SMS one-time passwords (OTPs) are no longer reliable for securing user accounts. Leading companies are replacing them with passkeys and encrypted messaging options likeWhatsApp OTP to strengthen security, reduce costs, and maintain regulatory compliance.
SMS codes are vulnerable to hacking, expensive to send, frequently undelivered, and increasingly non-compliant with new regulations. Authorities in Singapore, India, Malaysia, and the United States are moving to eliminate SMS OTPs, and organizations like FINRA and the US Patent and Trademark Office will no longer accept them by 2025.
There are better alternatives available, and making the switch is simpler than many companies expect.
Need to move away from SMS OTP? We can help you make the switch without disrupting your current auth flow. Drop us a line.
Why are more companies replacing SMS OTP
More and more companies are ditching SMS OTP, and I don't blame them. What started as a decent security measure has turned into a liability with serious risks for both businesses and users.
Why is SMS OTP not safe?
SIM swapping is the biggest problem. Scammers can call your phone carrier, pretend to be you, and move your number to their phone. Just like that, they get all your text messages - including your security codes.
The networks that carry text messages use outdated technology (called SS7) that hackers have figured out how to exploit. They can intercept messages without ever touching your phone.
And here's a scary thought – text messages aren't encrypted. They're sent as plain text that can be captured by anyone who knows how to monitor network traffic.
Can OTPs be spoofed?
Yes. Attackers can make fraudulent messages appear to come from trusted sources like your bank. These spoofed messages can trick users into revealing their OTPs or clicking malicious links.
Man-in-the-middle attacks can intercept OTPs during transmission. And mobile malware can silently forward your SMS messages to attackers without you ever knowing.
What are the risks of SMS OTP?
The most immediate risk is account takeover, where attackers gain control of user accounts, potentially leading to fraud, identity theft, and data breaches. For businesses, successful attacks damage reputation and erode customer trust.
Another major risk is financial loss from SMS pumping fraud, where fraudsters generate huge volumes of SMS messages to premium-rate numbers, inflating charges for targeted businesses.
Is SMS OTP still compliant in 2026?
While SMS OTP might technically satisfy some baseline requirements in certain sectors, its compliance standing is diminishing fast. Many regulatory bodies are actively moving away from SMS as an acceptable authentication method:
The US Patent and Trademark Office is phasing out SMS-based authentication by May 2025
Microsoft is mandating stronger authentication for Microsoft 365 admin accounts starting February 2025
Financial Industry Regulatory Authority (FINRA) is retiring SMS as an acceptable authentication option by July 2025
Reserve Bank of India (RBI) is planning to completely eliminate SMS OTP-based authentication for digital payments.
Singapore's Monetary Authority announced that major banks will phase out OTPs for account logins, moving towards digital tokens to enhance security against fraud.
Bank Negara Malaysia (BNM) has already directed financial institutions to stop using SMS-based OTPs to combat the rise in financial scams.
The real cost of sticking with SMS OTP
Most organizations focus only on the per-message cost of SMS OTP. But the true price tag is much higher when you consider delivery failures, customer support overhead, and fraud losses.
Why SMS 2FA creates major costs/risks
The direct costs add up fast. Each text message costs money, especially international ones. For companies with millions of users, this becomes a massive expense.
When SMS codes don't arrive (because of network issues, wrong numbers, or spam filters), users call support for help. This creates a whole other cost centre that many businesses overlook.
The biggest hit to the bottom line comes from fraud. Twitter (now X) reportedly lost $60 million a year to SMS fraud alone. With global spending on SMS OTP over $1.6 billion yearly, there's a lot of money at stake.
Cost-per-message vs. Passkeys/WhatsApp
Let's talk money. The difference in cost between SMS and newer options is eye-opening:
SMS OTP: Between 1 and 20 cents per message (plus verification fees)
Passkeys: You pay once to integrate, then zero per login
We've seen companies cut their authentication costs by up to 90% just by moving away from SMS. That adds up fast when you're sending millions of codes.
What are the best alternatives to SMS OTP?
There are several better options that offer improved security, better user experience, and cost savings.
