By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts. More info
DenyAccept

Trusted Caller Identity: Pilot Results from GSMA & Telefónica [Video and Takeaways]

Published
May 18, 2026
Table of content
This is also a heading
This is a heading

Join 14,000+ identity enthusiasts who subscribe to our newsletter for expert insights.

By subscribing you agree to with our Privacy Policy.
Success! You’re now subscribed to the newsletter.
Oops! Something went wrong while submitting the form.

Call center authentication is a problem most people have experienced but few in the identity industry have prioritized.

A proof of concept run across late 2025 and into 2026 by Telefónica Tech, GSMA, Dock Labs, and TMT ID set out to fix this. The approach combined Telefónica's mobile network APIs with Dock Labs' verifiable credentials infrastructure to build a call center authentication flow that completes in under 60 seconds, requires one tap on a mobile device, and eliminates the need to recite personal data to a call center agent.

The results from trialists were notably strong: 80% reported authentication was faster than their existing experience, 67% found it more secure, and 100% said they would prefer it over current methods.

This piece draws on the key insights from a recent webinar where Glyn Povah, Global Product Development Director at Telefónica Tech, and Helene Vigue, Identity and Data Director at GSMA, presented results from the PoC and discussed what comes next. The conversation covers fraud vectors, wallet distribution challenges, the extensibility of verifiable credentials beyond this single use case, and why the business case still needs significant work before a production deployment is viable.

The Fraud Problem Runs in Both Directions

  • Most public conversation about call fraud focuses on scammers calling consumers. The less-discussed and arguably more damaging direction is consumers being impersonated when calling into enterprise call centers.
  • Glyn described this as a gap in market awareness: impersonation fraud into call centers was something he had not heard much about before conversations with customers surfaced it as a growing problem.
  • The target is typically accounts with stored value: bank accounts, crypto, airline miles, and similar.
  • This inbound impersonation fraud is compounded by legacy authentication infrastructure that was never designed to prevent it.
  • Caller Line Identification (CLI) spoofing is a known and actively exploited vulnerability in call center authentication.
  • Fraudsters can spoof the phone number that appears at the call center, giving a false signal of legitimacy before any knowledge-based check even begins.
  • SIM swap fraud and number recycling add further attack surface, particularly as account takeovers have grown significantly.

Knowledge-Based Authentication Is a Broken Default

  • The current standard for call center identity verification (knowledge-based questions) is slow, unreliable, and leaks personal data.
  • Glyn observed customers spending three to five minutes on security checks, and sometimes failing them entirely because they could not recall information registered years earlier.
  • Customers regularly share personal data (dates of birth, address history, partial passwords) with call center agents they have never met, creating downstream privacy risk.
  • Much of that information is also findable via social media, reducing its security value while maintaining its friction cost.

The Proof of Concept Combined Two Distinct Technology Layers

  • The PoC was built by combining mobile network APIs (from Telefónica) with Dock Labs' Truvera digital identity and verifiable credentials stack. This combination had not been deployed together for this use case before.
  • Neither layer is entirely new. Network APIs have existed for a couple of years; decentralized digital identity has been available for longer. The innovation was in the integration.
  • The PoC ran for approximately six months with a group of trialists and was demonstrated publicly at Mobile World Congress 2026.

The PoC Results Were Strongly Positive on Speed and Preference

  • Quantitative and qualitative results from trialists were compelling, particularly on speed and preference.
  • 80% of trialists reported authentication was faster than their normal experience.
  • 67% reported it felt more secure.
  • 100% said they would definitely or probably prefer this method over current authentication.
  • Authentications completed in under 60 seconds on average, compared to a baseline of three to four minutes with traditional methods.

The User Experience Was Deliberately Minimal

  • The team chose a DIDComm-based message (an open standards encrypted message) over a verifiable credential presentation as the authentication mechanism, specifically because it removed one click from the user journey.
  • Nick noted that the result was functionally equivalent but the simpler path was chosen for the PoC.
  • The demo showed the user receiving a push notification in the Truvera wallet app and tapping confirm. Authentication completed in approximately ten seconds from that point.
  • This design choice reflects a deliberate philosophy: the technology should be close to invisible to the consumer.

