Zero-Trust SMS Verification
Achieving Full Anonymity with Temporary Numbers and an OTP Proxy

For advanced developers and security researchers — where every node is hostile, and privacy must be engineered, not assumed.

Setting the stage: what does “full anonymity” mean? In previous explorations, we established that virtual numbers are anonymous to the service but not to the platform provider. Self-hosted gateways are anonymous to the service but not to the mobile network operator. Today we ask: can we build a system where sender and receiver are logically uncorrelatable — where even the proxy that forwards the verification code cannot read it, and no single party knows both the phone number and the user? The answer lies in combining zero-trust architecture with an OTP proxy.

Core concepts defined

Zero-trust network: Trust nothing inside or outside the perimeter. Every access is authenticated, all communication is encrypted, and least-privilege principles apply. Imagine a secret letter relayed through a chain of unknown couriers in a foreign city — each knows only the next hop, never the origin or the final recipient.

OTP proxy (One-Time Password proxy): A lightweight middleware that receives an SMS, extracts the verification code, encrypts it with the recipient's public key, and forwards the ciphertext. The proxy never sees the plaintext code — it's end-to-end encrypted from the moment it arrives.

System architecture: the ciphered courier model

[Target Service] ──sends SMS──→ [Temporary Number A] │ ▼ [OTP Proxy Node] (local / remote, never trusted) │ ┌────────────┼────────────┐ │ (encrypted with PubKey B) │ (encrypted with PubKey C) ▼ ▼ [Client B (real user)] [Client C (backup)] │ │ (decrypts with Private Key B) ▼ Obtains OTP → submits to Target Service

Temporary Number A is any number obtained anonymously (paid rental, public pool). The OTP proxy runs under your control — a minimal service that does exactly one thing: receive SMS, extract code, encrypt with pre-configured public key, and broadcast the ciphertext over an anonymous network (Tor hidden service, Secure Scuttlebutt, or an ephemeral encrypted channel). The client decrypts with the corresponding private key. The proxy never possesses the decryption key; it cannot read the code.

Step-by-step implementation

Step 1: Building the temporary number layer

Choose an SMS source that offers API access and does not require real identity: paid private rental services, or a self-managed SIM pool with prepaid cards bought for cash. Ensure the number acquisition path is not linkable to your real persona. The proxy will poll this number or receive webhooks.

Step 2: OTP proxy core logic (pseudocode in Rust-like structure)

// OTP Proxy - runs on a hardened, anonymous host
async fn handle_incoming_sms(raw_sms: SmsMessage) {
    // Extract verification code using regex
    let code = extract_otp(&raw_sms.body);
    if code.is_none() { return; }
    let code = code.unwrap();

    // Fetch target public key from local keyring
    let pub_key = keyring::get_public_key("client_b");

    // Encrypt using age (or NaCl sealed box)
    let ciphertext = age::encrypt(pub_key, code.as_bytes());

    // Publish ciphertext to anonymous channel
    tor_hidden_service::publish("otp_channel", ciphertext);
}

fn extract_otp(body: &str) -> Option<String> {
    let re = Regex::new(r"\b\d{4,8}\b").unwrap();
    re.captures(body).map(|c| c[0].to_string())
}

The proxy uses public-key encryption (e.g., age or NaCl crypto_box_seal). No symmetric keys are stored. The proxy writes ciphertext, never plaintext, to any persistent store. All logs are disabled.

Step 3: Client decryption and consumption

The real user runs a client on Tails OS or a hardened mobile device. The client listens on the anonymous broadcast channel, retrieves the encrypted blob, and decrypts with the private key:

# Using age command-line tool
age -d -i private_key.txt encrypted_otp.age
# or with libsodium
cat encrypted.bin | AGE-SECRET-KEY=... age -d

Once decrypted, the user manually enters the code into the target service — ideally from a browser environment isolated with anti-fingerprinting measures (WebGL spoofing, random canvas, separate browser profile).

Step 4: Anonymous transport layer

The proxy node must itself be untraceable. Deployment options include:

A VPS paid with cryptocurrency, accessed exclusively over Tor, with no identifying metadata in SSH configurations.
A single-board computer (Raspberry Pi) on a network that only exposes a Tor hidden service — no direct internet connectivity.
An IoT device connected via an anonymously acquired prepaid data SIM, again routing everything through Tor.

The proxy's IP and physical location remain unknown. Even if the SMS provider logs API requests, they see only the Tor exit node IP.

Zero-trust principles embodied in this architecture

Proxy zero-knowledge: Public-key encryption ensures the proxy cannot read verification codes. It's a dumb courier.
Transport layer unlinkability: Via Tor and multiple hops, the sender (proxy) and receiver (client) cannot be correlated at the network layer.
Identity decoupling: Temporary number A receives the code. Public key B represents the user. No single entity ever possesses both pieces simultaneously. The number provider doesn't know who holds the private key; the user never directly touches the number.

Threat model and security boundaries

What this defends against:

Man-in-the-middle interception: Ciphertext is useless without the private key.
Platform log forensics: Logs contain only encrypted blobs and Tor exit IPs.
Proxy compromise: The proxy stores no plaintext. An attacker who seizes the proxy gets only pubkeys and encrypted messages.

What it does NOT fully defend against:

Browser/device fingerprinting by the target service: If you're not using a properly isolated, anti-fingerprinting browser, the service can link your session to previous logins. Always pair this architecture with a dedicated anonymous browser profile.
Temporary number provider logs: The provider sees that number A received an SMS at a certain time. They also see the API request IP (Tor exit). That's minimal, but it's not zero.

🛠 Extreme threat — global passive adversary: An entity capable of monitoring both the inbound SMS to the temporary number and the outbound login attempt to the target service could, in theory, correlate events by precise timing. Mitigation: introduce random delays in the proxy broadcast, batch multiple ciphertexts, and add timing noise. The proxy could hold messages for 30–180 seconds before publishing, making temporal correlation statistically weak.

Legal and ethical boundaries

This architecture reaches a technical sophistication that can be misused. The author explicitly states: This knowledge is provided solely for legal penetration testing, authorized security research, and protecting personal safety in high-risk environments (e.g., journalists under oppressive regimes, whistleblowers communicating with legal counsel). Any use to defraud services, bypass lawful identity verification, or conduct illegal activity is strictly prohibited and likely a crime in your jurisdiction. Respect the law. Technology is a tool; your ethics define its purpose.

Conclusion: when all nodes are untrusted, protocol becomes armor

Zero-trust SMS verification doesn't promise unconditional perfection. It raises the cost of tracing to an impractical level by dismantling the correlation between phone number, user identity, and code content. For those rare moments when absolute control over privacy is non-negotiable, this layered architecture — temporary numbers, public-key encrypted OTP proxies, anonymous transport — is the final option in the toolbox.

“In a network where every relay is suspect, the only trustworthy courier is the one who carries a message they cannot open.”

Zero-Trust SMS VerificationAchieving Full Anonymity with Temporary Numbers and an OTP Proxy