Silent Network Authentication (SNA) is a method of user verification in which a mobile network operator cryptographically confirms a user's phone number ownership using SIM-resident keys — without sending an OTP, without prompting the user, and without requiring an internet connection. The verification completes in under 300 milliseconds.

SNA is built on the GSMA TS.43 entitlement framework and EAP-AKA (Extensible Authentication Protocol – Authentication and Key Agreement) SIM cryptography. It is exposed to enterprises as an API through the GSMA Open Gateway CAMARA Number Verification standard. The authentication occurs entirely within the operator's core network — the Ki (root key) never leaves the SIM, the user sees nothing, and no message is transmitted.

‍

If you run a mobile network, you have already built the world's most secure authentication system. Every time a device connects to your tower, your HLR/HSS performs a mutual cryptographic challenge-response with the SIM card — verifying the device, verifying the user, and confirming the phone number in real time. You do this billions of times a day. You have been doing it since GSM.

Silent Network Authentication is not a new invention. It is the act of exposing what your network already does (SIM-based identity verification) as an API product that enterprises pay for every time they authenticate a user. No OTP is sent. No push notification. No user action. The user's app silently asks your network: 'Is this person who they say they are?' Your network answers in under 300 milliseconds, using the same EAP-AKA cryptography that powers 5G device authentication.

This guide explains exactly how SNA works at the network level, what operators around the world are deploying right now, and how to turn your existing infrastructure into a per-verification revenue stream. If you are a CDO, Head of API Products, or VP Wholesale evaluating the GSMA Open Gateway authentication API opportunity, this is your starting point.

The Problem SNA Was Designed to Solve: SMS OTP Is Breaking Under Its Own Weight

SMS OTP became the default authentication method because it was cheap to deploy, not because it was secure. In 2026, that trade-off has expired. Three simultaneous forces are pushing operators and enterprises toward SNA:

‍

Force 1: AIT Fraud Is Costing the Industry Over $1.2 Billion Annually

Artificially Inflated Traffic (AIT) is a fraud model in which attackers trigger mass OTP sends to phone numbers on premium routes they control, collecting the termination fees your network pays. Global AIT losses exceeded $1.2 billion in 2025, with analysts at Juniper Research estimating that up to 40% of A2P SMS traffic in some regions is fraudulently generated. A single enterprise client can experience a 256% spike in SMS costs within a week before detection.

The damage is not limited to enterprises. When AIT exploits your A2P messaging routes, your network bears the reputational and financial liability — including potential regulatory censure for failing to protect clients from fraud.  

‍

Force 2: Regulatory Mandates Are Eliminating SMS OTP as a Standalone Credential

Regulators across the five largest emerging market regions have moved from guidance to mandate in 2025–2026:

‍

‍

For operators, this is not a compliance detail — it is a product opportunity. Every enterprise that must now implement phishing-resistant 2FA needs a network-layer solution. That solution is your SIM infrastructure, exposed via a GSMA Open Gateway Number Verification API.

‍

Force 3: SS7 and SIM Swap Have Destroyed Trust in the Signalling Layer

SS7 vulnerabilities allow attackers to intercept in transit by exploiting legacy signalling protocols. SIM swap fraud — where criminals convince operators to port a number to an attacker-controlled SIM — has been used to drain bank accounts in hours. Neither attack vector can touch SNA: there is no OTP in transit to intercept, and the verification happens inside the network before any port takes effect. Our detailed breakdown of the TS.43 authentication trust model covers why network-layer auth is structurally immune to these attacks.

How Silent Network Authentication Works: The Full Technical Flow

Understanding SNA at the protocol level is what separates operators who can sell it with authority from those who treat it as a black box. Here is the complete authentication flow, from user tap to API response:

‍

‍

For the complete TS.43 protocol walkthrough including the EAP-AKA cryptographic exchange, see our technical deep-dive: From EAP-AKA to Access Token — How Device Authentication Works in TS.43.

The Three Infrastructure Layers Behind SNA

SNA is not a single product — it is the result of three network functions working in coordination. Operators evaluating deployment need to understand all three:

‍

Layer 1: The SIM Card (The Root of Trust)

Every SIM card issued by your network contains a Ki — a unique cryptographic key shared with your HLR/HSS/UDM and known to no one else. Not the user. Not the handset manufacturer. Not the enterprise. Not the network vendor. The Ki is the foundation of GSM, UMTS, LTE, and 5G authentication. EAP-AKA uses this Ki to run a mutual authentication challenge that neither side can fake. This is what makes SNA phishing-proof: there is nothing to phish. The credential lives in hardware, never transmitted, never visible.

