Gautam Hazari showed up in telecom by accident—but never left. In 2000, he was solving Y2K bugs for banks in Sydney. When the clock struck midnight and nothing happened, he moved on. His next assignment was a Vodafone digital transformation project. What he saw changed everything: a global network that already knew who you were—without ever asking you to prove it.

Back then, the internet had no idea how to identify humans. It still doesn’t. Gautam realized mobile operators had already solved the identity problem—quietly, cryptographically, and at global scale. The SIM card was the original hardware wallet, running secure authentication in real time for billions of users. It just wasn’t being used for anything outside the operator’s own world.

That realization became a mission. Over the next two decades, Gautam wrote the first Mobile Connect spec at GSMA, mapped 66 universal mobile signals across 200+ operators, and helped lead the evolution of silent authentication and mobile network verification. His work now powers the GSMA Open Gateway initiative and helps define how identity might finally work in a world flooded with generative AI, phishing, and fraud.

Gautam is also a TEDx speaker and a published contributor to the Forbes Technology Council, where he continues to advocate for inclusive, SIM-based identity systems built on cryptography—not friction.

And in this edition of One Expert, One Topic, Gautam explains why real digital identity should be invisible—and why your SIM already knows who you are.

About The Series

This is the twenty-ninth installment in the One Expert, One Topic series, where field experts break down one big idea using Matt Abrahams’ What / So What / Now What format. Written instead of recorded, so you can actually take time to absorb it.

What

The internet still doesn’t know how to identify you. Every method—passwords, OTPs, cookies, device scans—is a workaround. Some are clever. All are brittle.

Mobile networks work differently. They use soft identity. Your operator doesn’t challenge you to prove who you are before connecting a call or delivering a text. It just knows. “Somehow,” Gautam says, “the mobile operator knows it’s me—and that nothing is wrong with my SIM.”

That’s because every SIM card is also a cryptographic device. It contains a unique private key, stored in hardware, and has been authenticating humans invisibly since 1991. “It’s an HSM,” he says. “A hardware security module that fits in your pocket.” The best part? The SIM doesn’t care whether it’s inside a $10 feature phone or an iPhone 16. It works just the same.

That’s why he calls SIM-based authentication inclusive by design—and why he believes it should be exposed outside the operator stack and made available to protect real users in the real world. 

So What

Fraudsters don’t need to be smart anymore. They just need the same tools as the rest of us.

They can fine-tune phishing messages using GenAI. They can craft content that hits emotional triggers and bypasses our reasoning brain. “Your amygdala kicks in,” Gautam says. “Dopamine goes up, oxytocin goes up—you just react. You don’t think.” That’s why phishing is no longer just a tech problem. It’s biochemical.

And it’s why passwords, OTPs, and user-driven verification flows aren’t just annoying—they’re dangerous. “The more you involve the human in the security dance,” he says, “the more likely they are to get exploited.”

What’s the answer? Invisibility.
“Steve Jobs used to say technology should be either beautiful or invisible,” Gautam says. “Security should be invisible. When I don’t have to do anything, I can’t be phished. I can’t be fooled. There’s nothing for the attacker to hook into.”

Now What

Here’s what Gautam believes comes next—and what the ecosystem needs to embrace:

1. Remove humans from security. If your users are entering passwords, scanning faces, or typing OTPs, you’ve already failed.
2. Use what already works. SIM cards offer cryptographic, real-time authentication. And they’ve been doing it reliably for over 30 years.
3. Build for everyone. Authentication should work on $10 phones, not just flagship devices. Security isn’t inclusive until it’s universal.
4. Expose the signals. Operators already hold dozens of fraud-mitigating data points—Gautam mapped 66 of them. APIs like GSMA’s Open Gateway should be the beginning, not the end.

Because the future of identity doesn’t need to be invented. It needs to be unlocked. The solution is already in our pockets—and has been for decades.