Most people have been through it.
You call your bank. You give your date of birth. You confirm your address. You try to recall the fourth and fifth characters of a password you set in 2016. Then you wait while an agent you have never met types things on the other end of the line.
It takes three to four minutes. It leaks personal data you would not post publicly. And it does not reliably stop fraud.
Last week, we published results from a proof of concept we ran across late 2025 and into early 2026. The collaboration involved Telefónica Tech, GSMA, and TMT ID. The goal was straightforward: replace the SMS OTP and security question ritual with something faster, less invasive, and harder to defeat.
The results were hard to argue with:
- Authentications completed in under 60 seconds on average.
- 80% of trialists reported the process was faster than their normal experience.
- 100% said they would prefer it over existing methods.
What replaced the SMS OTPs and the security questions
The architecture combined two layers that have existed separately but had not been integrated for this use case before.
Telefónica contributed mobile network APIs: real-time signals that an operator can derive from its own infrastructure, including SIM swap detection, number porting events, and number recycling. Dock Labs contributed Truvera, its Digital ID infrastructure.
The flow from the user's side was deliberately minimal. A push notification arrives in a wallet app. The user taps confirm. Authentication completes. No security questions, no SMS one-time passwords, no reading out digits from a text message.
That simplicity was a deliberate design decision, not a byproduct. The team chose a DIDComm-based message over a verifiable credential presentation specifically to remove one click from the journey. The point was to make the technology close to invisible.
Glyn Povah, Global Product Development Director at Telefónica Tech, described the verification step as completing in approximately ten seconds once the user responds. The remaining time is network and back-end processing.
The problem the PoC was actually solving
Public conversation about phone fraud tends to focus on scammers calling consumers. The direction that motivated this project is the less-discussed one: fraudsters impersonating consumers when they call into enterprise call centers.
The target is accounts with stored value. Bank accounts, crypto holdings, airline miles. And the attack surface starts before the knowledge-based check even begins.
Caller Line Identification spoofing allows a fraudster to present a legitimate phone number at the call center, getting past the first signal of identity before any question is asked. SIM swap fraud and number recycling add further exposure.
The existing defense, the security question, was never designed to address these vectors. Povah noted that much of the information used in knowledge-based checks is findable via social media, which means the questions impose friction on legitimate users while providing limited resistance to a prepared attacker.
The friction is real: Povah described customers spending three to five minutes on security checks and sometimes failing them because they could not recall information they registered years earlier.
Why this matters beyond the call center
The more significant implication of the PoC is not what it does for phone authentication. It is what it does for the infrastructure underneath.
Nick Lambert, CEO at Dock Labs, who presented alongside Povah, described the approach as "the Trojan horse of credentials." A simple, high-frequency use case, call center verification, that quietly deploys wallet and digital ID credential infrastructure at scale.
Once that infrastructure is in place, the same credential can support loyalty discounts, frictionless onboarding, identity proofing for third-party services, and other use cases that currently require their own separate verification stacks.
Mobile network operators are well-positioned to issue credentials in this model.
They hold first-party data, phone number, address, payment history, SIM lifecycle events, that most other organizations cannot access.
Critically, they already process the events that would trigger credential revocation in real time: a SIM swap, a port-out, a number recycled to a new subscriber. Revocation infrastructure is often the overlooked cost in credential deployments. In this model, it largely already exists.
Helene Vigue, Identity and Data Director at GSMA, provided the wider context.
Global scam losses in 2024 were approximately $1 trillion, with around 4% recovered.
In Southeast Asia, roughly one in ten consumers reported being scammed in the past year. In Singapore, 83% of survey respondents said they avoid buying on Facebook, and 67% avoid TikTok Shop, citing scam distrust. A significant share said they would switch financial services providers to get better security.
What still needs to happen
The PoC ran with a limited group of trialists. Povah was direct about what that means: the attack surface at small scale is fundamentally different from 350 million subscribers, Telefonica's footprint, or 6 billion, the global SIM card holder count. Scaling changes the security posture significantly.
The business model has not been built yet. Pricing, enterprise ROI models, and commercial agreements between operators and relying parties are still to be worked out.
The wallet ecosystem adds friction of a different kind: in Europe, the infrastructure is largely oriented toward government services, and arriving with a commercial B2B use case into that context is genuinely challenging.
There is also a distribution question.
The PoC used a standalone wallet app. The likely production path embeds wallet functionality in an operator's existing app. Povah cited O2's monthly active app usage at approximately 70% of its subscriber base, which offers a credible channel. But getting there requires operator buy-in, integration work, and a clear enough business case to move it up the product roadmap.
None of that is insurmountable.
The four-minute security check is a problem that a lot of organizations have lived with because there was nothing obviously better to replace it with. The Trusted Caller Identity PoC is a credible answer to that.
Whether it becomes a production deployment depends less on the technology than on the commercial and ecosystem work that comes next.