‍

Layer 2: The Core Network (HLR / HSS / UDM)

Your HSS (4G) or UDM (5G) holds the subscriber profile and the Ki-derived authentication vectors. During SNA, the ECS requests an authentication vector from the HSS/UDM for the specific MSISDN being verified. The HSS/UDM generates a fresh triplet (RAND, AUTN, XRES) and returns it to the ECS. This is the same mechanism your network uses to authenticate devices attaching to towers — SNA repurposes network attach authentication as an enterprise API product. Our guide to TS.43 and core network vs entitlement server authentication explains exactly where these boundaries sit.

‍

Layer 3: The Entitlement Configuration Server (ECS)

The ECS is the operator-facing network function defined in GSMA TS.43 — the specification that standardises how devices authenticate for managed services including VoWiFi, eSIM provisioning, and SNA. The ECS sits between the core network and the API gateway; it manages the EAP-AKA flows, enforces entitlement policies, and translates network authentication events into API responses that CAMARA-compliant clients can consume. Silent Authentication in TS.43: How Devices Authenticate Invisibly is covered in detail on our platform hub.

‍

‍

USSD Fallback: Why 2G and 3G Coverage Is the Non-Negotiable Differentiator

‍

The most common gap in SNA deployments is the assumption that all subscribers are on 4G or 5G data connections. In reality, the operators where SNA generates the most revenue — India, Indonesia, Nigeria, Kenya, Bangladesh, Pakistan — serve populations where 2G and 3G coverage is not a legacy transition but a permanent deployment reality.

Standard EAP-AKA SNA requires an active data connection. If the subscriber is on 2G voice, in a fringe coverage zone, or connected to a network segment where data routing is unavailable, the EAP-AKA flow cannot complete. The enterprise app receives a timeout. The user is forced to fall back to SMS OTP — exactly the credential the operator was trying to replace.

‍

The USSD Path: Authentication on the GSM Voice Channel

USSD (Unstructured Supplementary Service Data) operates on the GSM signalling channel — not the data plane. A USSD session reaches a device over 2G as reliably as a voice call, and with a round-trip time measured in seconds rather than the OTP's 30–90 second user input cycle. U2opia's SilentAuth+ is the only CAMARA-compliant SNA solution that incorporates a USSD fallback path:

• Data available: EAP-AKA over TS.43 executes in the standard sub-300ms window.

• Data unavailable / 2G / fringe: The authentication request falls back to a USSD session over the GSM voice channel. The user still sees no OTP. A USSD string is silently processed by the network and the authentication result is returned to the API.

• Result: 100% of your subscriber base is coverable — from 2G rural to 5G urban — with a single API integration.

For operators managing multi-technology networks across diverse geographies, USSD fallback is the difference between an authentication API that works for 60% of traffic and one that works for 100%. This is particularly critical for African MNOs and Indian operators covering tier-2 and tier-3 cities. Our analysis of how roaming and coverage scenarios affect entitlement server behaviour covers the network-level implications in full.

‍

SNA vs SMS OTP: A Network-Level Comparison

For operators pitching SNA to enterprise clients — or evaluating it for their own network products — this side-by-side comparison anchors the commercial conversation:

‍

‍

For a full decision-framework comparison including migration considerations, see our dedicated silent authentication vs SMS OTP operator guide. For the regulatory timeline, our SMS OTP ban global tracker is updated quarterly.

What Operators Around the World Are Already Deploying

SNA has moved from specification to commercial deployment across every major region. These are real operator actions taken in 2025–2026:

Philippines — Globe and BPI: December 2025 PoC

Globe and BPI completed a Silent Network Authentication Proof of Concept in December 2025 through Globe's G Verify platform, aligned to GSMA Open Gateway CAMARA standards. The PoC demonstrated bank-grade SNA for BPI's mobile app users without any OTP or user interaction. This is the first publicly documented SNA+banking production trial in Southeast Asia, confirming that CAMARA NV2 flows work within an active commercial operator environment.

