I spent the last year building an SMS verification service. Here's what I learned about the surprisingly fragile infrastructure behind those 6-digit codes.
The Journey of a Verification Code
When you tap "Send Code" on WhatsApp or any other app, you trigger a chain of events that crosses at least 4 different networks:
Your app → Platform's server → SMS aggregator → Carrier gateway →
SMSC → Cell tower → Your phone
Each hop is a potential failure point. The industry average delivery rate? Around 70-85% depending on the country. That means up to 30% of verification codes never arrive.
Why Codes Fail to Arrive
After processing tens of thousands of verification requests, I've categorized the failure modes:
1. Carrier Filtering (40% of failures)
Carriers run content inspection on SMS traffic. Messages containing patterns like "Your code is" or "verification" get flagged and sometimes silently dropped.
This is why some services send codes as:
-
G-482916(Google's format — harder to filter) -
Your Telegram code: 48291(mixed with branding) - A message with no clear code pattern at all
Carrier filtering varies wildly by country. Indonesia has aggressive filtering. Germany is relatively permissive. The US is somewhere in between — and it varies by carrier (T-Mobile vs. AT&T have completely different filtering rules).
2. Grey Routes (25% of failures)
SMS routing has a dirty secret: grey routes. To save money, some aggregators route international SMS through unauthorized paths.
Legitimate route:
US Platform → US Aggregator → UK Carrier → UK Phone ✅
Grey route:
US Platform → Indian Aggregator → Random gateway → UK Phone
(cheaper, but unreliable and often blocked)
Grey routes are cheaper but have terrible delivery rates. They're also technically illegal in many jurisdictions. If a verification service is suspiciously cheap, they're probably using grey routes.
3. Number Type Mismatches (20% of failures)
This is the biggest challenge for virtual number services. Platforms actively try to block virtual and VoIP numbers:
| Number Type | Telegram | ||
|---|---|---|---|
| Real carrier SIM | ✅ 95%+ | ✅ 95%+ | ✅ 95%+ |
| Mobile VoIP | ⚠️ 60-70% | ✅ 85%+ | ⚠️ 50-60% |
| Fixed VoIP | ❌ <20% | ⚠️ 40-50% | ❌ <10% |
| Virtual (dedicated) | ⚠️ 70-80% | ✅ 90%+ | ⚠️ 40-60% |
These rates shift constantly. WhatsApp updates their VoIP detection roughly every 2-3 weeks. What works today might not work tomorrow.
4. Timing and Load (15% of failures)
SMS infrastructure has capacity limits. During peak hours (9-11 AM local time in most countries), carrier gateways queue messages. Verification codes have a shelf life — if the code takes 3 minutes to arrive but the app's timeout is 60 seconds, it's a failure even though the SMS eventually arrives.
The Multi-Provider Problem
No single SMS provider covers all 180+ countries reliably. Here's what the provider landscape looks like:
Provider A: Good in US/EU, terrible in Southeast Asia
Provider B: Great in Asia, doesn't cover Africa
Provider C: Covers Africa, but expensive and slow
Any serious verification service needs at least 2-3 providers with intelligent routing. The algorithm isn't just about fallback — it's about knowing which provider works best for which country-service combination in real-time.
// Naive approach (bad)
const provider = providers[0] || providers[1];
// Better: route based on historical success data
function selectProvider(country, service) {
const stats = getSuccessRates(country, service); // from last 24h
// Weight by success rate and latency
return stats
.filter(s => s.successRate > 0.5) // minimum threshold
.sort((a, b) => {
const score = (s) => s.successRate * 0.7 + (1 - s.avgLatency/120) * 0.3;
return score(b) - score(a);
})[0]?.provider;
}
The Refund Problem
Here's an industry dirty secret: most SMS verification services profit from failed deliveries.
You pay $0.50 for a number. The SMS never arrives. The service keeps your money and says "sorry, try again." They spent $0.10 on the number attempt, pocketed $0.40, and gave you nothing.
This is why automatic refund policies matter. If a service doesn't offer automatic refunds for failed verifications, they have a financial incentive for codes to not arrive. Think about that.
What I've Learned Building This
After a year of building VerifySMS, these are my biggest takeaways:
SMS is unreliable by design. It was built for human-to-human communication in the 1990s, not for security-critical verification in 2026.
The industry needs transparency. Success rates, delivery times, and refund policies should be published openly. Most services hide behind vague "high success rate" claims.
Authenticator apps are better. If a service offers TOTP-based 2FA (Google Authenticator, Authy), use it instead of SMS. SMS verification should be a last resort, not a first choice.
Country matters more than service. A US number for WhatsApp verification might work 90% of the time. A Bangladeshi number for the same service might work 40% of the time. Always check country-specific success rates before purchasing.
The Future of Verification
SMS verification is a $2+ billion market, but it's built on infrastructure from the 1990s. The industry is slowly moving toward:
- WhatsApp Business API verification (platform-native, no SMS needed)
- Email-based verification (cheaper, more reliable)
- Passkeys (passwordless, no verification code needed)
- Device attestation (Apple/Google verify the device, not the number)
Until these alternatives achieve full adoption, SMS verification remains a necessary evil. Understanding how it works — and fails — helps you make better choices about when and how to use it.
I build VerifySMS, a virtual number service with automatic refunds. If you have questions about SMS verification infrastructure, I'm happy to answer in the comments.
Top comments (0)