Passkeys vs SMS OTP: Conversion, Cost & Security

1. Introduction: comparing Passkeys and SMS OTP fairly#

"Should we move off SMS OTP and onto passkeys?" is one of the most common authentication questions, and the answer is usually yes - but the reasons people give are often the wrong ones. The decision is not about hype, it is about three measurable axes: login conversion, cost and security.

The comparison matters because SMS OTP is still everywhere. It is the default second factor for banks, retailers and marketplaces, partly because every phone can receive a text. But that reach hides three growing problems - it leaks conversion at the moment users wait for a code, it carries a real per-message bill that scales with traffic and it is the weakest widely-deployed factor against phishing. Passkeys attack all three, which is why providers like Google are actively moving away from SMS.

1.1 What this article covers#

• How passkeys and SMS OTP compare on conversion, cost and security
• Where SMS OTP still has a genuine edge and why reach is not the same as success
• The migration trap: why "rip out SMS" usually backfires
• How to measure the real method mix so you retire SMS safely, not blindly

2. What is SMS OTP and why it became the Default#

SMS OTP sends a short numeric code to the user's phone number, which they read and type back to prove possession of that number. It became the default because it is universal: no app to install, no account to set up, every mobile phone can receive it. That universality is its single strongest property and the reason it will not disappear overnight.

The trouble is that "the user can receive it" is not the same as "the user completes login". A code that arrives late, lands in the wrong app, gets mistyped or never arrives at all is a silent drop-off. As covered in login friction kills conversion, every extra step between intent and a completed session bleeds users, and SMS OTP adds a wait-read-switch-type sequence at the highest-intent moment.

3. Passkeys vs SMS OTP: the three Axes that matter#

3.1 Conversion: Passkeys remove the code that SMS makes users wait for#

Passkeys remove the code entirely. The user is prompted by the device, confirms with a biometric and a session is established - no waiting, no app switch, no typing. SMS OTP inserts a fragile gap: the message has to be delivered, opened and transcribed before the login can complete, and each of those is a place to lose the user. As a tendency, the fewer manual steps a method requires from a returning user, the higher it converts, which is the same dynamic that makes passkeys increase conversion over passwords.

3.2 Cost: Passkeys avoid the per-message fee SMS charges on every send#

This is the axis teams underestimate most. SMS OTP has a per-message carrier fee that is charged on every send, including retries when the first code does not arrive. As detailed in why SMS authentication costs too much, those fees range from fractions of a cent in the US to well over USD 0.30 in some markets, before adding fraud, support and infrastructure overhead. A passkey login rides standard web infrastructure with no per-authentication messaging fee, so the gap widens with every additional login and every new country you serve.

3.3 Security: Passkeys are phishing-resistant, SMS OTP is not#

A passkey is a cryptographic credential bound to your exact domain, so there is no shared secret to steal and nothing to replay on a phishing site. An SMS OTP is a human-readable code, which makes it vulnerable to phishing, SIM-swap attacks and malware that reads incoming messages. That is precisely why passkeys are described as phishing-resistant while SMS is treated as a weak factor - and why regulators in markets like the UAE are phasing out SMS OTP for banking.

4. Where SMS OTP still wins (and where that breaks down)#

SMS OTP keeps one honest advantage, and it is really two things: reach and bootstrapping. Reach, because a first-time user on an old device, with no passkey and no provider account, can still receive a text. Bootstrapping, because SMS works on first contact with zero setup - there is nothing to enrol, whereas a passkey has to be created before it can ever be used. For onboarding the very long tail of devices, and for that very first login, SMS is sometimes the only option that works on the first try.

But reach is not success. The same SMS flow that "works everywhere" also fails quietly in ways standard analytics never attribute to the method:

• Delivery gaps: codes delayed or dropped by carriers, especially across borders and on A2P routes.
• Wrong context: the code arrives while the user is mid-checkout in an in-app browser, forcing an app switch that breaks the flow - the same failure mode we cover for in-app browsers.
• Transcription errors: mistyped codes that read as "abandoned" rather than "method failed".