Malaysia — September 2025 Operator MOU

Malaysia's major mobile operators executed a joint MOU in late September 2025 to launch a federated network authentication service under the GSMA Open Gateway initiative. The framework standardises Number Verification and SIM Swap Detection APIs across all signatory operators — allowing enterprises to integrate once and authenticate across the full Malaysian subscriber base. YTL Communications announced a strategic partnership in April 2026 to deploy CAMARA Number Verification and SIM Swap APIs commercially.

New Zealand — March 2026 Commercial Launch

One New Zealand announced in March 2026 a commercial agreement to launch a suite of Network Authentication APIs via the GSMA Open Gateway framework. This marks a second Wave-1 operator in the Asia-Pacific region reaching commercial SNA deployment within a single fiscal year.

UAE and India — Regulatory-Driven Deployments

The UAE Central Bank's Notice 3057 (effective March 2026) eliminated SMS OTP for licensed financial institutions, directly driving Emirates NBD, ADIB, First Abu Dhabi Bank, and their MNO partners toward SNA integration. In India, the RBI's April 2026 mandate is accelerating SNA API negotiations between Jio, Airtel, Vodafone Idea, and their fintech and banking enterprise clients — with SMS OTP at INR 0.30 per message representing an immediate cost-elimination case for SNA.

GSMA Open Gateway: The Global Context

As of 2026, 86 operator groups — representing more than 300 networks and 80% of global mobile connections — are committed to the GSMA Open Gateway framework. The Number Verification API (driven by CAMARA NV2) is consistently among the top three APIs by enterprise demand. This network effect means operators who deploy SNA APIs today can offer enterprises a global authentication coverage story — one API contract, 80% of the world's mobile subscribers.

‍

The Revenue Opportunity: How Operators Monetise SNA as an API Product

SNA converts authentication events — which your network already performs for free during device attach — into billable API calls. The GSMA Open Gateway model defines a clear commercial framework:

• Per-verification pricing: Each API call (each authentication event) is billable. Typical market rates run $0.02–$0.05 per successful verification at scale.

• Volume tiers: Enterprise clients with high-volume authentication needs (fintech, e-commerce, super apps) negotiate volume commitments. A single large fintech client may generate 10–50 million verifications per month.

• Premium fraud APIs: SIM Swap Detection, Device Status, and Number Portability APIs are sold as add-ons alongside Number Verification, increasing revenue per enterprise API contract.

• Revenue share with aggregators: Operators who prefer not to manage enterprise API sales directly can expose their SNA capability through GSMA Open Gateway aggregators, receiving a per-call wholesale fee without commercial overhead.

‍

‍

At 10% adoption — realistic within 24 months of a commercial SNA API launch, based on observed GSMA Open Gateway ramp rates — the same operator generates approximately $7.56M ARR. This revenue compounds as more enterprise verticals (fintech, e-commerce, super apps, OTT platforms) integrate the API.

The market context: the global Number Verification API market was valued at $3.8 billion in 2025 and is projected to reach $11.2 billion by 2034 at a CAGR of 12.8%. Authentication and fraud APIs represent approximately 90% of near-term GSMA Open Gateway commercial opportunity. For a full operator authentication API monetisation playbook including pricing models and partnership structures, see our dedicated revenue strategy guide.

How to Deploy SNA: Two Paths for Operators

Operators approaching SNA deployment have two architecturally distinct options. The right choice depends on your existing core network posture, BSS/OSS integration capacity, and time-to-revenue requirements:

‍

Path 1: Build on Your Existing Entitlement Server

If you have already deployed an ECS for VoWiFi, eSIM (ODSA), or other TS.43 services, you have the primary NF. The SNA deployment path is to extend your existing ECS configuration to support the CAMARA Number Verification API exposure layer. This requires: (a) activating the EAP-AKA auth vector request path from the ECS to HSS/UDM; (b) deploying an API gateway with CAMARA NV2 spec compliance; and (c) connecting to the GSMA Open Gateway aggregation layer for enterprise API distribution. Your TS.43 implementation guide walks through the configuration sequence. Typical extension time for an experienced operator team: 6–10 weeks.

