
What are the risks of transitioning from SMS OTPs to passkeys?

Vincent Delitz


Created: January 8, 2025

Updated: January 9, 2025


Moving from SMS one-time passwords (OTPs) to passkeys is a significant step toward better security and a smoother login experience. The migration itself, however, carries risks that organizations should plan for and address before they start.


Key Risks in Transitioning to Passkeys

1. User Resistance to Change

  • Some users resist a new authentication method simply because passkeys are unfamiliar to them.
  • Without a clear explanation of what a passkey is and where it is stored, trust drops and adoption slows.

2. Device and Browser Compatibility Issues

  • Not every device or browser supports passkeys, particularly older models and outdated software, and support for features such as passkey autofill varies even among current browsers.
  • Users on such clients cannot authenticate with a passkey at all, so they are locked out unless a fallback method is kept available for them.
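A login page can check for the relevant WebAuthn capabilities before deciding what to show the user. The following is an added example, not Corbado's code or part of the original page: it uses the standard `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` and `PublicKeyCredential.isConditionalMediationAvailable()` queries, and the two browser stubs at the bottom are constructed so the file can also be run under Node; the `recommendation` values are this example's own labels.

```javascript
// Added example, not Corbado's code: detect what the current browser can do
// before deciding which login path to show. `env` defaults to the global
// object; a stub can be passed in to exercise the logic outside a browser.
async function detectPasskeySupport(env = globalThis) {
  const caps = {
    webauthn: false,              // navigator.credentials + PublicKeyCredential present
    platformAuthenticator: false, // user-verifying platform authenticator (Touch ID, Windows Hello, Android)
    conditionalUI: false,         // passkey autofill ("conditional mediation") supported
    recommendation: 'otp',        // what the login page should offer first (example's own labels)
  };

  // WebAuthn is only exposed in secure contexts (HTTPS or localhost).
  if (env.isSecureContext === false) return caps;

  const PKC = env.PublicKeyCredential;
  const creds = env.navigator && env.navigator.credentials;
  if (typeof PKC !== 'function' || !creds || typeof creds.get !== 'function') {
    return caps; // no WebAuthn at all: keep the existing OTP path for this user
  }
  caps.webauthn = true;

  // Both capability queries are optional static methods that older engines lack,
  // and either may reject, so each is guarded and a failure counts as "not available".
  if (typeof PKC.isUserVerifyingPlatformAuthenticatorAvailable === 'function') {
    try {
      caps.platformAuthenticator = (await PKC.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
    } catch { /* leave false */ }
  }
  if (typeof PKC.isConditionalMediationAvailable === 'function') {
    try {
      caps.conditionalUI = (await PKC.isConditionalMediationAvailable()) === true;
    } catch { /* leave false */ }
  }

  if (caps.platformAuthenticator) {
    caps.recommendation = caps.conditionalUI ? 'passkey-autofill' : 'passkey-button';
  } else {
    // WebAuthn works, but only with a security key or a cross-device (phone) flow:
    // offer passkeys, but keep the OTP option visible.
    caps.recommendation = 'passkey-optional';
  }
  return caps;
}

// Constructed stub of a current browser, so this file can be run under Node.
const MODERN_BROWSER_STUB = {
  isSecureContext: true,
  navigator: { credentials: { get: async () => null, create: async () => null } },
  PublicKeyCredential: Object.assign(function PublicKeyCredential() {}, {
    isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
    isConditionalMediationAvailable: async () => true,
  }),
};

// Constructed stub of an older browser: WebAuthn present, no capability queries.
const OLD_BROWSER_STUB = {
  isSecureContext: true,
  navigator: { credentials: { get: async () => null } },
  PublicKeyCredential: function PublicKeyCredential() {},
};

const target = typeof window === 'undefined' ? MODERN_BROWSER_STUB : window;
detectPasskeySupport(target).then((caps) => console.log(caps));
```

Run this per session rather than once per user: the same account may sign in from a passkey-ready phone and an outdated desktop browser on the same day, and only the second visit needs the OTP path.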

3. Disruption During the Transition

  • A poorly executed migration results in user lockouts, failed logins and a spike in support tickets.
  • Testing against the real device and browser mix of your users, plus a phased rollout that can be paused, is essential to keep disruption small and reversible.

4. Security Gaps in Hybrid Systems

  • During the transition period, an account that accepts either an SMS OTP or a passkey is only as secure as the SMS OTP: an attacker who phishes the code or takes over the phone number bypasses the passkey entirely.
  • Both methods must therefore remain secure, and the weaker one must not be able to undermine the stronger one, for example by letting an SMS login enroll or remove passkeys.
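One way to keep the SMS path from silently defeating the passkey during the hybrid period is to treat an SMS login as a lower-assurance session that cannot change the account's factors once a passkey exists. The code below is an added example, not Corbado's code and not a description of any particular product: the user and session shapes, the two assurance levels, the action names and the SIM-swap walkthrough are all this example's own assumptions, and the actual OTP and WebAuthn verification is assumed to have happened before `authenticate` is called.

```javascript
// Added example, not Corbado's code: a login policy for the hybrid period.
// The assumption it encodes: an account that accepts either a passkey OR an
// SMS OTP is only as strong as the SMS OTP, so once a user has enrolled a
// passkey, an SMS login must not be able to change the account's factors.
const ASSURANCE = { SMS_OTP: 1, PASSKEY: 2 };

// Actions an attacker holding the user's phone number would attempt first.
// These names are this example's own, not a standard.
const FACTOR_CHANGING_ACTIONS = new Set([
  'add_passkey', 'remove_passkey', 'change_phone_number', 'disable_passkeys',
]);

// user:    { id, passkeysEnrolled: boolean, smsFallbackEnabled: boolean }
// attempt: { method: 'passkey' | 'sms_otp', verified: boolean }
//          (verified = the WebAuthn assertion or the OTP was already checked
//           by the respective verifier; this function only applies policy)
function authenticate(user, attempt) {
  if (attempt.verified !== true) return { ok: false, reason: 'credential not verified' };

  if (attempt.method === 'passkey') {
    if (!user.passkeysEnrolled) return { ok: false, reason: 'no passkey enrolled' };
    return { ok: true, session: { userId: user.id, method: 'passkey', assurance: ASSURANCE.PASSKEY } };
  }

  if (attempt.method === 'sms_otp') {
    // Per-user switch: once a cohort is fully on passkeys, SMS login is turned
    // off for them rather than left open as a permanent second door.
    if (user.passkeysEnrolled && !user.smsFallbackEnabled) {
      return { ok: false, reason: 'SMS fallback disabled for this account' };
    }
    return { ok: true, session: { userId: user.id, method: 'sms_otp', assurance: ASSURANCE.SMS_OTP } };
  }

  return { ok: false, reason: `unknown method ${attempt.method}` };
}

function authorize(user, session, action) {
  if (session.userId !== user.id) return { allowed: false, reason: 'session does not belong to user' };
  // Before any passkey exists, SMS is the account's best factor, so it may
  // bootstrap the first passkey. Afterwards, factor changes require the passkey.
  if (user.passkeysEnrolled && FACTOR_CHANGING_ACTIONS.has(action) && session.assurance < ASSURANCE.PASSKEY) {
    return { allowed: false, reason: `step up with a passkey before ${action}` };
  }
  return { allowed: true };
}

// Constructed walkthrough: an attacker who has taken over the victim's phone
// number passes the SMS OTP, but cannot turn that into control of the account.
function simSwapScenario() {
  const victim = { id: 'u-100', passkeysEnrolled: true, smsFallbackEnabled: true };
  const login = authenticate(victim, { method: 'sms_otp', verified: true });
  if (!login.ok) return { loggedIn: false };
  return {
    loggedIn: true,
    canAddPasskey: authorize(victim, login.session, 'add_passkey').allowed,
    canChangePhone: authorize(victim, login.session, 'change_phone_number').allowed,
    canViewProfile: authorize(victim, login.session, 'view_profile').allowed,
  };
}

console.log(simSwapScenario());
```

The flip side of this policy is the lockout case: a user whose passkeys are gone and whose SMS fallback has been switched off needs a deliberate account-recovery flow with its own identity checks, not a quiet re-opening of the SMS door.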

5. Lack of MFA Fallbacks

  • Removing SMS OTPs without providing another fallback leaves out users who are not yet ready for passkeys, and strands passkey users who lose access to their passkeys.
  • Keeping an alternate MFA method and a deliberate account-recovery path ensures continuity and accessibility.

Mitigation Strategies

  • User Education: Provide clear guidance and resources that explain what passkeys are and how to use them.
  • Compatibility Analysis: Use tools like Corbado’s Passkeys Analyzer to assess how much of your user base can use passkeys on their current devices and browsers.
  • Gradual Rollouts: Transition to passkeys in phases, starting with a subset of users (for example, those on passkey-ready devices) before expanding.
  • Maintain MFA Fallbacks: Keep SMS OTPs or another MFA method available during the initial rollout, and retire them deliberately once a cohort has moved over rather than all at once.

Conclusion

Transitioning from SMS OTPs to passkeys has clear benefits, but careful planning and execution are needed to manage the risks. Addressing user resistance, checking compatibility, keeping the fallback from undermining the passkey, and maintaining robust recovery options will make the transition smooth and successful.
