OTP & SMS Security

Passkeys (WebAuthn) vs SMS OTP for Indian Apps: Migration Notes

A practical roadmap for Indian product teams adding FIDO2 passkeys alongside SMS OTP: user education, device coverage, RBI-style step-up, recovery, and when SMS remains mandatory.

12 May 2026 · 10 min read

StartMessaging Team

Security

SMS OTP is universal in India but vulnerable to smishing and SIM events. Passkeys (FIDO2 / WebAuthn) bind sign-in to a device key pair and resist remote phishing. This guide is for engineering managers planning a migration, not a crypto tutorial — we focus on rollout sequencing and compliance touchpoints.

Why Indian Teams Still Default to SMS

  • Works on every handset without app updates.
  • Aligns with user mental models built by banks and UPI apps.
  • Vendor-neutral — no Apple / Google passkey sync assumptions.

Threat Model: What Passkeys Fix

SMS OTP can be intercepted by fake login pages that relay codes in real time. Passkeys remove shared secrets from the authentication ceremony. Read alongside OTP strengths and weaknesses to decide where passkeys belong in your stack (login vs payments vs account recovery).

Phased Rollout Pattern

  1. Shadow mode: Register passkeys for users who opt in; keep SMS OTP unchanged.
  2. Preferred factor: Offer passkey-first login with SMS fallback behind the same risk engine used for lockouts.
  3. Step-up: Keep SMS or issuer push for high-risk actions even after passkeys win on primary login.

Regulated Flows and Step-Up Authentication

Fintech teams should read RBI AFA guidance with counsel. Passkeys can satisfy “something you have” for app login, but card-not-present and many wallet actions still expect issuer-controlled factors. Document which journeys are in-app authentication vs regulated payment authentication.

Recovery Without SMS-Only Weakness

If passkey recovery is “send SMS OTP,” you reintroduce the same SIM risks. Stronger patterns include split knowledge with in-branch verification, video KYC for high-value accounts, or hardware security keys for admin roles.

Metrics That Prove the Migration

  • Login success rate by device cohort.
  • Median time-to-login before vs after passkeys.
  • Support tickets tagged smishing / OTP not received.
  • Chargeback or fraud loss rate on step-up flows.

FAQ

Passkeys and SMS OTP can coexist for years. Most Indian apps will keep SMS for reachability while passkeys absorb returning users on modern devices. For SMS-only flows, providers like StartMessaging keep integration simple while you migrate the login surface.

Ready to Send OTPs?

Integrate StartMessaging in 5 minutes. No DLT registration required.