‍

Path 2: Deploy SilentAuth+ as Managed Entitlement + SNA Service

If you have not deployed an entitlement server, or want to accelerate time-to-revenue without diverting core network engineering resources, U2opia's SilentAuth+ delivers the complete stack: ECS deployment, EAP-AKA authentication flow, USSD fallback for 2G/3G coverage, CAMARA NV2 API exposure, and enterprise integration support. SilentAuth+ has been deployed across 104+ operator networks across Asia, Africa, and the Middle East, with a standard BSS/OSS integration timeline of 4–6 weeks using 2–3 engineers. For operators on a tight time-to-revenue calendar — particularly those facing RBI or UAE Central Bank compliance timelines — Path 2 eliminates the NF build phase entirely.

For architecture considerations including cloud, on-premise, hybrid, and multi-tenant deployment models, see our entitlement server deployment architecture guide. For scaling considerations as verification volume grows, our scalable entitlement system best practices covers capacity planning and failure handling.

What Makes SilentAuth+ Different: The Four Operator-Grade Guarantees

Multiple vendors offer silent authentication APIs. The differentiators that matter for operators deploying production-grade SNA at national scale are:

1. TS.43 Native — Not an IP Address Workaround

Some SNA implementations use IP address matching rather than SIM cryptography — routing the enterprise's authentication request through a data connection and checking whether the IP address maps to the claimed MSISDN. This approach fails on Wi-Fi (subscriber IP is from the router, not the mobile network), VPNs, and shared network environments. SilentAuth+ uses TS.43 EAP-AKA exclusively — the same SIM cryptography your network uses for 5G device authentication. The authentication is cryptographic, not heuristic. See our comparison of TS.43 SNA vs IP-based authentication approaches for the technical distinction.

‍

2. USSD Fallback — 100% Subscriber Coverage

As covered in Section 4, SilentAuth+ is the only CAMARA-compliant SNA solution with a USSD fallback path for 2G and 3G subscribers. For operators in markets with mixed network generations — India, Africa, Southeast Asia — this is the difference between a 60% coverage product and a 100% coverage product.

‍

3. CAMARA NV2 Compliant — Including Wi-Fi Authentication

CAMARA's Number Verify v2.0.0 (NV2) introduced TS.43 temporary token support, enabling SNA to work when the user is connected to Wi-Fi rather than the mobile data network. The ECS issues a TS.43 temporary token during the last cellular session, which the device presents to the enterprise API when on Wi-Fi. SilentAuth+ supports NV2 natively. This matters for operators whose enterprise clients serve users who frequently switch between mobile and Wi-Fi — a majority of urban fintech and e-commerce transactions. Our guide to silent authentication over Wi-Fi via NV2 explains the token issuance and validation flow in detail.

‍

4. 15+ Years of Operator Deployments — Not a Lab Product

U2opia has deployed entitlement server and SIM authentication infrastructure across more than 104 operator networks. The TS.43 and EAP-AKA implementation in SilentAuth+ has been battle-tested across Apple and Samsung device provisioning flows, ODSA eSIM activation, VoWiFi deployments, and roaming scenarios. When your production SNA traffic scales to tens of millions of verifications per month, you need an infrastructure partner whose software has already handled that load — not a product that was designed in a lab and is being stress-tested on your subscribers.

‍

Common Misconceptions: What SNA Is Not

Operators evaluating SNA sometimes encounter vendor framing that conflates related concepts. Here is a precise disambiguation:

• SNA is not the same as mobile identity verification: Mobile identity products (KYC, document verification, biometrics) confirm who a person is. SNA confirms that the device currently connected to your network owns the claimed phone number. These are complementary, not interchangeable.

• SNA is not a VoLTE or VoWiFi product: While SNA shares the TS.43 entitlement framework with VoWiFi registration, it is a distinct service with different EAP-AKA flow triggers and API exposure characteristics. See our guide to the TS.43 relationship with IR.51, IR.92, and RCC.14 for the specification boundaries.

• SNA is not CIAM (Customer Identity and Access Management): CIAM platforms (Okta, Auth0, ForgeRock) are enterprise-facing identity orchestration layers. SNA is the network-layer verification signal that feeds into these platforms. The operator provides the SNA API; the enterprise's CIAM system consumes it.

• SNA does not replace all authentication: SNA is optimised for phone number ownership verification — the first factor in phishing-resistant 2FA. High-assurance transactions (large transfers, account changes) may require additional factors (biometric, FIDO2). SNA eliminates the OTP; it does not claim to replace multi-factor authentication architecture.

‍

Frequently Asked Questions: Silent Network Authentication

What is the difference between Silent Network Authentication and Number Verification?

