By NHI Mgmt Group Editorial TeamPublished 2026-04-16Domain: Governance & RiskSource: Prove Identity

TL;DR: GSMA TS.43 Release 11 extends silent network authentication across browser and app sessions, reducing reliance on SMS OTP while adding consent-based, hardware-backed verification, according to Prove Identity. The real governance question is not whether the channel is stronger, but how identity teams manage SIM swap risk, consent handling, and device binding without mistaking transport for identity assurance.


At a glance

What this is: GSMA TS.43 extends silent network authentication to browser and app sessions, closing a long-standing coverage gap in mobile identity verification.

Why it matters: IAM and fraud teams need to understand where device-bound authentication changes the control surface, especially when SMS OTP is being phased out for high-risk flows.

By the numbers:

👉 Read Prove Identity's blog on TS.43 and device-bound authentication


Context

Silent network authentication only helps if it works in the session path the user actually takes. The gap here is not just user experience, but assurance coverage, because browser-based sessions on Wi-Fi have historically fallen back to SMS OTP or weaker alternatives. For IAM teams, that makes TS.43 relevant wherever mobile identity verification is part of step-up authentication, transaction approval, or account recovery.

The governance issue is that TS.43 verifies the SIM and then binds trust to the device, which changes how practitioners should think about authentication strength, consent, and fraud resistance. That is why the article matters to identity programmes that are already dealing with SMS deprecation, passkey adoption, and tighter controls over high-risk consumer sessions.


Key questions

Q: How should security teams replace SMS OTP in high-risk authentication flows?

A: Replace SMS OTP gradually, starting with the highest-risk journeys such as account recovery and transaction approval. Use stronger factors where they actually change fraud outcomes, then keep a tightly governed fallback path for exceptions. The goal is not factor sprawl, but clearer assurance levels and fewer weak links in the authentication chain.

Q: Why does device-bound authentication still require IAM governance?

A: Because a stronger signal does not remove lifecycle risk. You still need policy for enrolment, consent, recovery, and exception handling, or the control will be inconsistently applied across channels and markets. Identity teams should govern the full path, not just the cryptographic check.

Q: What do organisations get wrong about SIM-based authentication?

A: They often assume SIM control is equivalent to user identity. In practice, SIM-based signals can be useful, but they do not fully solve SIM swap, device replacement, or recovery abuse. Security teams should treat SIM assertions as one input in a broader trust decision, not the decision itself.

Q: Who should own mobile authentication decisions in the enterprise?

A: Ownership should sit across IAM, fraud, and product security because the control affects both user trust and transaction risk. If one team owns the channel without visibility into recovery policy, step-up logic, and exception rates, the organisation will end up with fragmented assurance and uneven user treatment.


Technical breakdown

How TS.43 changes silent network authentication coverage

GSMA TS.43 Release 11 extends silent network authentication beyond the historical limitation of app-only or network-constrained use cases. The key architectural shift is that authentication can be performed through the SIM and eSIM layer across connection types, including browser sessions on Wi-Fi, while still depending on carrier participation and user consent. That matters because it moves the trust signal lower in the stack, away from session-layer OTP delivery and toward a cryptographic assertion anchored in the mobile network. It does not eliminate identity risk. It changes where the assurance is sourced and where governance has to sit.

Practical implication: map TS.43 to the sessions it actually covers, and do not treat it as a universal replacement for all step-up flows.

SIM-bound verification versus device-bound identity

The article draws a useful distinction between authenticating the SIM and binding identity to the device. That distinction matters because SIM swap is not solved by a network-level assertion alone. A SIM-based signal can prove continuity of carrier control, but it does not by itself prove the person behind the device. Device binding raises the bar by tying trust to longer-lived signals and cryptographic continuity, which is stronger than one-time passcode delivery but still requires fraud controls that understand transfer, replacement, and recovery scenarios.

Practical implication: separate SIM assurance, device binding, and human identity proofing in your control design rather than treating them as the same control.

Consent orchestration is now part of the authentication control plane

TS.43 introduces carrier-by-carrier end-user consent, which means the authentication path now includes policy, experience, and regulatory handling before a challenge can succeed. In practice, consent is not a UI afterthought. It becomes part of the control plane because a poor consent flow can reduce conversion, undermine trust, or create inconsistent enforcement across markets. This is especially relevant where authentication is used for financial services or other regulated contexts, because the control has to satisfy both security and user permission requirements.

Practical implication: govern consent flows as an identity control, with clear rules for carrier variance, auditability, and fallback when consent cannot be established.


Threat narrative

Attacker objective: The attacker aims to defeat second-factor verification and take control of a high-value consumer session or transaction.

  1. Entry occurs through the legacy SMS OTP path, where phishing, SIM swap, or message interception can expose a one-time code to an attacker.
  2. Escalation follows when the attacker uses the compromised code to satisfy authentication and gain access to the target session or transaction.
  3. Impact is account takeover or fraudulent transaction completion, with the victim’s trust in the authentication channel itself undermined.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

SMS OTP is now a governance liability, not just a weak factor. The problem is not only that OTP can be phished or intercepted. It is that the control assumes the delivery channel is trustworthy enough to stand in for identity, which no longer holds in high-risk consumer flows. Regulated teams should treat SMS as a fallback of last resort, not an authentication anchor.

