The biggest phone carriers in the U.S. are ready to make the ritual of waiting on your phone for that six-digit code a thing of the past. On July 8, AT&T, T-Mobile, and Verizon quietly flipped the switch on a new authentication system powered by telecom startup Aduna. Instead of texting a user a one-time password, apps can now ask their carrier a much simpler question: “Is this phone number really being used on this phone right now?”
If the answer is yes, the user is in.
Goodbye SMS codes, hello invisible logins
The new system, based on CAMARA, an open-source project backed by the Linux Foundation and the GSMA that’s been working toward standardized carrier APIs for years, works behind the scenes. When you log into an app that supports Aduna’s technology, the app contacts your carrier through a shared API. Your carrier checks whether the phone number, SIM card, and the device match. If everything lines up, authentication succeeds almost instantly.
One notable factor here is that it works whether you’re on cellular or Wi-Fi, solving one of the biggest headaches older carrier verification systems had. Also, Aduna basically gives developers one integration that works across all three major U.S. carriers instead of forcing them to build separate systems for each network. Google Cloud, Vonage, Sinch, and Infobip are already onboard.
The multi-billion-dollar fraud threat that’s killing the SMS security code
This change is not about making logins less annoying. The actual motivation here is fraud. According to the FTC, Americans reported $15.9 billion in fraud losses in 2025, a huge jump from the previous year. Many of these losses happened through SIM-swap attacks.
In a SIM-swap attack, a scammer gets a target’s mobile carrier to transfer their phone number onto a SIM card the bad actors control. The moment that happens, every security text meant for the target suddenly goes straight to the scammers.
Banking login codes, crypto wallet verifications, two-factor authentication messages, and password reset texts are all easily intercepted. In one high-profile case, a successful SIM swap cost T-Mobile millions after a customer’s cryptocurrency wallet was emptied.
Since the new verification happens directly through the carrier’s network, it becomes much harder for criminals to hijack an account simply by intercepting text messages.
There is a privacy issue
Old-school SMS authentication had one surprisingly useful privacy feature. Your carrier knew it delivered a text message. But it didn’t necessarily know what app you were logging into. With this new system, that’s no longer true. Because the carrier has to verify your identity directly, it also knows which service requested the verification. That means your carrier could potentially know when you authenticate with your bank, your healthcare portal, your dating app, your favorite shopping app, and your streaming service.
To be clear, there is no evidence AT&T, Verizon, or T-Mobile are abusing that information. But technically, they now have visibility they didn’t have before. And unlike anonymous Google or Apple accounts, your carrier knows your actual identity because you signed up using a government-issued ID.
This new system also makes carrier databases even more valuable targets. Last year, South Korea’s SK Telecom suffered a massive breach that exposed sensitive SIM authentication data affecting roughly 27 million subscribers.
In recent years, all three major U.S. carriers have each dealt with significant security incidents, including the Salt Typhoon cyber-espionage campaign that compromised telecom infrastructure. The new authentication system raises the stakes.
Source: Tech Times
