---
url: 'https://www.corbado.com/blog/passkeys-vs-sms-otp'
title: 'Passkeys vs SMS OTP: Conversion, Cost & Security'
description: 'Passkeys vs SMS OTP compared on login conversion, global cost and phishing resistance - plus how to measure which one actually wins for your users.'
lang: 'en'
author: 'Vincent Delitz'
date: '2026-06-22T08:19:30.806Z'
lastModified: '2026-06-22T08:19:30.806Z'
keywords: 'passkeys vs sms otp, sms otp alternative, replace sms otp with passkeys, sms otp replacement'
category: 'Authentication'
---

# Passkeys vs SMS OTP: Conversion, Cost & Security

## 1. Introduction: comparing Passkeys and SMS OTP fairly

"Should we move off [SMS OTP](https://www.corbado.com/glossary/otp) and onto passkeys?" is one of the most common
authentication questions, and the answer is usually yes - but the reasons people give are often
the wrong ones. The decision is not about hype, it is about three measurable axes: login
conversion, cost and security.

The comparison matters because SMS OTP is still everywhere. It is the default second factor for
banks, retailers and marketplaces, partly because every phone can receive a text. But that reach
hides three growing problems - it leaks conversion at the moment users wait for a code, it carries
a real per-message bill that scales with traffic and it is the weakest widely deployed factor
against phishing. Passkeys attack all three, which is why providers like Google are actively
moving away from SMS.

### 1.1 What this article covers

- How passkeys and SMS OTP compare on conversion, cost and security
- Where SMS OTP still has a genuine edge and why reach is not the same as success
- The migration trap: why "rip out SMS" usually backfires
- How to measure the real method mix so you retire SMS safely, not blindly

## 2. What is SMS OTP and why it became the Default

SMS OTP sends a short numeric code to the user's phone number, which they read and type back to
prove possession of that number. It became the default because it is universal: no app to install,
no account to set up, every mobile phone can receive it. That universality is its single strongest
property and the reason it will not disappear overnight.

The trouble is that "the user can receive it" is not the same as "the user completes login". A
code that arrives late, lands in the wrong app, gets mistyped or never arrives at all is a silent
drop-off. As covered in [login friction kills conversion](https://www.corbado.com/blog/login-friction-kills-conversion),
every extra step between intent and a completed session bleeds users, and SMS OTP adds a
wait-read-switch-type sequence at the highest-intent moment.

## 3. Passkeys vs SMS OTP: the three Axes that matter

### 3.1 Conversion: Passkeys remove the code that SMS makes users wait for

Passkeys remove the code entirely. The user is prompted by the device, confirms with a biometric
and a session is established - no waiting, no app switch, no typing. SMS OTP inserts a fragile gap:
the message has to be delivered, opened and transcribed before the login can complete, and each of
those is a place to lose the user. As a tendency, the fewer manual steps a method requires from a
returning user, the higher it converts, which is the same dynamic that makes
[passkeys increase conversion](https://www.corbado.com/blog/passkeys-increase-conversion) over passwords.

### 3.2 Cost: Passkeys avoid the per-message fee SMS charges on every send

This is the axis teams underestimate most. SMS OTP has a per-message carrier fee that is charged
on every send, including retries when the first code does not arrive. As detailed in
[why SMS authentication costs too much](https://www.corbado.com/blog/sms-costs), those fees range from fractions of a cent
in the US to well over USD 0.30 in some markets, before adding fraud, support and infrastructure
overhead. A passkey login rides standard web infrastructure with no per-authentication messaging
fee, so the gap widens with every additional login and every new country you serve.

### 3.3 Security: Passkeys are phishing-resistant, SMS OTP is not

A passkey is a cryptographic credential bound to your exact domain. The server stores only a
public key, so there is no shared secret to steal, and a signed response made for one domain is
nothing to replay on a phishing site. An SMS OTP is a human-readable code, which makes it
vulnerable to phishing, SIM-swap attacks and malware that reads incoming messages. That is precisely
why passkeys are described as [phishing-resistant](https://www.corbado.com/blog/passkeys-phishing-resistant) while SMS is
treated as a weak factor - and why regulators in markets like the
[UAE are phasing out SMS OTP](https://www.corbado.com/blog/uae-banking-otp-phase-out) for banking.
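
An added example (not from the original article or from Corbado's code) of the relying-party checks that tie a passkey assertion to one domain. The RP ID, origins, key pair and the `makeAssertion` simulator are constructed assumptions; credential lookup and signature-counter checks are left out.

```javascript
// Added example: relying-party checks that bind a passkey assertion to one domain.
const crypto = require('node:crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Assumed relying-party settings (constructed for this example).
const RP_ID = 'shop.example';
const EXPECTED_ORIGIN = 'https://shop.example';

// Simulates browser + authenticator output; the browser, not the page, writes the origin.
function makeAssertion(privateKey, origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  // authenticatorData: 32-byte rpIdHash | flags byte (UP|UV = 0x05) | 4-byte signature counter
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Returns 'ok' or the name of the first failed check.
function verifyAssertion(assertion, publicKey, expectedChallenge) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad_type';
  if (clientData.challenge !== expectedChallenge) return 'bad_challenge';
  if (clientData.origin !== EXPECTED_ORIGIN) return 'bad_origin';
  const rpIdHash = assertion.authenticatorData.subarray(0, 32);
  if (!crypto.timingSafeEqual(rpIdHash, sha256(RP_ID))) return 'bad_rp_id';
  if ((assertion.authenticatorData[32] & 0x01) === 0) return 'user_not_present';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad_signature';
}

// Constructed credential and server-issued challenge.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const challenge = crypto.randomBytes(32).toString('base64url');

function demo() {
  const genuine = makeAssertion(privateKey, EXPECTED_ORIGIN, RP_ID, challenge);
  // Worst case: the same key signs on a lookalike domain; the signed origin still gives it away.
  const lookalike = makeAssertion(privateKey, 'https://shop-example.test', 'shop-example.test', challenge);
  return [verifyAssertion(genuine, publicKey, challenge), verifyAssertion(lookalike, publicKey, challenge)];
}
console.log(demo());
```

An SMS code has no equivalent of the signed `origin` and `rpIdHash` fields, so a server cannot tell where the user typed it.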

## 4. Where SMS OTP still wins (and where that breaks down)

SMS OTP keeps one honest advantage, and it is really two things: reach and bootstrapping. Reach,
because a first-time user on an old device, with no passkey and no provider account, can still
receive a text. Bootstrapping, because SMS works on first contact with zero setup - there is nothing
to enrol, whereas a passkey has to be created before it can ever be used. For onboarding the very
long tail of devices, and for that very first login, SMS is sometimes the only option that works on
the first try.

But reach is not success. The same SMS flow that "works everywhere" also fails quietly in ways
standard analytics never attribute to the method:

- **Delivery gaps:** codes delayed or dropped by carriers, especially across borders and on A2P
  routes.
- **Wrong context:** the code arrives while the user is mid-checkout in an in-app browser, forcing
  an app switch that breaks the flow - the same failure mode we cover for
  [in-app browsers](https://www.corbado.com/blog/passkeys-in-app-browsers).
- **Transcription errors:** mistyped codes that read as "abandoned" rather than "method failed".

> Reach guarantees a code can be sent, not that a login completes. Treat SMS OTP as a fallback that
> maximises coverage, not as a method that maximises conversion. The two goals are different and
> should be measured separately.

## 5. The Migration Trap: don't rip out SMS blindly

The instinct after seeing the cost and security numbers is to cut SMS OTP off. That usually
backfires, because a slice of users still depends on it and removing it locks them out. The
pragmatic path is a managed handoff:

1. **Make passkeys the primary method** and present them first.
2. **Keep SMS OTP as an explicit fallback** for users without a passkey-capable device or account.
3. **Shrink the SMS share over time** as passkey adoption grows, guided by data not guesswork.
4. **Retire SMS only when its share is small enough** that the remaining users have a clean
   alternative.

This is the same buy-vs-build and rollout discipline that separates a smooth passkey launch from a
support-ticket spike, and it depends entirely on being able to see the method mix.

## 6. How to measure which Method actually wins

Most analytics stacks record only "logged in or not", so they cannot tell you whether SMS OTP is
quietly underperforming passkeys for your users. To make the passkeys-vs-SMS decision on evidence
rather than opinion, instrument the funnel and segment it:

- **Track the full ceremony per method:** from method chosen through to `session_established`, so a
  delayed SMS code shows up as a method failure, not a generic bounce.
- **Segment by OS, device and browser type:** the passkey-vs-SMS balance differs sharply between a
  modern iPhone and an old Android handset in an in-app browser.
- **Watch method switches:** a user who requests an SMS code, abandons and falls back to a password
  is one of the clearest friction signals there is.
- **Track cost per successful login, not per message:** retries and failures make the true SMS cost
  per completed authentication higher than the headline carrier rate.

This is the [authentication observability](https://www.corbado.com/blog/authentication-observability) that turns "passkeys
feel better" into "passkeys complete materially more logins than SMS OTP on iOS while costing a
fraction per success, so we should prioritise passkey enrolment for that segment". The full
method-comparison approach is laid out in the
[authentication analytics playbook](https://www.corbado.com/blog/authentication-analytics-playbook).
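
An added example (not part of the original article) that computes the per-method, per-OS completion rate, method switches and SMS cost per successful login described in the list above. Apart from `session_established`, the event names, field names, fee and sample log are assumptions constructed for illustration.

```javascript
// Added example: per-method, per-OS funnel and cost metrics from auth events.
// Only `session_established` comes from the article; other event and field names are assumed.
const SMS_FEE_CENTS = 5; // assumed flat per-message fee; real fees vary by market

// Constructed sample log: [attempt, os, method, event], in time order.
const EVENTS = [
  ['a1', 'iOS', 'passkey', 'method_chosen'], ['a1', 'iOS', 'passkey', 'session_established'],
  ['a2', 'iOS', 'sms_otp', 'method_chosen'], ['a2', 'iOS', 'sms_otp', 'sms_sent'],
  ['a2', 'iOS', 'sms_otp', 'sms_sent'], ['a2', 'iOS', 'sms_otp', 'session_established'], // one retry
  ['a3', 'Android', 'sms_otp', 'method_chosen'], ['a3', 'Android', 'sms_otp', 'sms_sent'],
  ['a3', 'Android', 'password', 'method_chosen'], ['a3', 'Android', 'password', 'session_established'],
  ['a4', 'Android', 'sms_otp', 'method_chosen'], ['a4', 'Android', 'sms_otp', 'sms_sent'], // abandoned
  ['a5', 'Android', 'sms_otp', 'method_chosen'], ['a5', 'Android', 'sms_otp', 'sms_sent'],
  ['a5', 'Android', 'sms_otp', 'session_established'],
].map(([attempt, os, method, event]) => ({ attempt, os, method, event }));

function methodMix(events, smsFeeCents) {
  const stats = {};      // keyed by "method|os"
  const lastMethod = {}; // last method chosen per attempt, to detect switches
  for (const e of events) {
    const key = `${e.method}|${e.os}`;
    stats[key] = stats[key] || { chosen: 0, completed: 0, switchedAway: 0, smsSent: 0 };
    const s = stats[key];
    if (e.event === 'method_chosen') {
      s.chosen += 1;
      const prev = lastMethod[e.attempt];
      // A second method chosen in the same attempt counts against the method that was left.
      if (prev && prev !== e.method) stats[`${prev}|${e.os}`].switchedAway += 1;
      lastMethod[e.attempt] = e.method;
    } else if (e.event === 'sms_sent') s.smsSent += 1;
    else if (e.event === 'session_established') s.completed += 1;
  }
  for (const s of Object.values(stats)) {
    s.completionRate = s.chosen ? s.completed / s.chosen : 0;
    // Every send is billed, including retries and attempts that never complete.
    s.costPerSuccessCents = s.completed ? (s.smsSent * smsFeeCents) / s.completed : null;
  }
  return stats;
}
console.table(methodMix(EVENTS, SMS_FEE_CENTS));
```

In this constructed log the Android SMS segment completes one login in three and costs three times the headline fee per success, which a "logged in or not" metric would not show.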

## 7. Conclusion: Passkeys as primary, SMS as managed Fallback

On conversion, cost and security, passkeys beat SMS OTP for the bulk of consumer logins. SMS keeps
one real strength - universal reach - which makes it a good fallback, not a good default. Three
takeaways:

1. **Lead with passkeys.** They remove the code, the wait and the per-message bill at once.
2. **Keep SMS OTP as an explicit fallback.** Reach matters for the long tail of devices, but it is
   not the same as conversion.
3. **Measure the method mix.** Segment the funnel by method, OS and browser, and track cost per
   successful login so you can shrink and eventually retire SMS on evidence.

The winner is not "passkeys" or "SMS" in the abstract - it is the method mix your own data says
converts best per segment, with SMS shrinking as passkeys take over.

## Frequently Asked Questions

### Are passkeys better than SMS OTP?

For most consumer logins passkeys win on the three axes that matter: they convert better because
there is no code to wait for or mistype, they cost almost nothing per login versus a per-message
carrier fee, and they are phishing-resistant while SMS OTP can be intercepted or SIM-swapped. SMS
OTP keeps one real advantage: near-universal reach, since every phone can receive a text without
setup. The honest framing is that passkeys should be the primary method and SMS OTP a fallback for
users who cannot yet use a passkey, and the split should be measured per device and audience.

### Why are passkeys phishing-resistant compared to SMS OTP?

A passkey is a cryptographic key bound to the exact website domain it was created for, so it cannot
be replayed on a lookalike phishing site and there is no shared secret to steal. An SMS OTP is a
short code the user reads and types, which means it can be phished through a fake login page,
intercepted via SIM-swap or malware, or socially engineered out of the user. That difference is why
standards bodies and large providers treat SMS as a weak second factor and passkeys as
phishing-resistant.

### How much cheaper are passkeys than SMS OTP?

SMS OTP carries a real per-message carrier fee that ranges from fractions of a cent in the US to
well over USD 0.30 in some markets, multiplied by every login attempt and every retry, plus support
and fraud overhead. A passkey login uses standard web infrastructure with no per-authentication
messaging fee, so at consumer scale the cost difference is large and grows with volume and
international reach. The saving is biggest for high-traffic apps with global users.

### Should I replace SMS OTP with passkeys completely?

Rarely all at once. The pragmatic path is to make passkeys the primary login, keep SMS OTP as a
fallback for users without a passkey-capable device or account, and shrink the SMS share over time
as passkey adoption grows. Tracking the method mix and the per-method success rate tells you when
the SMS fallback is small enough to retire safely, instead of cutting it off and locking users out.
