now, in the markets where your subscriber base is largest. That transition either generates API revenue for your network or for a competitor's aggregation platform — and the determining factor is whether your TS.43 entitlement server is live before enterprise procurement decisions close.
Your network already runs EAP-AKA on every subscriber, every day, at no charge. TS.43 adds the commercial layer that turns that capability into a billable API. CAMARA standardises the interface so any enterprise in the world can integrate once and reach you. GSMA Open Gateway handles the commercial settlement. U2opia handles everything between the enterprise and your HLR/HSS — coverage routing, USSD fallback for 2G/3G, SIM swap correlation, and channel partner access.
The market is at $3.8 billion today and growing at 12.8% annually. The regulatory mandates are live. The enterprise procurement wave is happening. The infrastructure investment is 6–10 weeks and zero capex in the hosted model. Contact U2opia's partnerships team to start the technical conversation.
