---
url: 'https://www.corbado.com/blog/telegram-passkeys'
title: 'Telegram Passkeys: End of OTP Authentication'
description: 'Telegram is testing passkeys in Android beta to replace SMS and OTPs. Explore the security and cost benefits of this major authentication shift.'
lang: 'en'
author: 'Vincent Delitz'
date: '2025-12-05T08:31:54.919Z'
lastModified: '2026-03-27T07:01:54.562Z'
keywords: 'Telegram Passkeys'
category: 'Passkeys Reviews'
---

# Telegram Passkeys: End of OTP Authentication

## Key Facts

- Telegram is testing passkeys exclusively in **Android Beta** as of late 2025, replacing
  SMS OTP authentication to eliminate phishing risks and tens of millions in annual
  verification costs.
- At 2.5 million daily sign-ups and a blended rate of 0.05 USD per SMS, Telegram's
  **verification burn rate** reaches approximately 125,000 USD per day, nearly 45 million
  USD annually before re-logins or fraud.
- The **SS7 protocol** governing cellular networks lacks authentication mechanisms,
  allowing attackers to intercept OTPs in transit and compromise Telegram accounts without
  physical device access.
- **Passkey verification** costs only CPU cycles and minimal bandwidth, making
  authentication costs effectively zero as Telegram scales beyond its current 900 million
  monthly active users.

## 1. Introduction: Telegram Passkeys

To fully appreciate the magnitude of Telegram's shift to passkeys, one must first
understand the failure of the current authentication infrastructure that runs the modern
web. The "shared secret" model, which has dominated digital security for fifty years, has
collapsed under the weight of sophisticated [phishing](https://www.corbado.com/glossary/phishing),
[credential stuffing](https://www.corbado.com/glossary/credential-stuffing) and infrastructure-level attacks.

Telegram's move follows a broader industry trend led by messaging giants like
[WhatsApp](https://www.corbado.com/blog/whatsapp-passkeys). In October 2023, [WhatsApp](https://www.corbado.com/blog/whatsapp-passkeys)
rolled out passkey support for [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android) users,
later extending it to [iOS](https://www.corbado.com/blog/webauthn-errors) in April 2024.
[WhatsApp](https://www.corbado.com/blog/whatsapp-passkeys) utilizes passkeys to replace the insecure SMS OTP for
re-authentication, allowing users to log in with a simple face scan or fingerprint. This
not only eliminated the friction of waiting for SMS codes but also secured accounts
against SIM-swapping attacks. Telegram's current
[Android](https://www.corbado.com/blog/how-to-enable-passkeys-android) beta testing suggests a similar roadmap:
prioritizing the largest user base (Android) before expanding to
[iOS](https://www.corbado.com/blog/webauthn-errors) and eventually offering a cross-platform, passwordless
experience (also on web).

## 2. Global Authentication Crisis and Telegram Context

![create telegram passkey](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/create_telegram_passkey_0091a3b8b0.jpeg)

### 2.1 Vulnerability of Mobile Station International Subscriber Directory Number (MSISDN)

For the past decade, the mobile phone number (MSISDN) has served as the de facto
[digital identity](https://www.corbado.com/blog/digital-identity-guide) for billions of users. Telegram, like
WhatsApp and Signal, was built on this premise: your phone number is your username. This
design decision, while lowering the barrier to entry and facilitating rapid social graph
integration, linked the security of user accounts to the security of the global cellular
infrastructure.

#### 2.1.1 Mechanics of SMS Interception

The reliance on SMS OTPs for authentication rests on the assumption that the cellular
network is secure. This assumption is demonstrably false. The Signaling System No. 7 (SS7)
protocol, which governs how cellular networks route calls and texts globally, lacks
inherent authentication mechanisms. Sophisticated adversaries, including state-sponsored
groups and criminal syndicates, can [exploit](https://www.corbado.com/glossary/exploit) SS7
[vulnerabilities](https://www.corbado.com/glossary/vulnerability) to intercept SMS messages in transit,
redirecting OTPs meant for the victim to a device controlled by the attacker. This allows
for account takeover without the attacker ever needing physical access to the victim's SIM
card or phone.

![login telegram passkey](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/login_telegram_passkey_ffaa1ab383.jpeg)

#### 2.1.2 Scourge of SIM Swapping

More common than high-level SS7 [exploits](https://www.corbado.com/glossary/exploit) is the "low-tech" attack
known as [SIM swapping](https://www.corbado.com/faq/sim-swapping-sms-authentication-risk). In this scenario, an
attacker utilizes social engineering techniques to impersonate the victim, contacting
their mobile carrier's customer support to request that the victim's phone number be
ported to a new SIM card in the attacker's possession. Once the port is complete, the
attacker receives all SMS communications, including Telegram login codes.

- **The Telegram Specifics:** Because Telegram defaults to a single-factor SMS login for
  convenience, a successful [SIM swap](https://www.corbado.com/glossary/sim-swap) often results in immediate
  account compromise.
- **The Black Market:** Access to high-value Telegram accounts (crypto influencers,
  channel administrators) is a traded commodity on dark web forums, often facilitated by
  bribed insiders at [telecommunications](https://www.corbado.com/blog/telstra-passkeys) companies.
- **Mitigation Failure:** While Telegram offers "Two-Step Verification" (a cloud
  password), adoption rates remain low among the general populace. Furthermore, the
  recovery mechanism for this password often relies on email, which itself may be
  compromised via SMS-based recovery flows, creating a circular
  [vulnerability](https://www.corbado.com/glossary/vulnerability).

### 2.2 Cost of Global SMS

Beyond the security implications, the "phone number as identity" model poses a severe
economic challenge for a platform operating at Telegram's scale.

- **The Termination Fee Model:** Every time a Telegram user logs in on a new device,
  re-installs the app or registers a new account, the platform must generate and deliver
  an OTP, mostly sent via SMS. [Telecom](https://www.corbado.com/passkeys-for-telecom) carriers and aggregators
  charge a "termination fee" for each message.
- **Aggregated Costs:** In Tier 1 markets like the US or UK, these fees are negligible.
  However, in emerging markets or regions with high fraud rates, the cost per SMS can
  skyrocket to between $0.05 and $0.20 per message. For a platform with 900 million
  monthly active users (MAU), even a conservative estimate of login events translates to
  tens of millions of dollars in monthly operational burn.
- **Artificial Inflation of Traffic (AIT):** A growing fraud vector involves rogue
  carriers or aggregators generating fake login requests to force Telegram to send SMS
  messages, harvesting the termination fees. This SMS pumping fraud drains resources from
  platforms.
- **Telegram's Countermeasures:** The company's recent launch of the **Telegram
  Gateway** - an API allowing businesses to send verification codes via Telegram for
  $0.01, undercutting SMS - demonstrates their acute sensitivity to these costs. They are
  actively seeking to commoditize their own infrastructure to offset the telco tax.
  However, the ultimate cost-saving measure is to eliminate the transport layer entirely.

### 2.3 Rise of Passkeys

In response to these systemic failures, the FIDO (Fast IDentity Online) Alliance, a
consortium including Google, Apple, Microsoft and others, developed a new authentication
standard based on public-key cryptography.

- **Phishing Resistance:** Unlike passwords or OTPs, which can be intercepted or tricked
  out of a user via a fake website, FIDO credentials (passkeys) are bound to the origin.
  The browser or operating system will simply refuse to generate an authentication
  signature if the domain does not match the one where the credential was registered.
- **Protected by Hardware:** The private key used for authentication is protected by
  hardware-backed secure storage on the user's device (e.g. a Trusted Execution
  Environment or [Secure Enclave](https://www.corbado.com/glossary/secure-enclave)).
- **User Experience:** By leveraging the biometric scanners already present on billions of
  smartphones (FaceID, TouchID, [Android](https://www.corbado.com/blog/how-to-enable-passkeys-android)
  Fingerprint), passkeys offer a login experience that is faster and more intuitive than
  typing a [complex password](https://www.corbado.com/blog/complex-passwords-cracked-soon) or switching apps to
  copy an SMS code.
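
The origin binding described above, as an added Node.js example (not code from Telegram or from the original article): the checks a relying party runs on a WebAuthn assertion, showing why a signature produced on another origin, or paired with a rewritten origin, is rejected. The RP ID `example.org`, the origins and the helper names are assumptions, and `makeAssertion` stands in for a real authenticator.

```javascript
// Added example (not Telegram's code): relying-party checks on a WebAuthn assertion.
const crypto = require("node:crypto");

const RP_ID = "example.org";                    // assumed relying-party ID
const EXPECTED_ORIGIN = "https://example.org";  // assumed web origin
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Stand-in authenticator for the demo: signs authenticatorData || SHA-256(clientDataJSON).
function makeAssertion(privateKey, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // authenticatorData = rpIdHash (32 bytes) || flags (UP 0x01 | UV 0x04) || signCount (4 bytes)
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Server-side verification: returns "ok" or the reason the assertion is rejected.
function verifyAssertion({ clientDataJSON, authData, signature }, publicKey, challenge) {
  let c;
  try { c = JSON.parse(clientDataJSON.toString("utf8")); } catch { return "bad clientDataJSON"; }
  if (c?.type !== "webauthn.get") return "wrong type";
  const got = Buffer.from(String(c.challenge), "base64url");
  if (got.length !== challenge.length || !crypto.timingSafeEqual(got, challenge))
    return "challenge mismatch";
  if (c.origin !== EXPECTED_ORIGIN) return "origin mismatch";
  if (authData.length < 37) return "short authenticatorData";
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  if ((authData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32);
  const good = makeAssertion(privateKey, EXPECTED_ORIGIN, challenge);
  const other = makeAssertion(privateKey, "https://example.net", challenge); // signed on another origin
  const tampered = { ...other, clientDataJSON: good.clientDataJSON };  // origin swapped after signing
  return {
    good: verifyAssertion(good, publicKey, challenge),
    otherOrigin: verifyAssertion(other, publicKey, challenge),
    tampered: verifyAssertion(tampered, publicKey, challenge),
    replayed: verifyAssertion(good, publicKey, crypto.randomBytes(32)), // stale challenge
  };
}
console.log(demo());
```

Because the origin sits inside the signed data, a captured assertion cannot be reused against the genuine site the way an intercepted OTP can.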

## 3. Current Availability: Android Beta Rollout

As of December 2025, Telegram has begun its
[transition to passkeys](https://www.corbado.com/blog/user-transition-passkeys-expert-strategies), but the
rollout is in its early stages: passkey support has been discovered and is available
exclusively in the **Telegram Android Beta**.

### 3.1 What Users Need to Know

- **Android Beta Exclusive:** The feature is currently hidden within the beta version of
  the Android client. There is no official support yet for [iOS](https://www.corbado.com/blog/webauthn-errors) or
  the Web client. We will update this article as soon as news regarding other platforms
  becomes available.
- **Enhanced Security:** For beta users, enabling passkeys adds a robust layer of
  [phishing](https://www.corbado.com/glossary/phishing)-resistant security that SMS codes cannot match.
- **Backup & Sync:** Users leveraging password managers (like
  [Google Password Manager](https://www.corbado.com/blog/how-to-use-google-password-manager),
  [Dashlane](https://www.corbado.com/blog/dashlane-passkeys) or
  [1Password](https://www.corbado.com/blog/1password-passkeys-best-practices-analysis)) can sync their Telegram
  passkeys across their Android devices, ensuring they don't lose access if they lose a
  specific phone.

This phased rollout suggests Telegram is testing the implementation stability and user
experience flow before a global launch to its nearly one billion users.

## 4. Strategic Impact of Telegram Passkeys

While security is the public face of this transition, the economic drivers are arguably
more potent. Telegram's move to passkeys is a strategic maneuver to decouple its growth
costs from the legacy [telecommunications](https://www.corbado.com/blog/telstra-passkeys) infrastructure.

### 4.1 "Telco Tax" on Growth

Telegram adds approximately 2.5 million new users daily. Each new user requires phone
number verification.

- **Direct Costs:** Assuming an average blended cost of $0.05 per SMS globally, 2.5
  million daily sign-ups generate a daily burn rate of $125,000 for verification alone -
  nearly $45 million annually. This does not include re-logins, device switches or failed
  attempts.
- **Indirect Costs:** The "Artificial Inflation of Traffic" (AIT) fraud vectors mean
  Telegram likely pays for millions of SMS messages that are never requested by real users
  but triggered by bots to harvest fees for corrupt carriers.

### 4.2 Zero-Cost Alternative

Passkey authentication occurs over the standard data channel (internet).

- **Marginal Cost:** The cost to verify a passkey signature is the cost of a few CPU
  cycles on the server and a few kilobytes of bandwidth. It is effectively zero.
- **Scaling:** As Telegram grows to 1.5 billion or 2 billion users, the cost of
  authentication using passkeys remains flat, whereas SMS costs would scale linearly (or
  exponentially given inflation in AIT fraud).

### 4.3 "Telegram Gateway" Pivot

Telegram's introduction of the **Telegram Gateway** API is a transitional step. By
allowing other businesses to verify users via Telegram messages ($0.01/msg) instead of SMS
($0.05+/msg), Telegram is turning its authentication infrastructure into a revenue stream.
However, for its _own_ users, moving to passkeys allows Telegram to stop paying the telcos
entirely.

**Strategic End State:** A future where "Telegram" is the identity provider. Users
leverage their Telegram Passkey to log in to third-party services, and Telegram charges
those services a micro-fee (or offers it free to boost ecosystem lock-in), completely
bypassing the SMS ecosystem.

## 5. Telegram Super App Strategy

The introduction of passkeys is a foundational step for Telegram's broader ambitions.

Telegram is aggressively building a platform of "Mini Apps" (tApps) - web applications
that run inside Telegram. These include [e-commerce](https://www.corbado.com/passkeys-for-e-commerce) stores,
crypto [wallets](https://www.corbado.com/blog/digital-wallet-assurance) and gaming platforms.

- **Friction:** Currently, these apps often require separate logins or
  [wallet](https://www.corbado.com/blog/digital-wallet-assurance) connections.
- **Passkey Integration:** Telegram could expose a `request_passkey_auth` API to Mini
  Apps. A user could authorize a purchase or a crypto transaction within a Mini App using
  the same biometric passkey they use for Telegram. This creates a
  "[One-Tap](https://docs.corbado.com/corbado-connect/features/one-tap-login)" economy
  similar to [Apple Pay](https://www.corbado.com/blog/how-to-use-apple-pay), but cross-platform.

## 6. Conclusion: Telegram Passkeys

The introduction of passkeys is the most significant upgrade to Telegram’s identity layer
since the introduction of the Cloud Password. It is a convergence of necessity and
opportunity: the necessity to escape the crushing costs and security failures of the SMS
ecosystem and the opportunity to build a frictionless, biometric-first identity layer for
the Super App era.

For the user, the future is simple: no more codes to copy, no more passwords to forget.
Just a glance at the screen, and the cryptographic vault opens. For Telegram, it is a
strategic liberation from the [telecommunications](https://www.corbado.com/blog/telstra-passkeys) industry,
cementing its status as an independent, sovereign digital platform. While the transition
will take time - likely years to fully deprecate SMS for the majority of users - the beta
evidence confirms that the journey has definitively begun.

## Frequently Asked Questions

### What is the Telegram Gateway API and how does it relate to the passkey rollout?

Telegram Gateway is an API allowing businesses to send verification codes via Telegram for
0.01 USD each, compared to SMS rates of 0.05 USD or more. It is a transitional revenue
step: while third parties use it to cut SMS costs, Telegram's own users moving to passkeys
allows Telegram to stop paying telecom carriers entirely.

### Why does SIM swapping pose a specific security risk to Telegram accounts compared to other apps?

Telegram defaults to single-factor SMS login, meaning a successful SIM swap gives
attackers immediate access to login codes and full account compromise. High-value accounts
such as crypto influencers and channel administrators are actively traded on dark web
forums, often facilitated by bribed insiders at telecom companies.

### How does Artificial Inflation of Traffic fraud affect Telegram's SMS authentication costs?

Rogue carriers and aggregators generate fake login requests to force Telegram to send SMS
messages, harvesting termination fees in a scheme called AIT fraud. This means Telegram's
45 million USD annual SMS cost estimate excludes millions of additional messages triggered
by bots rather than real users.

### How could Telegram passkeys enable authentication across Mini Apps and third-party services?

Telegram is building a Mini Apps ecosystem (tApps) covering e-commerce, crypto wallets and
gaming platforms. A proposed `request_passkey_auth` API would let users authorize purchases
or transactions within Mini Apps using the same biometric passkey they use for Telegram,
creating a one-tap experience similar to Apple Pay but cross-platform.
