Any white papers, literature etc on this would be greatly appreciated. As well as just advice on approaching this. I could very well be overestimating what i need to build to achieve my goal.
See RFC6238 for time based one time passcodes. It is a fairly simple truncated SHA hash of a shared secret (random fixed length string) with a UTC timestamp. Build your own or look for code on the internet.
Once you can generate and verify a proper hash (https://totp.danhersam.com/), it is simply a matter of getting the user to do likewise. This can be done using an app (I like FreeOTP+) or you can generate the hash value yourself and delivery it to the user over SMS or email or voice call or carrier pigeon or any other off channel way you can think of.
Obviously, there are details to be worked out but the overall process is "kindergarten algebra". In your case, the biggest hiccup is likely to be USSD.
User inputs number and requests code. System generates code, saves in database, sends code. User returns wirh code. System checks if code matches the code in the database and takes appropriate action.
With USSD the flow would be different --- as I understand it, the user requests come in a session context where the carrier provides the subscriber identity; but if this is for app verification purposes, you've got to connect the USSD session up somehow to an app session you have.
USSD involves two-way communication and requires cooperation of the carrier.