SMS authentication vs passkeys – why enterprises are replacing text OTPs


Why Are Enterprises Moving Away from SMS Authentication?

Since the early 2010s, SMS authentication has been widely used as a two-factor authentication (2FA) method by enterprises across industries. It relies on sending one-time passwords (OTPs) via text message to users’ phones as an added layer of identity verification. While simple to implement, this method is increasingly viewed as outdated, insecure and, most importantly for enterprises, expensive.

Enterprises are now recognizing the operational and financial costs of maintaining SMS-based authentication. These costs include SMS traffic pumping, carrier fees, SIM swap attacks, delivery failures, and support overhead. At the same time, modern alternatives like passkeys offer superior security, cost savings, and a significantly improved user experience.

In this article, we explore:

  • The rising costs and security risks of SMS-based OTP
  • Why SMS OTPs are no longer sustainable at enterprise scale
  • How passkeys provide a phishing-resistant, low-cost, and user-friendly alternative
  • Implementation strategies for replacing SMS with Passkeys for Enterprises

1. What Is SMS-Based Authentication?

Before examining its limitations, it’s important to define what SMS authentication actually entails.

SMS authentication, also called text OTP or SMS passcodes, involves sending a numeric or alphanumeric code to a user’s phone number via text message. This is typically used as:

  • A second factor (e.g., password + OTP)
  • A single factor (e.g., text OTP only, often in passwordless flows)

Typical use cases:

  • Logging in to user accounts
  • Verifying new devices
  • Resetting passwords
  • Confirming transactions

While the process is familiar to users, it depends heavily on telecom infrastructure, global routing, and secure number assignment, which introduces a number of risks and operational burdens.

2. Drawbacks of SMS Authentication – Security and Fraud Risks

Despite its wide use, SMS authentication has serious security weaknesses. These flaws not only create vulnerabilities for users, but also expose enterprises to fraud, account takeovers, and financial losses.


2.1 SMS Traffic Pumping

One of the most expensive and overlooked fraud types in SMS authentication is SMS traffic pumping.

What is SMS traffic pumping?

SMS traffic pumping is an abuse of the OTP mechanism in which fraudsters trigger massive volumes of fake OTP requests. These requests are routed to phone numbers that the attackers control, often through partner mobile network operators (MNOs) that share revenue from each SMS sent.

  • Each fraudulent OTP triggers an SMS.
  • The MNO charges the company for delivery (up to $0.20 per message).
  • The fraudster and the MNO share the revenue.

Why does this matter?

  • This is not a theoretical risk; it’s happening at scale.
  • In 2022, Twitter reportedly lost $60 million annually due to SMS traffic pumping (source).
  • Most companies cannot detect or prevent this kind of abuse with existing SMS providers.

This form of invisible fraud directly drives up SMS traffic costs and creates an incentive for abuse that’s difficult to mitigate.
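As an added illustration (not code from the article or from Secfense), the following Node.js check flags the pattern described above in an OTP request log: a burst of sends into one number block with almost no successful verifications. The log events, prefixes and thresholds are constructed for the demo.

```javascript
// Added example, not from the article or Secfense: flagging SMS traffic pumping
// by number prefix. Sample events and thresholds are constructed for the demo.
const PREFIX_DIGITS = 6;          // group numbers by country code + carrier block
const WINDOW_MS = 10 * 60 * 1000; // look-back window: 10 minutes
const MIN_SENDS = 50;             // ignore prefixes with too little traffic to judge
const MAX_VERIFY_RATE = 0.05;     // pumped numbers request OTPs but almost never verify

function prefixOf(phone) {
  return phone.replace(/\D/g, "").slice(0, PREFIX_DIGITS);
}

// events: [{ ts (ms since epoch), phone, event: "otp_sent" | "otp_verified" }]
// Returns the prefixes whose send volume is high while the verify rate is near zero.
function findPumpedPrefixes(events, now = Date.now()) {
  const stats = new Map();
  for (const e of events) {
    if (now - e.ts > WINDOW_MS) continue;          // outside the window
    const p = prefixOf(e.phone);
    const s = stats.get(p) || { sent: 0, verified: 0, numbers: new Set() };
    if (e.event === "otp_sent") { s.sent++; s.numbers.add(e.phone); }
    else if (e.event === "otp_verified") s.verified++;
    stats.set(p, s);
  }
  const flagged = [];
  for (const [prefix, s] of stats) {
    const verifyRate = s.sent ? s.verified / s.sent : 0;
    if (s.sent >= MIN_SENDS && verifyRate < MAX_VERIFY_RATE) {
      // distinctNumbers separates a range attack from one user retrying repeatedly
      flagged.push({ prefix, sent: s.sent, verified: s.verified, distinctNumbers: s.numbers.size });
    }
  }
  return flagged;
}

// Constructed sample log: ordinary traffic on one prefix, a pumping burst on another.
// The +999 numbers are placeholders, not a real country code or carrier range.
function sampleEvents(now) {
  const events = [];
  for (let i = 0; i < 40; i++) {                   // legitimate users: most OTPs get verified
    const phone = `+99910${1000 + i}`;
    events.push({ ts: now - i * 1000, phone, event: "otp_sent" });
    if (i % 10 !== 0) events.push({ ts: now - i * 1000 + 500, phone, event: "otp_verified" });
  }
  for (let i = 0; i < 120; i++) {                  // pumping: sequential numbers, never verified
    events.push({ ts: now - i * 200, phone: `+99920${5000 + i}`, event: "otp_sent" });
  }
  return events;
}
```

A flagged prefix is a signal to throttle or block sends to that block and to review the route with the SMS provider, not proof of fraud on its own.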


2.2 SIM Swapping

SIM swapping is another high-impact attack that affects SMS OTP security.

How does it work?

  • An attacker uses social engineering or internal access at a mobile provider to transfer a victim’s phone number to a new SIM card.
  • The attacker then receives all SMS messages, including OTPs for login, banking, or transaction confirmation.
  • Once the number is hijacked, all accounts tied to SMS verification are vulnerable.

Real-world consequences:

  • Unauthorized logins
  • Financial fraud
  • Permanent account loss for the user
  • Legal and reputational risk for the provider

SIM swapping is difficult to detect and bypasses the entire premise of SMS as a secure “possession” factor.


2.3 Interception and Protocol Vulnerabilities

SMS is an outdated protocol. It was never designed with cryptographic protection. It remains vulnerable to:

  • SS7 attacks (exploiting telecom signaling)
  • Malware on phones that reads SMS messages
  • Man-in-the-middle interception in legacy networks

SMS security is inherently weak

Risk factor          | Can be exploited by attackers?
SMS traffic pumping  | ✅ Yes — to generate revenue fraudulently
SIM swapping         | ✅ Yes — to hijack accounts
Network interception | ✅ Yes — due to lack of encryption

3. The Real Cost of SMS-Based Authentication

While SMS OTPs may seem cheap on a per-message basis, the total cost for enterprises adds up quickly. Beyond transaction fees, organizations must account for implementation, operations, maintenance, and hidden support overhead.


3.1 Implementation Costs

To use SMS OTPs, companies must either:

  • Build their own SMS delivery system
  • Or integrate with a third-party SMS authentication service

In-house development costs:

  • SMS gateway setup and telecom integration
  • Rate-limiting, delivery logging, and monitoring tools
  • Internal compliance, audit logging, and fraud prevention mechanisms

Estimated cost: €20,000–€100,000 in development and infrastructure setup

Third-party integration costs:

Even with ready-made providers like Twilio or AWS SNS, there are:

  • Upfront integration efforts
  • Custom flows and callback management
  • Ongoing vendor management

3.2 Transaction Costs: SMS Carrier Fees

As of 2025, SMS OTP messages typically cost $0.01–$0.20 per message, depending on the provider and region.

  • $0.01–$0.20 per message (depending on country, volume, and provider)
  • High-quality routes (with better delivery and speed) cost more
  • Some providers charge extra fees for delivery confirmation or retries

Example:

Based on 2024 SMS rates, a company sending 1 million SMS OTPs per month could spend approximately $600,000 annually.

And this does not include fraudulent SMS traffic caused by SMS pumping or bots.


3.3 Maintenance and Support Overhead

SMS authentication is not “set and forget.” Ongoing costs include:

  • Monitoring global SMS delivery
  • Dealing with failed or delayed SMS
  • Supporting users who did not receive their code
  • Managing international routes and country-specific regulations

Hidden support costs:

Every “I didn’t get my code” support ticket consumes:

  • Help desk time
  • Operational overhead
  • Customer satisfaction impact

According to internal studies, support interactions tied to SMS OTP failures add 10–20% to total authentication costs.


Summary: SMS OTP Costs Breakdown

Cost type           | Example impact
Implementation      | €20k–€100k (in-house or vendor integration)
Transaction fees    | $0.01–$0.20 per message
Fraud (SMS pumping) | Can multiply costs by 2–3x
Support overhead    | 10–20% additional cost per auth flow
Maintenance         | Global routing, compliance, monitoring

4. SMS Authentication – Reliability and User Experience Issues

Beyond security and cost, reliability and usability are two more critical reasons enterprises are replacing SMS OTPs. Authentication needs to be both secure and seamless; SMS often fails on both fronts.


4.1 Reliability: SMS Can Be Delayed or Lost

SMS delivery depends on multiple external factors:

  • Mobile network congestion
  • Country-specific routing delays
  • Carrier issues
  • Device signal availability

Result:

  • SMS OTPs may arrive late or not at all
  • Users abandon login flows
  • Increased failed logins and support requests

This impacts conversion rates, especially for critical flows like registration, checkout, or password resets.


4.2 Poor User Experience on Desktop

SMS authentication was designed for mobile devices. On desktops, the experience is fragmented:

  • Users must switch devices to retrieve codes
  • Users must manually enter the OTP from their phone
  • Users risk mistyping the code or letting the input time out

This creates friction and often leads to drop-offs during login.


4.3 Re-authentication Fatigue

SMS OTPs are typically required at every login. This leads to:

  • Repetitive, intrusive authentication steps
  • Frustration for returning users
  • Poor NPS and user sentiment

Compare that with passkeys, which authenticate with a quick biometric scan and do not require re-entry across sessions (if securely stored in the browser or OS).


4.4 Global Variability in Experience

The SMS experience is inconsistent across countries:

  • In some regions, codes are delayed or filtered
  • Message formats may not render correctly
  • Language or encoding issues can confuse users

A global enterprise must account for hundreds of carrier-specific edge cases, making SMS a poor fit for modern, international platforms.


Summary: Why SMS Fails on UX and Reliability

Problem                        | Impact
Delays / message loss          | Failed logins, support overhead
Device switching (desktop use) | Poor login experience, high drop-off rate
OTP fatigue                    | Reduced engagement, repeated friction
Global inconsistencies         | Higher failure rates across key regions

5. Why Passkeys Are a Better Alternative to SMS-Based Authentication

Passkeys are a modern authentication method based on asymmetric cryptography and the FIDO2/WebAuthn standards. Unlike SMS OTPs, passkeys are phishing-resistant, cost-effective, and seamlessly integrated with today’s devices and browsers.

By adopting passkeys, organizations can eliminate the core weaknesses of SMS authentication while significantly improving user experience and reducing operational costs.


5.1 Phishing-Resistant MFA and Stronger Security

Passkeys use a public-private key pair stored securely on the user’s device. Authentication happens via a digital signature, created locally on the device and verified by the server.

Key advantages over SMS:

  • No codes are sent over the network, so there is nothing to intercept
  • The private key never leaves the device
  • Origin binding ensures credentials can only be used on the intended domain
  • Resilient against SIM-swapping, phishing, and traffic pumping attacks

Passkeys also offer built-in multi-factor authentication (MFA):

  • “Something you have” = the device holding the private key
  • “Something you are” = biometric unlock (Face ID, fingerprint)

This makes passkeys stronger than SMS-based 2FA, and even more secure than traditional password + SMS OTP combinations.


5.2 No Per-Login Costs: SMS Cost Reduction

With SMS OTPs, every login, every reset, and every new device requires a paid transaction.

With passkeys:

  • There are no per-login fees
  • No telecom infrastructure needed
  • No SMS gateway or country-specific charges

Companies switching from SMS to passkeys have seen savings of up to 90% on their authentication costs.

Example:

A service sending 1 million SMS OTPs per month at $0.05/message spends ~$600,000 per year. Passkeys eliminate nearly all of that cost.


5.3 Enhanced User Experience

Passkeys drastically simplify the login process. Users authenticate with a biometric scan or device PIN: no code entry, no device switching.

Benefits include:

  • Faster logins across desktop and mobile
  • Support for cross-device authentication (e.g., scanning a QR code on a desktop with a mobile phone)
  • Conditional UI: browsers suggest and autofill passkeys automatically

This creates a frictionless experience for users, one that’s both secure and intuitive.


5.4 Seamless Enterprise Integration with Secfense

One of the reasons enterprises hesitate to move away from SMS is integration complexity. Secfense eliminates this barrier.

With Secfense User Access Security Broker (UASB):

  • Passkeys can be added to existing applications without modifying source code
  • Works with Active Directory and LDAP
  • Supports both platform authenticators (Windows Hello, Face ID) and roaming security keys (YubiKey, Feitian, etc.)

This enables organizations to roll out passkeys without disrupting existing IAM systems.


Summary: SMS vs Passkeys

Feature              | SMS OTP                   | Passkeys
Phishing resistance  | ❌ Vulnerable              | ✅ Yes – origin bound
SIM swap protection  | ❌ No                      | ✅ Yes – no phone number used
Cost per login       | 💰 $0.01–$0.20             | ✅ None
UX on desktop        | ❌ Poor                    | ✅ Seamless (cross-device)
Integration with IAM | ⚠️ Complex (telecom link)  | ✅ Easy via Secfense UASB
Biometric support    | ❌ No                      | ✅ Native on all major platforms

5.5 Secfense Passkeys for Enterprises

Secfense enables enterprises to adopt passkeys without modifying existing applications or IAM systems. With its no-code, agentless architecture, Secfense introduces passkey support directly into live environments through a proxy-based approach — preserving all existing logic and integrations.

Key Enterprise Capabilities:

  • Central policy control over authentication flows across all applications and user groups
  • Support for all authenticator types, including platform authenticators, roaming security keys, and mobile-bound passkeys
  • Compatibility with AD and legacy systems, without rewriting authentication flows
  • Compliance alignment with NIS2, DORA, and GDPR through phishing-resistant, audit-ready authentication

Mobile-Bound Passkeys:

Secfense supports mobile-bound passkeys tied to enterprise-managed smartphones. These credentials remain within the managed device ecosystem and are not synced to personal cloud accounts. This improves both security posture and device trust, allowing organizations to:

  • Enforce authentication only on trusted, controlled mobile devices
  • Prevent credential leakage through consumer sync features
  • Combine convenience with strict compliance and endpoint governance

As a User Access Security Broker (UASB), Secfense ensures enterprises can scale passkeys securely while maintaining control over devices, identity assurance, and authentication policy — without disrupting infrastructure.

6. Real-World Example – How Enterprises Cut SMS Costs with Passkeys

One of the strongest enterprise-grade examples of replacing traditional authentication with passkeys comes from the BNP Paribas Bank Polska case. As one of the largest financial institutions in Europe and a leader in the Polish banking sector, BNP Paribas operates in a highly regulated and technically complex environment.

6.1 Lower Authentication Costs

BNP Paribas Bank Polska adopted passkeys to reduce dependence on passwords and SMS authentication. An internal economic analysis conducted during the project showed that:

  • The support costs for passkeys were 6 times lower than for traditional methods based on passwords and SMS.
  • The migration and maintenance costs of passkey infrastructure were significantly lower than those associated with SMS and password-based authentication.

6.2 Implementation with No Application Code Changes

A major project requirement was to deploy passkeys without modifying the front-end code of the GoOnline Biznes banking application. This was achieved through:

  • Content adaptation at the load balancer layer, where all frontend elements related to passkeys were dynamically injected.
  • Use of Secfense User Access Security Broker (UASB) to introduce passkey support without changes to existing applications.

The solution was integrated into the bank’s SAML-based authentication process and supported the bank’s distributed infrastructure and multiple identity sources.


6.3 Secure and Controlled Rollout

BNP Paribas Bank Polska prioritized operational security and compliance. The rollout process was designed accordingly:

  • A Friends & Family testing phase was completed in less than 3 months from the start of the project.
  • An opt-in mechanism allowed selective inclusion of users for testing, ensuring that only designated individuals experienced the new authentication flow.
  • The implementation complied fully with the bank’s internal security policies and sector regulations.

6.4 Summary

BNP Paribas Bank Polska achieved the following results using Secfense technology:

  • Improved security through phishing-resistant passkey authentication
  • Simplified user experience by eliminating passwords and SMS codes
  • No changes to existing applications or disruption to user flows
  • Full regulatory compliance
  • Substantial cost savings in authentication support and maintenance

BNP Paribas Bank Polska became the first bank in Poland to implement passkeys and one of the first in Europe, confirming that passwordless authentication can meet the requirements of a highly regulated enterprise environment without sacrificing usability or operational stability.

7. Why Passkeys Are Replacing SMS Authentication

SMS authentication once served as a convenient method to introduce two-factor authentication. But in today’s security and operational landscape, it has become:

  • Too costly due to per-message carrier fees and fraud
  • Too risky due to phishing, SIM swapping, and traffic pumping
  • Too inconsistent across countries, devices, and user segments

In contrast, passkeys offer a scalable, secure, and cost-effective solution. Built on modern cryptographic standards like WebAuthn and FIDO2, passkeys:

✅ Eliminate shared secrets and phishing risk
✅ Reduce recurring authentication costs to zero
✅ Simplify UX with cross-device and biometric login
✅ Integrate seamlessly into enterprise systems using Secfense


Strategic Recommendations for Enterprises

1. Stop Paying for Authentication You Don’t Control

SMS-based 2FA gives you no control over cost, routing, or fraud risks. Every OTP increases your vendor dependency and support overhead.

With passkeys, the credential is stored on the user’s device, and login is validated by public key cryptography – no message required.


2. Move Away from SMS Gradually but Decisively

You don’t need a full system overhaul. Start with:

  • Passkeys for new users
  • Passkeys as primary login, with SMS fallback
  • Enrollment flows that offer biometric authentication first

Secfense makes this possible with its no-code, agentless architecture.


3. Control Devices, Not Networks

Phone numbers can be hijacked or ported. Passkeys are bound to the domain and device, and can be linked to enterprise-managed endpoints.

Combine passkeys with attestation to ensure only company-approved authenticators are used.


4. Partner with a Passkey-Ready Platform

Working with a provider like Secfense helps you:

  • Add passkeys to apps without code changes
  • Enforce policy centrally across platforms
  • Integrate with your IAM stack and Active Directory

Replace SMS OTPs Before You’re Forced To

With rising fraud, compliance demands (GDPR, NIS2, DORA), and mounting SMS costs, the decision to move away from text-based authentication is not just strategic, it’s inevitable.

Passkeys represent the next generation of strong authentication, and with Secfense you can adopt them without changing infrastructure, rewriting apps, or disrupting user flows.



Antoni takes care of all the marketing content that comes from Secfense.

Testimonials

We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that the User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.

Krzysztof Słotwiński

Business Continuity and Computer Security Officer

BNP Paribas Bank Poland

As part of the pre-implementation analysis, we verified that users utilize a wide range of client platforms: desktop computers, laptops, tablets, smartphones, and traditional mobile phones. Each of these devices differs in technological advancement, features, and level of security. Because of this, and also due to the recommendation of the Polish Financial Supervision Authority (UKNF), we decided to introduce additional protection in the form of multi-factor authentication mechanisms based on FIDO. As a result, users of our applications can log in safely, avoiding common cyber threats such as phishing, account takeover, and theft of their own and their clients’ data.

Marcin Bobruk

CEO

Sandis

We are excited to partner with Secfense to enhance our user access security for our web apps. By integrating their User Access Security Broker, we ensure seamless and secure protection for our applications and systems, delivering superior security and convenience to our customers.

Charm Abeywardana

IT & Infrastructure

Visium Networks

Before investing in Secfense, we had the opportunity to talk to its existing clients. Their reactions were unanimous: wow, it’s so easy to use. We were particularly impressed by the fact that implementing their solution does not require the involvement of IT developers. It gives Secfense a huge advantage over the competition, and at the same time opens the door to potential customers who so far were afraid of changes related to the implementation of multi-factor authentication solutions.

Mateusz Bodio

Managing Director

RKKVC

Even when the network and infrastructure are secured enough, social engineering and passwords can be used to gain control of the system by attackers. Multifactor authentication is the current trend. Secfense addresses this and allows you to build zero trust security and upgrade your current systems to passwordless applications within minutes, solving this problem right away,” said Eduard Kučera, Partner at Presto Ventures and cybersecurity expert – former Director in hugely successful Czech multinational cyber security firm Avast.

Eduard Kučera

Partner

Presto Ventures

One of the biggest challenges the world is facing today is securing our identity online. That’s why we were so keen to have Secfense in our portfolio. They make it possible to introduce strong authentication in an automated way. Until now, organizations had to selectively protect applications because the deployment of new technology was very hard, or even impossible. With Secfense, the implementation of multi-factor authentication is no longer a problem, and all organizations can use the highest standards of authentication security.

Stanislav Ivanov

Founding Partner

Tera Ventures