---
url: 'https://www.corbado.com/faq/sms-based-authentication-explained'
title: 'What is SMS-based authentication and how does it work?'
description: 'SMS-based authentication is a widely used method for verifying user identity by sending a one-time passcode (OTP) via SMS. '
lang: 'en'
keywords: 'SMS-based authentication'
---

# What is SMS-based authentication and how does it work?

## What is SMS-Based Authentication?

SMS-based authentication is a method used to verify a user's identity by sending a
**one-time passcode (OTP)** via SMS to their registered phone number. The user then enters
this code into the authentication system to gain access. This method is commonly used in
**two-factor authentication (2FA)** and **multi-factor authentication (MFA)** setups.

### Types of SMS-Based Authentication

There are two primary types of SMS-based authentication:

- **Single-Factor Authentication (SFA):** Users log in using an SMS OTP instead of a
  traditional password.
- **Two-Factor Authentication (2FA):** Users first enter their password and then verify
  their identity using an SMS OTP.

### How Does SMS-Based Authentication Work?

1. A user attempts to log in or perform a sensitive action.
2. The system sends an **OTP via SMS** to the user's registered phone number.
3. The user retrieves the OTP from their SMS inbox and enters it into the application.
4. If the OTP matches the expected value, authentication is successful.
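
The server side of these four steps, as an added example (not code from the original page). The 6-digit code length, 5-minute lifetime, 3-attempt limit and the `send_sms` gateway callable are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 3        # assumption: guesses allowed per issued code


class SmsOtpVerifier:
    """In-memory sketch of the flow; a real service would use a shared store."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical gateway callable: (phone, text) -> None
        self._clock = clock
        self._pending = {}          # phone -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def start(self, phone):
        """Steps 1-2: generate a random OTP and send it to the registered number."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to 6 digits
        salt = secrets.token_bytes(16)
        # Keep a salted hash rather than the plaintext code. The short lifetime and
        # attempt cap below are what actually limit guessing of a 6-digit value.
        self._pending[phone] = [salt, self._digest(salt, code),
                                self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your verification code is {code}")

    def verify(self, phone, submitted):
        """Steps 3-4: compare the submitted code with the expected value."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[phone]    # expired or exhausted: a new code is required
            return False
        entry[3] -= 1                   # count the attempt before comparing
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[phone]    # single use: the same code cannot be replayed
            return True
        return False
```

Expiry, single use and the attempt cap bound online guessing of the code; they do not address SIM swapping or phishing, where the attacker obtains the genuine OTP.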

### Drawbacks of SMS-Based Authentication

Despite its widespread adoption, SMS-based authentication has significant downsides:

- **Security Risks:**
    - **SMS Traffic Pumping:** Attackers [exploit](https://www.corbado.com/glossary/exploit) SMS billing systems
      to generate fraudulent messages, increasing costs for businesses.
    - **SIM Swapping:** Hackers transfer a victim's phone number to a new SIM card to
      intercept OTPs.
    - **Phishing Attacks:** SMS-based authentication is susceptible to
      [phishing](https://www.corbado.com/glossary/phishing) attempts where users are tricked into revealing their
      OTP.

- **High Costs:**
    - Businesses pay for each authentication SMS sent, often costing **$0.01–$0.20 per
      message**.
    - [Large-scale](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview) deployments can incur
      millions of dollars in annual SMS costs.

- **Poor User Experience (UX):**
    - Desktop users must manually enter SMS OTPs from their mobile phones, creating
      friction.
    - SMS delivery failures and delays can frustrate users and lead to
      [login abandonment](https://www.corbado.com/blog/login-friction-kills-conversion).

### Passkeys: A Secure Alternative to SMS-Based Authentication

To address these challenges, **passkeys** provide a **phishing-resistant**,
**cost-effective**, and **user-friendly** alternative to SMS-based authentication. By
using **public-key cryptography**, passkeys eliminate the need for passwords and SMS OTPs,
**reducing fraud risk** while significantly improving the user experience.

For enterprises looking to **reduce authentication costs** and **enhance security**,
switching from SMS-based authentication to passkeys is a **future-proof strategy**.