TS.43 improves signal quality, but it does not remove identity ambiguity. A stronger carrier-backed signal can reduce fraud exposure, but it still proves control of a device or SIM relationship, not durable personhood. That distinction matters in account recovery and step-up authentication, where a stronger transport signal can still be paired with weak upstream enrolment. Practitioners need to re-evaluate where identity proofing ends and authentication begins.

Device-bound authentication creates a new trust boundary around consent and lifecycle handling. If consent is inconsistent across carriers or recovery states are poorly governed, the control becomes uneven in exactly the sessions that matter most. The named concept here is device-bound trust debt: organisations can accumulate confidence in a stronger factor while leaving enrolment, consent, and recovery paths under-governed. That is a programme design problem, not a feature problem.

Mobile authentication is converging with broader identity governance. The article signals a market shift away from isolated one-time passcodes toward layered identity signals, device binding, and carrier integration. That aligns authentication more closely with IAM policy, fraud controls, and recovery governance, which means identity teams should stop treating mobile verification as a narrow channel decision.

The real test is whether teams can retire compensating controls cleanly. When a stronger signal is added, organisations often keep SMS OTP, weak recovery flows, and inconsistent step-up logic in parallel. That creates mixed assurance and operational drift. Practitioners should view TS.43 as a reason to simplify control paths, not to add another option without governance.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • A separate finding shows that only 20% of organisations have formal processes for offboarding and revoking API keys, which is why lifecycle discipline remains a control gap in identity programmes.
  • 52 NHI Breaches Analysis shows how weak identity governance turns credential exposure into repeatable intrusion patterns.

What this signals

Mobile authentication is moving closer to identity governance, which means security teams will need to manage assurance levels across channels rather than treat SMS, app, and carrier-backed flows as interchangeable. The control question is no longer whether a factor works in isolation, but whether it fits a governed risk tier and recovery path.

Device-bound trust debt: stronger authentication signals can create false confidence if enrolment, consent, and recovery remain weak. Teams should watch for mixed-assurance architectures where a stronger factor coexists with legacy fallback paths and undocumented exceptions, because that is where policy drift usually hides.


For practitioners

  • Reclassify SMS OTP as fallback authentication only Limit SMS to low-risk or recovery scenarios where stronger factors are unavailable, and define clear policy thresholds for when it is no longer acceptable as a primary assurance method.
  • Map device-bound authentication to specific risk events Use TS.43 only for the transactions and sessions where carrier-backed device assertions materially reduce fraud, such as account access, payment approval, or step-up checks.
  • Separate SIM assurance from person assurance Update identity architecture so SIM control, device binding, and proofing are tracked as distinct trust layers with different failure modes and recovery paths.
  • Govern consent as part of authentication design Document carrier-specific consent handling, audit trails, and fallback behaviour so consent failures do not become silent bypasses or conversion killers.

Key takeaways

  • TS.43 closes an important mobile authentication gap, but it does not turn SIM control into full identity proof.
  • The control only changes risk if IAM teams govern consent, recovery, and fallback paths as carefully as the cryptographic signal itself.
  • Security programmes that keep SMS OTP as a default option will preserve the very exposure TS.43 is meant to reduce.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-7Authentication and access decisions are central to TS.43 use cases.
NIST SP 800-53 Rev 5IA-2Identity proofing and authentication governance apply to mobile step-up flows.
NIST Zero Trust (SP 800-207)Zero Trust requires stronger continuous verification than SMS OTP provides.
ISO/IEC 27001:2022A.5.15Access control policy must cover authentication methods and exceptions.

Apply zero-trust principles to step-up flows and avoid treating one factor as sufficient across all contexts.


Key terms

  • Silent Network Authentication: Silent network authentication is a verification method that uses carrier network signals to authenticate a device or session without asking the user to enter a code. In practice, it reduces friction, but the trust outcome still depends on carrier coverage, consent, and how the signal is bound into the wider identity decision.
  • Device-Bound Authentication: Device-bound authentication ties trust to a specific device through cryptographic or persistent signals rather than a disposable code. It is stronger than SMS OTP, but it still needs lifecycle governance for enrolment, replacement, recovery, and exception handling because device control is not the same as person verification.
  • SIM Swap: SIM swap is a fraud technique where an attacker transfers a victim's mobile number to a different SIM, often to intercept authentication flows or reset access. It is a reminder that channel control can be subverted even when the underlying account or application has not been directly breached.

What's in the full article

Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • How Prove integrates TS.43 into existing authentication workflows without requiring a new carrier implementation project
  • The way Prove handles carrier-specific consent variation across markets and regulatory requirements
  • The platform's device-binding model and why Prove says it reduces repeat carrier transactions
  • The commercial and rollout implications for clients already using Prove Mobile Auth or Prove Unified Authentication

👉 The full Prove Identity post covers consent handling, rollout details, and the device-binding model behind TS.43

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org