Distribution Is the Hard Problem, Not the Technology

  • Getting the wallet into users' hands at scale is a larger challenge than the technology itself.
  • The PoC used Truvera's standalone wallet app for simplicity. The likely production path would embed wallet functionality within an operator's existing app (for example, the O2 app in the UK).
  • Glyn cited O2's monthly active app usage at approximately 70% of its subscriber base, which provides a credible distribution channel without requiring users to adopt a new app.
  • Nick described this as the "Trojan horse of credentials": a simple, high-frequency use case that quietly deploys wallet and credential infrastructure at scale, creating a foundation for future use cases.

Mobile Network Operators Are Positioned as Potential Identity Providers

  • MNOs hold first-party data (phone number, address, payment history, SIM lifecycle events) that most other organisations cannot access, positioning them as credible credential issuers.
  • Glyn highlighted that phone number and SIM card can serve as a root of trust, particularly when combined with real-time network API signals such as SIM swap detection, number porting, and number recycling events.
  • There is an open question about whether MNOs want to take on the liability and operational complexity of formal credential issuance.
  • Telefónica's network API business is part of a broader industry initiative (Open Gateway) now supported by approximately 80% of global carriers.
  • Credential revocation is as important as issuance. MNOs already process the lifecycle events (SIM swap, port-out, number recycling) that would trigger revocation in real time, making them well-suited to manage credential validity at scale.

The Wallet Ecosystem Is Complex and Largely Government-Led

  • Commercial use cases are colliding with a wallet ecosystem that was primarily designed around government services and citizen identity.
  • In Europe, the EU Digital Identity Wallet is driving wallet standards and interoperability across member states, but its use cases are oriented toward government services.
  • The UK is also advancing its own digital wallet, with a digital driving licence expected by the end of 2025/2026.
  • Glyn described the tension: arriving with a commercial B2B use case into an ecosystem built from a government standpoint is genuinely challenging, even when the use case clearly addresses a real market problem.

Verifiable Credentials Are More Extensible Than Point Solutions

  • Competing approaches (such as Barclays' app-based push notification for call center authentication) solve a specific problem but do not create reusable infrastructure.
  • Nick highlighted that verifiable credentials, once issued at scale, can support a range of additional use cases: loyalty discounts, frictionless onboarding with pre-verified data, identity proofing across third-party services, and more.
  • The Barclays example was framed constructively: it validates that the problem is real and large enough for a major bank to build its own proprietary solution, rather than waiting for an industry standard.

Scaling Requires Significant Additional Work

  • The PoC proved the concept works in a controlled environment. Scaling it changes the security and operational picture significantly.
  • Glyn noted the attack surface at a small subscriber base is fundamentally different from 350 million (Telefónica's footprint) or 6 billion (global SIM card holders).
  • Business model validation, pricing development, and enterprise ROI models are all still to be built out.
  • Privacy-by-design and GDPR compliance become more critical, not less, as scale increases.

GSMA Is Treating Scam Prevention as a Cross-Industry Structural Priority

  • Helene framed scam prevention not as a telecoms problem but as a systemic threat to trust in digital services broadly.
  • Global scam losses in 2024 were cited at approximately $1 trillion, with only around 4% recovered.
  • In Southeast Asia, roughly one in ten consumers reported being scammed in the past year.
  • The behavioral impact is measurable: in Singapore, 83% of respondents said they avoid buying on Facebook and 67% avoid TikTok Shop, driven by scam distrust. A significant proportion said they would switch financial services providers to get better security.
  • GSMA is also working on the reverse authentication problem: verifying that an enterprise calling a consumer is who it claims to be. This was demonstrated at MWC 2026 as a separate proof of concept under the "verifiable communications" framing.

VoIP and OTT Channels Remain Unaddressed

  • The PoC and carrier-led authentication solutions are focused on carrier voice and messaging channels. WhatsApp, VoIP, and other OTT services are outside scope.
  • Glyn stated Telefónica's focus is on restoring trust in its own network services and will leave OTT providers to develop their own approaches.
  • This is a meaningful gap given how much consumer communication has shifted to OTT channels.

A unified identity experience, without rebuilding your stack

Truvera helps you issue and verify digital IDs using the identity systems you already have. Connect IAM, IDV, and partner systems to create a unified identity experience that reduces re-verification, lowers friction across channels, and enables trusted interactions at scale.

Request free consultation
Sign up

Ready to get started?

Sign up to TruveraRequest Free Consultation

Company

Truvera Platform

Developers

Use Cases

Resources

Copyright © 2020-2024 Dock Labs AG