Passkeys (FIDO2/WebAuthn)
Passkeys are the future of logging in. Instead of typing codes, you just use your device's built-in security – like your fingerprint or face scan.
Passkeys use advanced encryption that can't be phished or stolen. They completely eliminate the need for passwords and one-time codes.
WhatsApp OTP uses the messaging app most people already have to deliver codes through encrypted channels. With billions of users worldwide, it offers great reach while typically costing less than standard business SMS.
Email OTP / Magic Links
Email OTP sends verification codes to your email, while magic links let you log in with just one click. They're more secure than passwords alone but still vulnerable if someone gets into your email.
Push and authenticator apps
Authenticator apps create codes right on your phone without sending them over networks. Push authentication simply asks you to approve or deny login attempts with a tap.
Authentication Methods Comparison
Feature
SMS OTP
Passkeys
WhatsApp OTP
Security
Low (Vulnerable to SIM swap)
High (Can't be phished)
Medium (Encrypted)
Reliability
Low (Delivery problems)
High (Works offline)
Medium (Needs internet)
User Experience
Medium (Type in codes)
High (Just use your face/finger)
Medium (App switch)
Cost
High (Per-message + fraud)
Low (One-time setup)
Medium (Cheaper than SMS)
Works without cell service
No
Yes
Yes
The best SMS OTP alternative is passkeys
Passkeys are your best bet if you want the most secure and user-friendly replacement for SMS OTP.You might be thinking: "Implementing passkeys sounds like a headache." Many companies struggle with the technical side and worry about compatibility across different devices.
That's where we come in. Authsignal gives you passkeys that just work with your existing systems. Our ready-made components mean you can roll out passkeys in weeks.
Users get a smooth login experience, and your tech team gets the support they need. No vendor lock-in, just a better way to authenticate.
While passkeys are the best long-term solution, WhatsApp OTP is an excellent stepping stone away from SMS.
Many companies worry about user adoption of new security methods. Our WhatsApp OTP solution uses an app that billions of people already have and trust.
Air New Zealand saw amazing results after switching to WhatsApp OTP:
They cut SMS costs by 90%
Users adopted it quickly with no special training
Their support team spent less time helping with OTP issues
Our pre-built components make it easy to add WhatsApp OTP to your existing login flows, improving security while saving money.
How to phase-out SMS OTP and roll-out passkeys and WhatsApp OTP
The most successful approach is to make the switch gradually:
Add passkeys and WhatsApp OTP as options alongside SMS
Show users why the new methods are better and more convenient
Slowly make SMS less prominent as people adopt the alternatives
Eventually, phase out SMS completely
Common mistakes include not educating users enough, not having backup options, and poor testing across different devices. Our platform helps you avoid these pitfalls with expert guidance and proven workflows.
How do passkeys work, and why are they better than SMS OTP?
Passkeys use encryption with a private key stored securely on your device. You authenticate with your fingerprint or face scan, and the private key never leaves your device - making passkeys virtually impossible to steal.
What happens if a user doesn't have signal to receive an OTP?
Without cell service, SMS codes won't arrive, and users can't log in. Passkeys work offline since everything happens on the device. WhatsApp OTP needs internet,t but not cellular service.
How do I get approval to replace SMS OTP?
Build a case showing the security risks, costs (including fraud and support), and user experience problems with SMS. Show how alternatives offer better security, lower costs, and improved user satisfaction.
How can Authsignal help me replace SMS OTP?
We provide drop-in solutions for both passkeys and WhatsApp OTP that work with your existing systems. Our platform includes ready-made interfaces, developer tools, and expert support to make the transition smooth.
What are the common mistakes when replacing SMS OTP?
The biggest mistakes are poor user education, not having backup options, inadequate testing across devices, and making the experience too complicated. We help you avoid these pitfalls with proven implementation patterns.
Future-proof your authentication
SMS OTP just doesn't cut it anymore. The security holes, rising costs, and user frustrations make it increasingly obsolete. Passkeys and WhatsApp OTP offer better security, smoother user experiences, and lower costs.
Authsignal makes switching from SMS OTP simple with ready-to-use solutions for both passkeys and WhatsApp OTP. Partner with us to boost your security, cut costs, and give users a much better login experience.
.png)
.svg)
