Globally, regulators are discouraging SMS‑based OTPs, central banks are warning financial institutions, and major technology vendors are pushing consumers toward passkeys, a form of cryptographic credential based on FIDO2/WebAuthn. This article unpacks why this is happening and what enterprises should do about it, drawing from regulatory updates and industry research.
The vulnerabilities everyone sees with OTPs
On paper, OTPs look like an elegant solution. You enter your username and password, receive a temporary code via SMS or app, and complete the login. In practice, that extra factor isn’t nearly as secure as it seems. Attackers routinely exploit several weaknesses:
- SIM‑swapping and SS7 attacks. Telecommunication weaknesses allow criminals to divert or intercept SMS messages.
- Phishing and social engineering. Adversary‑in‑the‑middle kits proxy login pages to trick victims into entering their OTP codes. Users often comply because the fake pages look identical to the real ones. Push bombing overwhelms users with repeated prompts until they approve access, and smishing (phishing via SMS) delivers the lure straight to the phone.
- High cost and poor reliability. SMS delivery depends on mobile network connectivity; codes may be delayed or lost when travelling or on flights. Each message also incurs per‑transaction fees, leading to significant operational costs for high‑volume applications.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) bluntly advises: “Do not use SMS as a second factor for authentication.” Its mobile communications guidance points out that SMS messages are not encrypted, meaning any attacker with access to a telecom network can read them. Similar warnings appear in federal guidelines from the National Institute of Standards and Technology (NIST), which has deprecated email‑based OTP and significantly downgraded SMS‑based authentication in its updated Digital Identity Guidelines. In short, OTPs are now considered an insecure factor rather than a robust layer of security.
User experience is also part of the problem
Beyond security, OTPs introduce friction that hurts conversion. Delayed or mis‑keyed codes frustrate users and drive abandonment. In a 2025 FIDO Alliance survey across five countries, 47% of consumers said they will abandon a purchase if they forget a password, and over 35% had at least one account compromised in the last year.
OTPs may temporarily mask password pain, but they also create a psychological tax: users must juggle multiple devices and short time windows. In contrast, passkeys—the FIDO Alliance’s term for FIDO2/WebAuthn credentials—are designed to eliminate these friction points, as we’ll explore next.
Passkeys: what makes them different?
Passkeys are phishing‑resistant, cryptographic credentials bound to a domain. They can serve as a passwordless first factor or as a strong second factor in multifactor workflows.
Understanding how they differ from OTPs requires examining their technical foundations, user experience, and deployment implications.
Cryptography instead of shared secrets
When a user registers a passkey, their device generates a public–private key pair. The public key is stored with the service, while the private key remains securely on the user’s device, often in a secure enclave. During authentication, the service issues a challenge; the device signs it with the private key and returns the signature.
Because the private key never leaves the device and is scoped to the service’s domain, phishing sites cannot trick the authenticator into responding. Passkeys therefore resist adversary‑in‑the‑middle attacks that intercept or replay session tokens.
Passkeys are unlocked with user‑friendly factors such as biometrics or device PINs, making them four times faster than OTP‑based logins according to the FIDO Alliance. There is no need to remember a password or wait for a code. Users simply approve the sign‑in on their device, and the device proves possession of the private key.
Reduced attack surface and improved usability
Several characteristics further distinguish passkeys from OTPs:
- Phishing and replay resistance. Because passkeys are bound to the legitimate domain and use asymmetric cryptography, attackers cannot generate a valid signature for a fake site. By contrast, OTPs can be intercepted and replayed without the user’s knowledge.
- Device integrity matters, not network integrity. OTPs depend on third‑party networks (mobile carriers or email providers). Passkeys operate locally on the device, eliminating SMS delivery failures and time‑synchronization issues. They work even without cellular coverage.
- Lower cognitive load. Passkeys leverage familiar behaviors such as unlocking a phone with a fingerprint or facial recognition.
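As an added illustration (not code from the original article or from ID Dataweb), the following Go program simulates the challenge/signature exchange described above and the relying‑party checks behind the phishing and replay resistance bullet. Authenticator, browser and server are all simulated in one process; the domains bank.example and bank-example.evil, the challenge strings, and the simplified authenticatorData (rpIdHash plus a single flags byte, no signature counter) are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)
// clientData holds the clientDataJSON fields a relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// assertion: authenticatorData (starts with SHA-256(rpId)), clientDataJSON, and a signature over authenticatorData || SHA-256(clientDataJSON).
type assertion struct{ AuthData, ClientJSON, Sig []byte }
func signedHash(authData, clientJSON []byte) []byte {
	cj := sha256.Sum256(clientJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cj[:]...))
	return h[:]
}
// signAssertion plays the authenticator; the browser (not the page) fills in origin and only permits an rpId matching the page's own domain.
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin, challenge string) assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags byte: user present (simplified, no counter)
	cj, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedHash(authData, cj))
	return assertion{authData, cj, sig}
}
// verifyAssertion is the relying-party check; any mismatch rejects the login.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) bool {
	cd, rpHash := clientData{}, sha256.Sum256([]byte(rpID))
	if json.Unmarshal(a.ClientJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin ||
		len(a.AuthData) < 33 || string(a.AuthData[:32]) != string(rpHash[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedHash(a.AuthData, a.ClientJSON), a.Sig)
}
// demo: a genuine login, an AitM-proxied login from a look-alike domain (assumed names), and a replay of the genuine assertion against a fresh challenge.
func demo() (genuine, phished, replayed bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a := signAssertion(priv, "bank.example", "https://bank.example", "c1")
	genuine = verifyAssertion(&priv.PublicKey, "bank.example", "https://bank.example", "c1", a)
	p := signAssertion(priv, "bank-example.evil", "https://bank-example.evil", "c1")
	phished = verifyAssertion(&priv.PublicKey, "bank.example", "https://bank.example", "c1", p)
	replayed = verifyAssertion(&priv.PublicKey, "bank.example", "https://bank.example", "c2", a)
	return
}
```

In a real deployment the proxied page would fail even earlier, because the browser refuses to invoke the credential for an rpId that does not match the page's domain; the server-side checks shown here are the backstop.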
Why passkeys are becoming practical now
1. Platform adoption. Apple, Google and Microsoft have integrated passkey support into their operating systems and browsers. Microsoft made passkeys generally available in its authenticator app earlier this year. This update turns any modern iOS or Android phone into a phishing‑resistant security key, eliminating the need for specialized hardware. Historically, distributing physical FIDO2 keys was a major barrier to adoption. Now, organizations can leverage devices users already carry.
2. Business outcomes. Microsoft’s Digital Defense Report revealed that Entra blocked 7000 password attacks per second and recommends retiring passwords in favor of phishing‑resistant passkeys. Passkey implementations reduce authentication failures by 30% or more, cut credential‑related support calls by 70% and speed up login times by 30%. These improvements translate into improved customer experience and lower support costs.
3. Banking adoption ripple effect. Thales reports that 30% of consumers already use passkeys and predicts that the banking sector will lead a passkey adoption ripple effect in 2025, thanks to mobile payment systems like Apple Pay.
Transitioning from OTPs to passkeys: a guide for 2025
1. Audit your authentication flows
Start by mapping where and how OTPs are used. Identify logins, step‑up authentication and recovery flows. Many organizations use OTPs as a second factor alongside passwords; some rely on OTPs for account recovery. Each flow requires different migration tactics. Consider whether high‑assurance use cases (e.g., wire transfers) might initially continue to use hardware security keys while lower assurance use cases move to passkeys.
2. Address identity proofing and enrollment
Passkeys need to be bound to a verified identity. The FIDO Alliance recommends identity proofing at registration to ensure the right person is assigned the credential. Organizations can choose self‑service registration (users bootstrap a passkey using existing credentials), supervised registration (via help desk), or pre‑provisioned credentials.
3. Decide where passkeys are stored
You have several options:
- Platform authenticators (built into phones and laptops). Most users can store passkeys in their device’s secure enclave. This is cost‑effective and convenient. However, for shared devices (e.g., retail tablets), you may not want passkeys stored on the device.
- Roaming authenticators (hardware keys). For shared or high‑security use cases, FIDO‑certified security keys can store passkeys. They provide hardware‑backed protection and can be issued as a secondary device to reduce lockout risk.
- Synced passkeys. Many platforms now sync passkeys across a user’s devices using end‑to‑end encryption. Ensure your policy addresses how and where these backups are stored.
4. Pilot and iterate
Before a broad rollout, test passkeys with a pilot group. FIDO recommends piloting registration, authentication and recovery processes and using feedback to fine‑tune user experience. Pay attention to edge cases, such as users who lose their device or upgrade to a new one. Plan for fallbacks (for example, issuing a hardware key or temporarily falling back to OTP during recovery). But avoid leaving OTPs enabled indefinitely; attackers will exploit that backdoor.
5. Integrate fraud prevention and identity verification
Passkeys solve the authentication problem, but fraudsters may still target your systems through account recovery, device binding or social engineering. Solutions like ID Dataweb’s identity threat detection and risk mitigation can link passkeys to verified identities and monitor for anomalies. The Microsoft/Transmit Security partnership notes that combining passkeys with behavioral biometrics and strong device identification yields high detection rates for credential‑stuffing attacks. ID Dataweb can dynamically invoke other factors with step-up authentication when risk increases.
Conclusion
Passkeys are not a panacea. Attackers will adapt, and there are still risks to address, including malware on end‑user devices and potential weaknesses in cross‑device credential exchange.
ID Dataweb’s experience shows that fraud prevention and identity verification remain essential companion technologies. Innovations such as behavioral biometrics, dynamic risk scoring and digital identity wallets will complement passkeys to create a resilient identity stack.
Moreover, the regulatory environment continues to evolve. Data privacy conversations will take center stage in the U.S., driven by emerging legislation like the American Privacy Rights Act, and zero‑trust frameworks will increasingly require organizations to prove they are using phishing‑resistant authentication across all user segments.
2025 represents a turning point because passkeys are moving from early adoption to early majority. Consumer awareness has reached critical mass, platform support is ubiquitous and regulators are removing insecure options. For organizations still relying on OTPs, the message is clear: now is the time to transition to phishing‑resistant MFA.