5. The Migration Trap: don't rip out SMS blindly#

The instinct after seeing the cost and security numbers is to cut SMS OTP off. That usually backfires, because a slice of users still depends on it and removing it locks them out. The pragmatic path is a managed handoff:

1. Make passkeys the primary method and present them first.
2. Keep SMS OTP as an explicit fallback for users without a passkey-capable device or account.
3. Shrink the SMS share over time as passkey adoption grows, guided by data not guesswork.
4. Retire SMS only when its share is small enough that the remaining users have a clean alternative.

This is the same buy-vs-build and rollout discipline that separates a smooth passkey launch from a support-ticket spike, and it depends entirely on being able to see the method mix.

6. How to measure which Method actually wins#

Most analytics stacks record only "logged in or not", so they cannot tell you whether SMS OTP is quietly underperforming passkeys for your users. To make the passkeys-vs-SMS decision on evidence rather than opinion, instrument the funnel and segment it:

• Track the full ceremony per method: from method chosen through to session_established, so a delayed SMS code shows up as a method failure, not a generic bounce.
• Segment by OS, device and browser type: the passkey-vs-SMS balance differs sharply between a modern iPhone and an old Android handset in an in-app browser.
• Watch method switches: a user who requests an SMS code, abandons and falls back to a password is one of the clearest friction signals there is.
• Track cost per successful login, not per message: retries and failures make the true SMS cost per completed authentication higher than the headline carrier rate.

This is the authentication observability that turns "passkeys feel better" into "passkeys complete materially more logins than SMS OTP on iOS while costing a fraction per success, so we should prioritise passkey enrolment for that segment". The full method-comparison method is laid out in the authentication analytics playbook.

7. Conclusion: Passkeys as primary, SMS as managed Fallback#

On conversion, cost and security, passkeys beat SMS OTP for the bulk of consumer logins. SMS keeps one real strength - universal reach - which makes it a good fallback, not a good default. Three takeaways:

1. Lead with passkeys. They remove the code, the wait and the per-message bill at once.
2. Keep SMS OTP as an explicit fallback. Reach matters for the long tail of devices, but it is not the same as conversion.
3. Measure the method mix. Segment the funnel by method, OS and browser, and track cost per successful login so you can shrink and eventually retire SMS on evidence.

The winner is not "passkeys" or "SMS" in the abstract - it is the method mix your own data says converts best per segment, with SMS shrinking as passkeys take over.

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →

Frequently Asked Questions#

Are passkeys better than SMS OTP?#

For most consumer logins passkeys win on the three axes that matter: they convert better because there is no code to wait for or mistype, they cost almost nothing per login versus a per-message carrier fee, and they are phishing-resistant while SMS OTP can be intercepted or SIM-swapped. SMS OTP keeps one real advantage: near-universal reach, since every phone can receive a text without setup. The honest framing is that passkeys should be the primary method and SMS OTP a fallback for users who cannot yet use a passkey, and the split should be measured per device and audience.

Why are passkeys phishing-resistant compared to SMS OTP?#

A passkey is a cryptographic key bound to the exact website domain it was created for, so it cannot be replayed on a lookalike phishing site and there is no shared secret to steal. An SMS OTP is a short code the user reads and types, which means it can be phished through a fake login page, intercepted via SIM-swap or malware, or socially engineered out of the user. That difference is why standards bodies and large providers treat SMS as a weak second factor and passkeys as phishing-resistant.

How much cheaper are passkeys than SMS OTP?#

SMS OTP carries a real per-message carrier fee that ranges from fractions of a cent in the US to well over USD 0.30 in some markets, multiplied by every login attempt and every retry, plus support and fraud overhead. A passkey login uses standard web infrastructure with no per-authentication messaging fee, so at consumer scale the cost difference is large and grows with volume and international reach. The saving is biggest for high-traffic apps with global users.

Should I replace SMS OTP with passkeys completely?#

Rarely all at once. The pragmatic path is to make passkeys the primary login, keep SMS OTP as a fallback for users without a passkey-capable device or account, and shrink the SMS share over time as passkey adoption grows. Tracking the method mix and the per-method success rate tells you when the SMS fallback is small enough to retire safely, instead of cutting it off and locking users out.