They are effectively the same capability described at different layers. 'Silent Network Authentication' describes the mechanism — SIM cryptography executed invisibly within the network. 'Number Verification' is the CAMARA API product name that exposes SNA as a service. When an enterprise integrates the CAMARA Number Verification API, they are consuming SNA as the underlying authentication engine.

‍

Does SNA work without an internet connection?

Yes — with USSD fallback. Standard TS.43 EAP-AKA SNA requires an active data connection. U2opia's SilentAuth+ includes a USSD fallback that executes authentication over the GSM voice channel, which operates on 2G without a data session. This enables SNA across all network generations.

‍

Which GSMA specification governs Silent Network Authentication?

GSMA TS.43 (Service Entitlement Configuration) defines the ECS-device API contract and EAP-AKA authentication flows that power SNA. The enterprise API layer is standardised by CAMARA's Number Verification specification (Number Verify v2.0.0 / NV2), which is part of the GSMA Open Gateway initiative. Operators deploying SNA should reference both TS.43 and the CAMARA NV2 specification.

‍

How does SNA handle roaming subscribers?

Roaming introduces complexity because the authentication vector request must route from the visited network's ECS to the home network's HLR/HSS. SilentAuth+ handles roaming via home-network ECS routing. For detailed roaming behaviour under TS.43, including Wi-Fi and international roaming edge cases, see our dedicated guide on entitlement server roaming and Wi-Fi behaviour.

‍

What is the Ki key and why does it matter for SNA security?

The Ki (Authentication Key) is a 128-bit secret embedded permanently in the SIM card at manufacture. It is shared only between the SIM and the operator's HLR/HSS/UDM. The Ki never leaves the SIM — not to the device OS, not to applications, not across any network interface. EAP-AKA uses the Ki to generate a challenge-response that proves the SIM is present without transmitting the key itself. This is why SNA is phishing-proof: there is no credential in transit that can be stolen.

‍

How long does a Silent Network Authentication take?

Typically 150–300 milliseconds from API call initiation to response, under normal network conditions. This compares to 30–90 seconds for SMS OTP (including the time for the user to receive, read, and enter the code). In high-latency environments or when USSD fallback is invoked, the verification may take 3–8 seconds — still dramatically faster than OTP.

‍

Can SNA work for Wi-Fi users not on mobile data?

Yes, via CAMARA NV2 (Number Verify v2.0.0). NV2 introduced TS.43 temporary token support: the Entitlement Configuration Server issues a short-lived token during the subscriber's last cellular session. When the user moves to Wi-Fi, their device presents this token to the enterprise API, and the ECS validates it against the subscriber record. This enables SNA for the growing share of urban users who authenticate while connected to Wi-Fi.

‍

What operator infrastructure is required before deploying SNA?

The minimum requirements are: (1) an active HSS/UDM with EAP-AKA authentication vector generation capability — present in all 4G/5G networks; (2) an Entitlement Configuration Server (ECS) deployable either in-house or as a managed service; (3) a CAMARA-compliant API gateway for enterprise exposure; and (4) GSMA Open Gateway registration for commercial API distribution. Operators without an existing ECS can deploy SilentAuth+ as a managed entitlement service, typically integrated within 4–6 weeks.

‍

Conclusion: Your Network Has Always Been the Authenticator

Silent Network Authentication is not a future technology. It is the present-tense productisation of capabilities your network has executed since the first GSM subscriber authenticated to your tower. EAP-AKA, the Ki, the HLR/HSS authentication vector — these are not new. What is new is the API layer that exposes them to enterprise clients as a billable, CAMARA-standardised, Open Gateway-distributed product.

The regulatory window is narrowing. India's RBI mandate landed April 2026. UAE's CBUAE Notice 3057 deadline was March 2026. NIST's classification of SMS OTP as non-compliant with AAL2 is reshaping enterprise purchasing decisions in North America. Every enterprise that must now implement phishing-resistant authentication is looking for a carrier-grade solution. The operator who has deployed SNA first wins that procurement conversation.

Operators already deploying SNA are building API revenue streams that compound quarterly, while simultaneously eliminating the AIT fraud exposure and regulatory liability that made SMS OTP a liability as much as a revenue line. The SilentAuth+ platform for operators delivers the full TS.43 + CAMARA NV2 + USSD fallback stack, deployed across 104+ networks and ready to integrate with your existing BSS/OSS in weeks, not quarters.

‍