What are risks of transitioning from SMS OTPs to passkeys?

What are the risks of transitioning from SMS OTPs to passkeys?#

Transitioning from SMS One-Time Passwords (OTPs) to passkeys is a significant step toward improving security and user experience. However, this process involves certain risks that organizations should carefully address.

Key Risks in Transitioning to Passkeys#

1. User Resistance to Change#

• Some users may resist adopting new authentication methods due to unfamiliarity with passkeys.
• Lack of understanding can lead to reduced trust and slower adoption rates.

2. Device and Browser Compatibility Issues#

• Not all devices and browsers may support passkeys, particularly older models or outdated software.
• This can leave some users unable to authenticate if fallback methods are not maintained.

3. Disruption During the Transition#

• A poorly executed migration can result in user lockouts, login issues, or increased support inquiries.
• Testing and phased rollouts are essential to minimize disruption.

4. Security Gaps in Hybrid Systems#

• During the transition period, maintaining both SMS OTPs and passkeys can create potential vulnerabilities.
• It’s crucial to ensure that both methods are secure and cannot be exploited simultaneously.

5. Lack of MFA Fallbacks#

• Removing SMS OTPs without providing other fallback methods could alienate users who are not ready for passkeys.
• Maintaining alternate MFA options ensures continuity and user accessibility.

Mitigation Strategies#

• User Education: Provide clear guidance and resources to help users understand and adopt passkeys.
• Compatibility Analysis: Use data from State of Passkeys to assess your user base’s readiness for passkeys.
• Gradual Rollouts: Transition to passkeys in phases, starting with a subset of users before expanding.
• Maintain MFA Fallbacks: Keep SMS OTPs or other MFA options available during the initial rollout.

Conclusion#

While transitioning from SMS OTPs to passkeys has numerous benefits, careful planning and execution are necessary to mitigate risks. Addressing user resistance, ensuring compatibility, and maintaining robust fallback options will help ensure a smooth and successful transition.

Read the full article#

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →