
Telegram Passkeys: End of OTP Authentication

Telegram is testing passkeys in Android beta to replace SMS and OTPs. Explore the security and cost benefits of this major authentication shift.

Vincent Delitz


Created: December 5, 2025

Updated: December 5, 2025


1. Introduction: Telegram Passkeys

To fully appreciate the magnitude of Telegram's shift to passkeys, one must first understand the failure of the current authentication infrastructure that runs the modern web. The "shared secret" model, which has dominated digital security for fifty years, has collapsed under the weight of sophisticated phishing, credential stuffing and infrastructure-level attacks.

Telegram's move follows a broader industry trend led by messaging giants like WhatsApp. In October 2023, WhatsApp rolled out passkey support for Android users, later extending it to iOS in April 2024. WhatsApp utilizes passkeys to replace the insecure SMS OTP for re-authentication, allowing users to log in with a simple face scan or fingerprint. This not only eliminated the friction of waiting for SMS codes but also secured accounts against SIM-swapping attacks. Telegram's current Android beta testing suggests a similar roadmap: prioritizing the largest user base (Android) before expanding to iOS and eventually offering a cross-platform, passwordless experience (also on web).

2. Global Authentication Crisis and Telegram Context

2.1 Vulnerability of Mobile Station International Subscriber Directory Number (MSISDN)

For the past decade, the mobile phone number (MSISDN) has served as the de facto digital identity for billions of users. Telegram, like WhatsApp and Signal, was built on this premise: your phone number is your username. This design decision, while lowering the barrier to entry and facilitating rapid social graph integration, linked the security of user accounts to the security of the global cellular infrastructure.

2.1.1 Mechanics of SMS Interception

The reliance on SMS OTPs for authentication rests on the assumption that the cellular network is secure. This assumption is demonstrably false. The Signaling System No. 7 (SS7) protocol, which governs how cellular networks route calls and texts globally, lacks inherent authentication mechanisms. Sophisticated adversaries, including state-sponsored groups and criminal syndicates, can exploit SS7 vulnerabilities to intercept SMS messages in transit, redirecting OTPs meant for the victim to a device controlled by the attacker. This allows for account takeover without the attacker ever needing physical access to the victim's SIM card or phone.

2.1.2 Scourge of SIM Swapping

More common than high-level SS7 exploits is the "low-tech" attack known as SIM swapping. In this scenario, an attacker utilizes social engineering techniques to impersonate the victim, contacting their mobile carrier's customer support to request that the victim's phone number be ported to a new SIM card in the attacker's possession. Once the port is complete, the attacker receives all SMS communications, including Telegram login codes.

  • The Telegram Specifics: Because Telegram defaults to a single-factor SMS login for convenience, a successful SIM swap often results in immediate account compromise.
  • The Black Market: Access to high-value Telegram accounts (crypto influencers, channel administrators) is a traded commodity on dark web forums, often facilitated by bribed insiders at telecommunications companies.
  • Mitigation Failure: While Telegram offers "Two-Step Verification" (a cloud password), adoption rates remain low among the general populace. Furthermore, the recovery mechanism for this password often relies on email, which itself may be compromised via SMS-based recovery flows, creating a circular vulnerability.

2.2 Cost of Global SMS

Beyond the security implications, the "phone number as identity" model poses a severe economic challenge for a platform operating at Telegram's scale.

  • The Termination Fee Model: Every time a Telegram user logs in on a new device, re-installs the app or registers a new account, the platform must generate and deliver an OTP, mostly sent via SMS. Telecom carriers and aggregators charge a "termination fee" for each message.
  • Aggregated Costs: In Tier 1 markets like the US or UK, these fees are negligible. However, in emerging markets or regions with high fraud rates, the cost per SMS can skyrocket to between $0.05 and $0.20 per message. For a platform with 900 million monthly active users (MAU), even a conservative estimate of login events translates to tens of millions of dollars in monthly operational burn.
  • Artificial Inflation of Traffic (AIT): A growing fraud vector involves rogue carriers or aggregators generating fake login requests to force Telegram to send SMS messages, harvesting the termination fees. This SMS pumping fraud drains resources from platforms.
  • Telegram's Countermeasures: The company's recent launch of the Telegram Gateway - an API allowing businesses to send verification codes via Telegram for $0.01, undercutting SMS - demonstrates their acute sensitivity to these costs. They are actively seeking to commoditize their own infrastructure to offset the telco tax. However, the ultimate cost-saving measure is to eliminate the transport layer entirely.

2.3 Rise of Passkeys

In response to these systemic failures, the FIDO (Fast IDentity Online) Alliance, a consortium including Google, Apple, Microsoft and others, developed a new authentication standard based on public-key cryptography.

  • Phishing Resistance: Unlike passwords or OTPs, which can be intercepted or tricked out of a user via a fake website, FIDO credentials (passkeys) are bound to the origin. The browser or operating system will simply refuse to generate an authentication signature if the domain does not match the one where the credential was registered.
  • Device Binding: The private key used for authentication is stored in the secure hardware of the user's device (Trusted Execution Environment or Secure Enclave). It cannot be extracted, cloned or guessed.
  • User Experience: By leveraging the biometric scanners already present on billions of smartphones (FaceID, TouchID, Android Fingerprint), passkeys offer a login experience that is faster and more intuitive than typing a complex password or switching apps to copy an SMS code.
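
The origin binding described under Phishing Resistance is also checked by the relying party when it validates a WebAuthn assertion. The sketch below is an added example, not Telegram's code or code from this article: `RP_ID`, `ALLOWED_ORIGINS` and the `make_sample` helper are assumptions, the sample messages are constructed, and verifying the signature over `authenticatorData || SHA-256(clientDataJSON)` with the stored public key is assumed to happen separately.

```python
import base64, hashlib, hmac, json

RP_ID = "example.com"  # assumed relying-party ID (placeholder domain)
ALLOWED_ORIGINS = {"https://example.com"}  # assumed origin allowed for this RP

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Return "ok" or the reason for rejection. Signature check is not shown."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        return "wrong type"
    # The challenge must be the one this server issued for this login attempt.
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        return "challenge mismatch"
    # The browser records the origin it was actually on; the signature covers this field.
    origin = client.get("origin")
    if not isinstance(origin, str) or origin not in ALLOWED_ORIGINS:
        return "origin mismatch"
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
    if len(auth_data) < 37:
        return "authenticatorData too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "rpIdHash mismatch"
    flags = auth_data[32]
    if not flags & 0x01:  # UP: user present
        return "user not present"
    if not flags & 0x04:  # UV: user verified (biometric or device PIN)
        return "user not verified"
    return "ok"

def make_sample(origin: str, rp_id: str, challenge: bytes, flags: int = 0x05):
    """Constructed sample (not a captured message) of what a client at `origin` sends."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client_data, auth_data

if __name__ == "__main__":
    ch = b"constructed-challenge-0001"
    print(check_assertion(*make_sample("https://example.com", "example.com", ch), ch))
    print(check_assertion(*make_sample("https://example-login.test", "example-login.test", ch), ch))
```

An assertion produced on a look-alike origin is rejected at the origin check, and one relayed with a corrected origin string still fails on `rpIdHash` or on the signature, which is why a passkey response cannot be replayed the way a typed OTP can.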

3. Current Availability: Android Beta Rollout

As of December 2025, Telegram has begun its transition to passkeys, but the rollout is in its early stages: passkey support has been discovered in the Telegram Android Beta and is exclusively available there.

3.1 What Users Need to Know

  • Android Beta Exclusive: The feature is currently hidden within the beta version of the Android client. There is no official support yet for iOS or the Web client. We will update this article as soon as news regarding other platforms becomes available.
  • Enhanced Security: For beta users, enabling passkeys adds a robust layer of phishing-resistant security that SMS codes cannot match.
  • Backup & Sync: Users leveraging password managers (like Google Password Manager, Dashlane or 1Password) can sync their Telegram passkeys across their Android devices, ensuring they don't lose access if they lose a specific phone.

This phased rollout suggests Telegram is testing the implementation stability and user experience flow before a global launch to its nearly one billion users.

4. Strategic Impact of Telegram Passkeys

While security is the public face of this transition, the economic drivers are arguably more potent. Telegram's move to passkeys is a strategic maneuver to decouple its growth costs from the legacy telecommunications infrastructure.

4.1 "Telco Tax" on Growth

Telegram adds approximately 2.5 million new users daily. Each new user requires phone number verification.

  • Direct Costs: Assuming an average blended cost of $0.05 per SMS globally, 2.5 million daily sign-ups generate a daily burn rate of $125,000 for verification alone - nearly $45 million annually. This does not include re-logins, device switches or failed attempts.
  • Indirect Costs: The "Artificial Inflation of Traffic" (AIT) fraud vectors mean Telegram likely pays for millions of SMS messages that are never requested by real users but triggered by bots to harvest fees for corrupt carriers.

4.2 Zero-Cost Alternative

Passkey authentication occurs over the standard data channel (internet).

  • Marginal Cost: The cost to verify a passkey signature is the cost of a few CPU cycles on the server and a few kilobytes of bandwidth. It is effectively zero.
  • Scaling: As Telegram grows to 1.5 billion or 2 billion users, the cost of authentication using passkeys remains flat, whereas SMS costs would scale linearly (or exponentially given inflation in AIT fraud).

4.3 "Telegram Gateway" Pivot

Telegram's introduction of the Telegram Gateway API is a transitional step. By allowing other businesses to verify users via Telegram messages ($0.01/msg) instead of SMS ($0.05+/msg), Telegram is turning its authentication infrastructure into a revenue stream. However, for its own users, moving to passkeys allows Telegram to stop paying the telcos entirely.

Strategic End State: A future where "Telegram" is the identity provider. Users leverage their Telegram Passkey to log in to third-party services, and Telegram charges those services a micro-fee (or offers it free to boost ecosystem lock-in), completely bypassing the SMS ecosystem.

5. Telegram Super App Strategy

The introduction of passkeys is a foundational step for Telegram's broader ambitions.

Telegram is aggressively building a platform of "Mini Apps" (tApps) - web applications that run inside Telegram. These include e-commerce stores, crypto wallets and gaming platforms.

  • Friction: Currently, these apps often require separate logins or wallet connections.
  • Passkey Integration: Telegram could expose a request_passkey_auth API to Mini Apps. A user could authorize a purchase or a crypto transaction within a Mini App using the same biometric passkey they use for Telegram. This creates a "One-Tap" economy similar to Apple Pay, but cross-platform.

6. Conclusion: Telegram Passkeys

The introduction of passkeys is the most significant upgrade to Telegram’s identity layer since the introduction of the Cloud Password. It is a convergence of necessity and opportunity: the necessity to escape the crushing costs and security failures of the SMS ecosystem and the opportunity to build a frictionless, biometric-first identity layer for the Super App era.

For the user, the future is simple: no more codes to copy, no more passwords to forget. Just a glance at the screen, and the cryptographic vault opens. For Telegram, it is a strategic liberation from the telecommunications industry, cementing its status as an independent, sovereign digital platform. While the transition will take time - likely years to fully deprecate SMS for the majority of users - the beta evidence confirms that the journey has definitively begun.
